RSA versus DSA / Protocol 1 versus Protocol 2
Ben Lindstrom
mouring at etoh.eviladmin.org
Mon Feb 25 07:39:11 EST 2002
On Sun, 24 Feb 2002, Ben Lindstrom wrote:
>
>
> On Sun, 24 Feb 2002, Bob Proulx wrote:
>
> >
> > > # diff -u /etc/sshd_config sshd_config
> > [...]
> > > +Port 2020
> > > +Protocol 2,1
> > > -HostKey /etc/ssh_host_dsa_key
> > [...]
> > > $ sshd -f sshd_config
> >
> > Interesting. Right there this dies for me.
> >
> > cd /etc
> > cp sshd_config sshd_config.hacked
> > edit sshd_config.hacked
> > diff -u0 | grep -v ^@@
> > --- sshd_config Sun Feb 24 13:47:16 2002
> > +++ sshd_config.hacked Sun Feb 24 13:53:52 2002
> > -Port 22
> > -#Protocol 2,1
> > +Port 2022
> > +Protocol 2,1
> > -HostKey /etc/ssh_host_dsa_key
> > +# HostKey /etc/ssh_host_dsa_key
> >
> > [root at joseki /etc]# sshd -f sshd_config.hacked
> > Disabling protocol version 2. Could not load host key
> >
> > telnet localhost 2022
> > SSH-1.5-OpenSSH_3.0.2p1
> >
> > I will dig around in the code a little and see what I find.
> >
> > > # ssh -2 -p2020 localhost
> > > root at localhost's password:
> >
> > Since you normally use Protocol 2 this host is already in your
> > known_hosts file. Which means I can't see if this is using the DSA
> > host key or an RSA host key.
> >
> To tell you the truth.. it is RSA.. I did not think about passing a DSA
> key. I tend to disable DSA key support.
>
> Again it goes back to my own personal policy of "any unrequired feature
> that can be easily disabled should be disabled". Just so happens this
> box has DSA key support enabled.
>
> $ ssh -1 -o"HostKeyAlgorithms ssh-dss" localhost
> Protocol major versions differ: 1 vs. 2
>
Scratch that, it should be:
$ ssh -p2020 -o"HostKeyAlgorithms ssh-dss" localhost
no hostkey alg
Which is what I would expect. Forcing DSA keys onto a server that does
not support DSA keys.
- Ben
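The failure mode in this thread is easy to reproduce by accident: with `Protocol 2,1` enabled and every protocol-2 HostKey commented out, sshd prints "Disabling protocol version 2" and silently serves only SSH-1, as the SSH-1.5 banner on the telnet probe shows. The following shell check is an added example, not code from the thread or from OpenSSH; it assumes an OpenSSH 3.x-style sshd_config in which protocol-2 keys live in files named `*_rsa_key` or `*_dsa_key` (as `/etc/ssh_host_dsa_key` does above) and that `2,1` is the default when the Protocol directive is commented out, as the diff suggests.

```shell
#!/bin/sh
# Added example (not from the thread): warn when a config enables protocol 2
# but leaves sshd no readable protocol-2 host key, so it falls back to SSH-1.

# Value of the Protocol directive; "2,1" is the assumed default (the diff
# shows "#Protocol 2,1" commented out in the stock file).
sshd_protocols() {
    p=$(sed -n 's/^[[:space:]]*Protocol[[:space:]][[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${p:-2,1}"
}

# Active (uncommented) HostKey paths that are protocol-2 keys. The v1 key
# (ssh_host_key) is excluded; only *_rsa_key / *_dsa_key count (assumed layout).
sshd_v2_hostkeys() {
    sed -n 's/^[[:space:]]*HostKey[[:space:]][[:space:]]*//p' "$1" |
        grep -E '_(rsa|dsa)_key[[:space:]]*$' || true
}

# Exit 0 if protocol 2 will start (or is not enabled), 1 if sshd would
# disable it for lack of a readable v2 key, 2 if the file lists no HostKey at
# all (sshd then uses its built-in default paths, which are not checked here).
check_sshd_config() {
    cfg=$1
    case ",$(sshd_protocols "$cfg")," in
        *,2,*) ;;
        *) echo "protocol 2 not enabled in $cfg"; return 0 ;;
    esac
    if ! grep -Eq '^[[:space:]]*HostKey[[:space:]]' "$cfg"; then
        echo "no HostKey directive in $cfg: built-in defaults apply"; return 2
    fi
    for k in $(sshd_v2_hostkeys "$cfg"); do
        [ -r "$k" ] && { echo "protocol 2 host key: $k"; return 0; }
    done
    echo "WARN: Protocol 2 enabled but no readable protocol-2 HostKey in $cfg;" \
         "sshd will disable protocol 2 and answer only as SSH-1"
    return 1
}
```

Run it as `check_sshd_config /path/to/sshd_config` before restarting sshd; a return code of 1 is the "Disabling protocol version 2" case from the thread.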