RSA versus DSA / Protocol 1 versus Protocol 2

Ben Lindstrom mouring at etoh.eviladmin.org
Mon Feb 25 07:39:11 EST 2002


On Sun, 24 Feb 2002, Ben Lindstrom wrote:

>
>
> On Sun, 24 Feb 2002, Bob Proulx wrote:
>
> >
> > > # diff -u /etc/sshd_config sshd_config
> > [...]
> > > +Port 2020
> > > +Protocol 2,1
> > > -HostKey /etc/ssh_host_dsa_key
> > [...]
> > > $ sshd -f sshd_config
> >
> > Interesting.  Right there this dies for me.
> >
> >   cd /etc
> >   cp sshd_config sshd_config.hacked
> >   edit sshd_config.hacked
> >   diff -u0 | grep -v ^@@
> >   --- sshd_config Sun Feb 24 13:47:16 2002
> >   +++ sshd_config.hacked  Sun Feb 24 13:53:52 2002
> >   -Port 22
> >   -#Protocol 2,1
> >   +Port 2022
> >   +Protocol 2,1
> >   -HostKey /etc/ssh_host_dsa_key
> >   +# HostKey /etc/ssh_host_dsa_key
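Review bot: commenting out the only protocol-2 host key while keeping `+Protocol 2,1` leaves the config internally inconsistent, and sshd does not refuse it: the run just below reports "Disabling protocol version 2. Could not load host key" and the banner on port 2022 is SSH-1.5, so a server configured for `Protocol 2,1` silently becomes protocol-1-only. If the point is to test protocol 2 without the DSA key, keep a HostKey line for a protocol-2 key (the RSA key that the reply further down says is actually in use) and confirm the banner after restart; if protocol 1 only is intended, state it with `Protocol 1` rather than relying on the fallback. Minor: the `diff -u0 | grep -v ^@@` line as pasted has no file operands, so it cannot be rerun as written.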
> >
> >   [root at joseki /etc]# sshd -f sshd_config.hacked
> >   Disabling protocol version 2. Could not load host key
> >
> >   telnet localhost 2022
> >   SSH-1.5-OpenSSH_3.0.2p1
> >
> > I will dig around in the code a little and see what I find.
> >
> > > # ssh -2 -p2020 localhost
> > > root at localhost's password:
> >
> > Since you normally use Protocol 2 this host is already in your
> > known_hosts file.  Which means I can't see if this is using the DSA
> > host key or an RSA host key.
> >
> To tell you the truth.. it is RSA.. I did not think about passing a DSA
> key.  I tend to disable DSA key support.
>
> Again it goes back to my own personal policy of "any unrequired feature
> that can be easily disabled should be disabled".  Just so happens this
> box has DSA key support enabled.
>
> $ ssh -1 -o"HostKeyAlgorithms ssh-dss" localhost
> Protocol major versions differ: 1 vs. 2
>
Scratch that, it should be:

$ ssh -p2020 -o"HostKeyAlgorithms ssh-dss" localhost
no hostkey alg

Which is what I would expect: forcing DSA keys onto a server that does
not support DSA keys.

- Ben
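The failure mode this thread circles around is a `Protocol 2,1` server that quietly drops to protocol 1 when no protocol-2 host key can be loaded, which only shows up in the banner (`SSH-1.5-...` instead of `SSH-1.99-...`) or when a client forces a `HostKeyAlgorithms` the server cannot offer. The script below is an added example, not code from the thread or from OpenSSH itself: it parses a server banner into the protocol versions it advertises, and it checks an sshd_config for the Protocol/HostKey mismatch before the daemon is restarted. Assumptions, all labelled in the code: the sample config files are constructed here and are not the posters' actual files; host keys are matched by the conventional file names `ssh_host_key` (protocol 1) and `ssh_host_rsa_key` / `ssh_host_dsa_key` (protocol 2); a config with no HostKey line at all is reported as "defaults" because sshd then uses its compiled-in paths, which an offline check cannot inspect; and an absent Protocol line is treated as `2,1`.

```shell
#!/bin/sh
# Added example (not from the original thread, not OpenSSH code): detect the
# silent "Protocol 2,1 -> protocol 1 only" degradation discussed above.

# ssh_banner_versions BANNER
# Prints the protocol versions a server banner advertises. The banner is the
# first line a server sends, e.g. what "telnet host port" shows:
#   SSH-1.5-...  -> protocol 1 only
#   SSH-1.99-... -> protocols 1 and 2
#   SSH-2.0-...  -> protocol 2 only
ssh_banner_versions() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^SSH-\([0-9][0-9.]*\)-.*$/\1/p')
    case "$ver" in
        1.99) echo "1 2" ;;
        2.*)  echo "2" ;;
        1.*)  echo "1" ;;
        *)    echo "unknown"; return 1 ;;
    esac
}

# check_sshd_config FILE
# Reads the active Protocol and HostKey directives (commented lines ignored,
# as sshd ignores them) and checks that every enabled protocol version has a
# host key named for it. Assumption: keys are identified by the conventional
# file names ssh_host_key (v1) and ssh_host_rsa_key / ssh_host_dsa_key (v2).
# Assumption: no HostKey line at all means sshd's compiled-in default paths,
# reported here as "defaults" since this offline check cannot inspect them.
# Assumption: a missing Protocol line is treated as "2,1".
check_sshd_config() {
    file=$1
    protocol=$(sed -n 's/^[[:space:]]*[Pp]rotocol[[:space:]]\{1,\}\([0-9,]*\).*/\1/p' "$file" | tail -n 1)
    [ -n "$protocol" ] || protocol="2,1"
    hostkeys=$(sed -n 's/^[[:space:]]*[Hh]ost[Kk]ey[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$file")
    if [ -z "$hostkeys" ]; then
        echo "defaults"
        return 0
    fi
    rc=0
    for v in $(printf '%s\n' "$protocol" | tr ',' ' '); do
        case "$v" in
            1) pat='ssh_host_key$' ;;
            2) pat='ssh_host_(rsa|dsa)_key$' ;;
            *) echo "unknown protocol $v"; rc=1; continue ;;
        esac
        if printf '%s\n' "$hostkeys" | grep -Eq "$pat"; then
            echo "protocol $v: host key configured"
        else
            echo "protocol $v: NO host key configured"
            rc=1
        fi
    done
    return $rc
}

# make_sample_config KIND FILE
# Writes a constructed sample config (not the posters' real files) to FILE.
# "broken" mirrors the thread: Protocol 2,1 with the only v2 key commented out.
# "good" adds an RSA host key line so protocol 2 has a key to load.
make_sample_config() {
    case "$1" in
        broken) printf '%s\n' 'Port 2022' 'Protocol 2,1' \
                    'HostKey /etc/ssh_host_key' \
                    '# HostKey /etc/ssh_host_dsa_key' > "$2" ;;
        good)   printf '%s\n' 'Port 2022' 'Protocol 2,1' \
                    'HostKey /etc/ssh_host_key' \
                    'HostKey /etc/ssh_host_rsa_key' > "$2" ;;
        *)      return 1 ;;
    esac
}

demo() {
    tmp=$(mktemp)
    for kind in broken good; do
        make_sample_config "$kind" "$tmp"
        echo "== $kind config =="
        if check_sshd_config "$tmp"; then echo "OK"; else echo "MISMATCH"; fi
    done
    rm -f "$tmp"
    echo "banner SSH-1.5-OpenSSH_3.0.2p1 offers: $(ssh_banner_versions 'SSH-1.5-OpenSSH_3.0.2p1')"
}
demo
```

Run `check_sshd_config` against the file you are about to hand to `sshd -f`; a "NO host key configured" line for protocol 2 is exactly the case that produced "Disabling protocol version 2" above. After restart, feed the first line from `telnet host port` to `ssh_banner_versions` to confirm the server actually advertises 1.99 rather than 1.5.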

More information about the openssh-unix-dev mailing list