Compatibility issue: OpenSSH v2.3.0p1 vs. 3.0.2: RSA keys
Gert Doering
gert at greenie.muc.de
Wed Mar 6 21:50:59 EST 2002
Hi,
On Wed, Mar 06, 2002 at 10:13:15AM +0100, Ulrich Windl wrote:
> > > Password login worked fine, but a password for an existing and
> > > configured RSA1 key was never asked, the key never tried. It always
> > > fell back to plain password authentication.
> > >
> > > After fiddling with the client configuration without success, I found
> > > out that using "ssh -1" made the client succeed.
> >
> > RSA1 keys won't be used on "-2" connections, they're protocol 1 only.
> >
> > So without "-1" you effectively do not *have* a key, and thus ssh won't
> > ask you for a password.
>
> However if you disable plain password in the client's configuration, no
> connection can be made using the auto-negotiated protocol, while the v1
> protocol would work just fine.
That's the way it is. V2 is the default now (documented in the release
notes to 2.9, if I remember correctly), and it won't use V1 keys.
> The problem seems to be that OpenSSH uses version numbers to decide
> about features, while an explicit feature list would be the way to go.
> OpenSSH will never know all the implementations of the SSH protocol.
I can't follow you here. The server states what protocols it can do, and
the client knows which one it prefers in case there are multiple options.
If you want to stay with protocol 1 for servers that support it, put
"protocol 1,2"
into your ssh_config file. Then ssh will default to "-1" and fall back to
"-2" for servers that don't support ssh protocol 1 (and of course your
key won't work then, no matter how much you complain - protocol 1 keys
*do not work* with protocol 2).
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de
More information about the openssh-unix-dev
mailing list