Manual Page for ssh_config
Dirk GOUDERS
gouders at et.bocholt.fh-ge.de
Thu May 8 00:49:20 EST 2003
Hi Roumen,
> Please find answers in quoted text.
thanks for your answers.
> >and I noticed that the manual page for ssh_config probably needs to be
> >fixed. The manual page says that the default value for the parameter
> >HostKeyAlgorithms is "ssh-rsa,ssh-dss" but that seems to be wrong,
> >
> definitely NO
OK, then I am misunderstanding something and I would be glad if you
could help me to understand it.
Maybe I should also tell about the server's OpenSSH version.
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
> >because ssh only uses RSA-Keys in my .ssh/known_hosts if I
> >explicitly set the parameter with "ssh-rsa,ssh-dss". If the
> >
> Please check closely:
> 1. command-line options
I only give the user/hostname, i.e. "ssh root@somehost.myorg".
> 2. user's configuration file ($HOME/.ssh/config)
That file doesn't exist.
> 3. system-wide configuration file (usually /etc/ssh/ssh_config)
This file exists (initial comments left out):
Host *
# HostKeyAlgorithms ssh-rsa,ssh-dss
# ForwardAgent no
ForwardX11 yes
# RhostsAuthentication no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# BatchMode no
# CheckHostIP no
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
# VersionAddendum FreeBSD-20030201
> >parameter remains commented out, ssh doesn't use the already known
> >RSA key:
> >
> Are you sure ?
Well, with the above configuration, I get asked the following question:
> >WARNING: RSA key found for host somehost.myorg
> >in /home/somebody/.ssh/known_hosts:1
> >RSA key fingerprint d9:ea:ea:c6:10:ab:59:92:87:c9:f0:40:d4:b7:9b:77.
> >The authenticity of host 'somehost.myorg (192.168.0.22)' can't be established,
> >but keys of different type are already known for this host.
> >DSA key fingerprint is 14:cc:25:36:17:77:a9:e2:40:84:5a:03:b7:b1:08:5f.
> >Are you sure you want to continue connecting (yes/no)? no
> >
> Just write "yes" and see what happens at the next session.
And if I answer "yes", an ssh-dss key is appended to my
~/.ssh/known_hosts file, although an ssh-rsa key for that host already
exists at the top of the file.
But, if I use a ssh_config with the parameter
"HostKeyAlgorithms ssh-rsa,ssh-dss" enabled, I am not asked a question
and (I hope) the ssh-rsa key for somehost.myorg out of
~/.ssh/known_hosts is used.
> I think that your server was started only (!) with DSS key, after this a
> RSA key is added and restarted or at first session to "somehost.myorg"
> HostKeyAlgorithms was "ssh-dss,ssh-rsa".
Can you tell me how I can check this?
Best regards,
Dirk
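
Added example, not part of the original message and not OpenSSH code: a small Python check that lists which key types known_hosts already holds for a host and predicts what each of the two HostKeyAlgorithms orderings mentioned in the thread would lead to. It assumes the SSH2 rule that the first algorithm in the client's list that the server also offers is chosen, and that the server offers both types; the function names and the sample known_hosts content are constructed for illustration, and the hashed-entry handling goes beyond the case in the thread.

```python
import base64, hashlib, hmac

# Constructed sample: known_hosts holding only an RSA key for the thread's host.
KNOWN_HOSTS = """\
# constructed example, key blobs are placeholders
somehost.myorg,192.168.0.22 ssh-rsa AAAAconstructedRSAblob
otherhost.myorg ssh-dss AAAAconstructedDSAblob
"""

def host_matches(field, host):
    """True if a known_hosts host field names `host` (plain or hashed form)."""
    if field.startswith("|1|"):            # hashed entry: |1|salt|HMAC-SHA1(salt, host)
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in field.split(",")        # exact names only, wildcards not handled

def known_key_types(known_hosts_text, host):
    """Return (line_number, key_type) for every SSH2 entry recorded for `host`."""
    found = []
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        parts = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers and SSH1 entries
        # (whose second field is the key size in bits, not a type name).
        if len(parts) < 3 or parts[0].startswith(("#", "@")) or parts[1].isdigit():
            continue
        if host_matches(parts[0], host):
            found.append((n, parts[1]))
    return found

def predict(client_prefs, server_types, known):
    """Pick the first client-preferred type the server offers, compare to known_hosts."""
    chosen = next((a for a in client_prefs.split(",") if a in server_types), None)
    if chosen is None:
        return None, "no common host key algorithm"
    if chosen in {t for _, t in known}:
        return chosen, "key type already known: compared silently"
    if known:
        return chosen, "prompt: keys of different type are already known"
    return chosen, "prompt: host unknown"

if __name__ == "__main__":
    known = known_key_types(KNOWN_HOSTS, "somehost.myorg")
    print("known:", known)
    for order in ("ssh-rsa,ssh-dss", "ssh-dss,ssh-rsa"):
        print(order, "->", predict(order, ["ssh-rsa", "ssh-dss"], known))
```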