Manual Page for ssh_config
openssh at roumenpetrov.info
Fri May 9 16:50:11 EST 2003
I have RSA (line 6) and DSA (line 7) keys for localhost in
$HOME/.ssh/known_hosts
Samples:
$ ssh -v -o HostKeyAlgorithms=ssh-rsa,ssh-dss localhost
...
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /XXXX/.ssh/known_hosts:6
debug1: ssh_rsa_verify: signature correct
...
$ ssh -v -o HostKeyAlgorithms=ssh-dss,ssh-rsa localhost
...
debug1: Host 'localhost' is known and matches the DSA host key.
debug1: Found key in /XXXX/.ssh/known_hosts:7
debug1: ssh_dss_verify: signature correct
...
Sorry, but I cannot understand where the problem is, and I cannot test with
such an old server version (insufficient time).
When only an RSA key is in ~/.ssh/known_hosts and ssh-dss comes after ssh-rsa,
no DSA key is appended to the file.
Dirk GOUDERS wrote:
>Hi Roumen,
>
> > Please find answers in quoted text.
>
>thanks for your answers.
>
> > >and I noticed that the manual page for ssh_config probably needs to be
> > >fixed. The manual page says that the default value for the parameter
> > >HostKeyAlgorithms is "ssh-rsa,ssh-dss" but that seems to be wrong,
> > >
> > definitely NO
>
>OK, then I am misunderstanding something and I would be glad if you
>could help me to understand it.
>
>Maybe I should also tell about the server's OpenSSH version.
>
>OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
>
> > >because ssh only uses RSA-Keys in my .ssh/known_hosts if I
> > >explicitly set the parameter with "ssh-rsa,ssh-dss". If the
> > >
> > Please check closely:
> > 1. command-line options
>
>I only give the user/hostname, i.e. "ssh root at somehost.myorg".
>
> > 2. user's configuration file ($HOME/.ssh/config)
>
>That file doesn't exist.
>
> > 3. system-wide configuration file (usually /etc/ssh/ssh_config)
>
>This file exists (initial comments left out):
>
>Host *
># HostKeyAlgorithms ssh-rsa,ssh-dss
># ForwardAgent no
> ForwardX11 yes
># RhostsAuthentication no
># RhostsRSAAuthentication no
># RSAAuthentication yes
># PasswordAuthentication yes
># BatchMode no
># CheckHostIP no
># StrictHostKeyChecking ask
># IdentityFile ~/.ssh/identity
># IdentityFile ~/.ssh/id_rsa
># IdentityFile ~/.ssh/id_dsa
># Port 22
># Protocol 2,1
># Cipher 3des
># Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
># EscapeChar ~
># VersionAddendum FreeBSD-20030201
>
>
> > >parameter remains commented out, ssh doesn't use the already known
> > >RSA key:
> > >
> > Are you sure ?
>
>Well with the above configuration, I get asked the following question:
>
> > >WARNING: RSA key found for host somehost.myorg
> > >in /home/somebody/.ssh/known_hosts:1
> > >RSA key fingerprint d9:ea:ea:c6:10:ab:59:92:87:c9:f0:40:d4:b7:9b:77.
> > >The authenticity of host 'somehost.myorg (192.168.0.22)' can't be established,
> > >but keys of different type are already known for this host.
> > >DSA key fingerprint is 14:cc:25:36:17:77:a9:e2:40:84:5a:03:b7:b1:08:5f.
> > >Are you sure you want to continue connecting (yes/no)? no
> > >
> > Just write "yes" and see what happen at next session.
>
>And if I answer "yes", a ssh-dss key is appended to my
>~/.ssh/known_hosts file, although a ssh-rsa key for that host already
>exists at the top of the file.
>
>But, if I use a ssh_config with the parameter
>"HostKeyAlgorithms ssh-rsa,ssh-dss" enabled, I am not asked a question
>and (I hope) the ssh-rsa key for somehost.myorg out of
>~/.ssh/known_hosts is used.
>
> > I think that your server was started only (!) with a DSS key; after this an
> > RSA key was added and the server restarted, or at the first session to "somehost.myorg"
> > HostKeyAlgorithms was "ssh-dss,ssh-rsa".
>
>Can you tell me, how I can check this?
>
>Best regards,
>
>Dirk
>
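The behaviour argued about above (the client's HostKeyAlgorithms order decides which host key type is negotiated, and a mismatch against known_hosts produces the "keys of different type are already known" warning) can be modelled offline. The following is an added example written for this page; it is not code from the thread or from OpenSSH. The known_hosts sample is constructed, its key blobs carry only the real wire-format framing (a length-prefixed type string) around dummy payloads, and all function names (parse_known_hosts, negotiate_hostkey_alg, check_host_key, prefer_known) are this example's own. The prefer_known step reflects what current ssh_config(5) documents for the HostKeyAlgorithms default, not what the 2.9/3.x client in the thread did.

```python
import base64
import hashlib
import struct
from typing import Dict, List, Tuple

# (lineno, hostnames, keytype, raw public key blob)
KnownHosts = List[Tuple[int, List[str], str, bytes]]


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def fake_key_blob(keytype: str, seed: bytes) -> bytes:
    """CONSTRUCTED test data: real public-key framing (first field is the key
    type string) around a dummy payload instead of actual key material."""
    return _ssh_string(keytype.encode()) + _ssh_string(seed)


def _entry(hosts: str, keytype: str, seed: bytes) -> str:
    return f"{hosts} {keytype} " + base64.b64encode(fake_key_blob(keytype, seed)).decode()


# Constructed sample: localhost has both key types (lines 1 and 2, like lines
# 6 and 7 in the mail); somehost.myorg has only an RSA key (line 3).
SAMPLE_KNOWN_HOSTS = "\n".join([
    _entry("localhost", "ssh-rsa", b"rsa-local"),
    _entry("localhost", "ssh-dss", b"dsa-local"),
    _entry("somehost.myorg,192.168.0.22", "ssh-rsa", b"rsa-somehost"),
    "# comment lines and blank lines are skipped",
    "",
])


def parse_known_hosts(text: str) -> KnownHosts:
    """Parse known_hosts lines. An entry whose declared type differs from the
    type embedded in the blob is rejected as corrupted rather than trusted."""
    entries: KnownHosts = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"known_hosts:{lineno}: too few fields")
        hosts, keytype, blob = fields[0].split(","), fields[1], base64.b64decode(fields[2])
        (tlen,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + tlen].decode() != keytype:
            raise ValueError(f"known_hosts:{lineno}: key type mismatch")
        entries.append((lineno, hosts, keytype, blob))
    return entries


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format the 2003-era client prints."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def known_types(entries: KnownHosts, host: str) -> Dict[str, int]:
    """Map key type -> known_hosts line number for every entry matching host."""
    return {kt: ln for ln, hosts, kt, _ in entries if host in hosts}


def negotiate_hostkey_alg(client_pref: List[str], server_types: List[str]) -> str:
    """SSH-2 algorithm negotiation: the first entry of the client's
    HostKeyAlgorithms list that the server also offers wins."""
    for alg in client_pref:
        if alg in server_types:
            return alg
    raise RuntimeError("no matching host key algorithm")


def check_host_key(entries: KnownHosts, host: str, negotiated: str) -> str:
    """Classify what the client reports for the negotiated key type."""
    kinds = known_types(entries, host)
    if negotiated in kinds:
        return f"known ({negotiated} at known_hosts:{kinds[negotiated]})"
    if kinds:
        return f"WARNING: keys of different type are already known; prompt to add {negotiated}"
    return f"unknown host; prompt to add {negotiated}"


def prefer_known(client_pref: List[str], entries: KnownHosts, host: str) -> List[str]:
    """Move key types already in known_hosts to the front of the preference
    list, so an existing entry is used instead of a second type being added."""
    kinds = known_types(entries, host)
    return [a for a in client_pref if a in kinds] + [a for a in client_pref if a not in kinds]


if __name__ == "__main__":
    kh = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    server = ["ssh-rsa", "ssh-dss"]  # server offers both key types, as in the thread
    for pref in (["ssh-rsa", "ssh-dss"], ["ssh-dss", "ssh-rsa"]):
        alg = negotiate_hostkey_alg(pref, server)
        print(pref, "->", alg, ":", check_host_key(kh, "somehost.myorg", alg))
    print("reordered:", prefer_known(["ssh-dss", "ssh-rsa"], kh, "somehost.myorg"))
```

Running it prints the two outcomes from the mail: with ssh-rsa first the existing RSA entry on line 3 is used; with ssh-dss first the client negotiates DSA, finds no DSA entry, and warns that a key of a different type is already known. The reordering step shows why the prompt never appears once already-known types are preferred.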