Question about Server Authentication

Steeve BARBEAU petfire85 at yahoo.fr
Thu Oct 1 07:40:14 EST 2009


@Dan : Yes, a little, because if you want to automate an SSH connection in a
script, you are obliged to know which algorithm the server is using (RSA,
DSA or both). The only "solution" I see is to configure all servers in the
same way, but if the OpenSSH developers can correct this in a future version it
will be very nice.
@Damien : "HostKeyAlgorithms ssh-dss, ssh-rsa" is just to change which key to
use, isn't it? With this ("HostKeyAlgorithms ssh-dss, ssh-rsa"), you are
obliged to have the DSA server key in your known_hosts file. If you have no
key or the RSA one, it asks you to add the DSA one.

So the ideal for me would be, in the case where both RSA and DSA are enabled,
that the ssh client checks the known_hosts file for both RSA and DSA keys;
actually I don't think that OpenSSH can do this. Currently, OpenSSH
(client-side) searches for the preferred algorithm and if it doesn't find it,
it wants to add this key without trying server authentication with the other
key (if another is present).


More information about the openssh-unix-dev mailing list
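The situation the post describes (a script that must connect non-interactively, without knowing in advance whether the server's RSA or DSA key is the one recorded locally) can be handled on the script side by reading known_hosts first and passing the client exactly the key types it already has. The block below is an added example, not code from the post, its author, or the OpenSSH project. It parses the known_hosts format as OpenSSH writes it (plain comma-separated host lists with `*`/`?` wildcards, and `|1|salt|hash` entries produced by `HashKnownHosts`, which are HMAC-SHA1 over the host name keyed with the salt), skips `@cert-authority`/`@revoked` marker lines, and then builds an `ssh` argv whose `HostKeyAlgorithms` value (a comma-separated list, no spaces) is restricted to the types found, together with `StrictHostKeyChecking=yes` and `BatchMode=yes` so that a missing or mismatching key fails the job instead of prompting. The sample known_hosts content, the salt, the host names and the `backup` user are constructed for the example; the key blobs are truncated placeholders and are never decoded.

```python
import base64
import hashlib
import hmac
from fnmatch import fnmatchcase
from typing import List, Set

HASH_MAGIC = "|1|"  # prefix OpenSSH puts on hashed host names (HashKnownHosts yes)


def hash_host(host: str, salt: bytes) -> str:
    """Build the hashed host token OpenSSH writes when HashKnownHosts is on:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def _plain_match(pattern: str, host: str) -> bool:
    """One element of a plain (unhashed) host list against `host`."""
    if pattern.startswith("!"):
        # Negated patterns exist in OpenSSH; this simplified matcher treats
        # them as "no match" rather than implementing full negation.
        return False
    if "[" in pattern:
        # "[host]:port" entries are compared literally so fnmatch does not
        # read the brackets as a character class.
        return pattern == host
    return fnmatchcase(host, pattern)  # '*' and '?' wildcards, as in ssh


def host_matches(token: str, host: str) -> bool:
    """Does the first field of a known_hosts line cover `host`?"""
    if token.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, digest_b64 = token.split("|", 3)
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(digest_b64)
        except ValueError:
            return False  # malformed hashed entry, ignore it
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return any(_plain_match(p, host) for p in token.split(","))


def key_types_for_host(known_hosts: str, host: str) -> Set[str]:
    """Collect the key types (ssh-rsa, ssh-dss, ...) recorded for `host`."""
    found: Set[str] = set()
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            # @cert-authority / @revoked lines are not plain host keys: skip.
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        host_field, key_type = fields[0], fields[1]
        if host_matches(host_field, host):
            found.add(key_type)
    return found


def ssh_command(host: str, known_hosts: str, user: str = "backup") -> List[str]:
    """argv for a non-interactive ssh call.  HostKeyAlgorithms is limited to the
    types already present in known_hosts, so the client never negotiates a type
    it has no stored key for; StrictHostKeyChecking=yes plus BatchMode=yes turn
    a missing or changed key into a hard failure instead of a prompt."""
    argv = ["ssh", "-o", "StrictHostKeyChecking=yes", "-o", "BatchMode=yes"]
    types = key_types_for_host(known_hosts, host)
    if types:
        # Comma-separated with no spaces: the syntax ssh_config expects.
        argv += ["-o", "HostKeyAlgorithms=" + ",".join(sorted(types))]
    argv.append(f"{user}@{host}")  # 'backup' is a placeholder user name
    return argv


# Constructed sample known_hosts (not from any real system).  The salt is fixed
# so the hashed entry is reproducible; real salts are random.
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, key blobs truncated",
    "server1.example.org,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E= host1-rsa",
    hash_host("server1.example.org", SAMPLE_SALT) + " ssh-dss AAAAB3NzaC1kc3M= host1-dsa-hashed",
    "server2.example.org ssh-dss AAAAB3NzaC1kc3M= host2-dsa",
    "@revoked server2.example.org ssh-rsa AAAAB3NzaC1yc2E= host2-old-rsa",
    "*.lab.example.org ssh-rsa AAAAB3NzaC1yc2E= lab-wildcard",
])

if __name__ == "__main__":
    for h in ("server1.example.org", "192.0.2.10", "server2.example.org", "nowhere.example.org"):
        print(h, sorted(key_types_for_host(SAMPLE_KNOWN_HOSTS, h)))
        print("  ", " ".join(ssh_command(h, SAMPLE_KNOWN_HOSTS)))
```

In a real script you would read `~/.ssh/known_hosts` (and the system-wide file, if any) instead of `SAMPLE_KNOWN_HOSTS` and hand the returned argv to `subprocess.run`. The point of the restriction is that the client is only ever offered key types you can verify, so the "please add this key" prompt the post describes cannot occur in batch mode; if the host is absent from known_hosts, the command is still built without a `HostKeyAlgorithms` option and `StrictHostKeyChecking=yes` makes the connection fail closed.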