Question about Server Authentication

Damien Miller djm at mindrot.org
Thu Oct 1 18:35:04 EST 2009


On Wed, 30 Sep 2009, Steeve BARBEAU wrote:

> @Dan : Yes, a little, because if you want to automate SSH connection in a
> script, you are obliged to know which algorithm the server is using (RSA,
> DSA or both). The only "solution" I see is to configure all servers in the
> same way, but if OpenSSH developers can correct this in a future version it
> will be very nice.
> @Damien : "HostKeyAlgorithms ssh-dss, ssh-rsa" is just to change which key to
> use, isn't it? With this ("HostKeyAlgorithms ssh-dss, ssh-rsa"), you are
> obliged to have the DSA server key in your known_hosts file. If you have no
> key or the RSA one, it asks you to add the DSA.
> 
> So the ideal for me would be, in the case where both RSA and DSA are enabled,
> that the ssh client checks the known_hosts file for both RSA and DSA keys;
> actually I don't think that OpenSSH can do this. Currently, OpenSSH
> (client-side) searches for the preferred algorithm and if it doesn't find it,
> it wants to add this key without trying server authentication with the other
> key (if another is present).

Please file a request at https://bugzilla.mindrot.org/ to track this, though
I have to say it will be pretty far down the priority queue - most people
just pick a key type (almost always the default) and accept that. I think
that very few users would have the client/server keys ever change type.

-d
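A client-side workaround for the situation discussed in this thread, added here as an example and not code from the original mail or from OpenSSH: read known_hosts, find which key types are already recorded for a host, and build a HostKeyAlgorithms value from only those types, so an automation script prefers a key it can verify instead of being prompted to add a new one. The known_hosts content, hostnames and key material are constructed samples; hashed (|1|...) entries are skipped because matching them needs ssh-keygen -F.

```shell
#!/bin/sh
# Constructed sample known_hosts (not from the original thread): host-a has
# only an RSA key, host-b has both DSA and RSA, the last entry is hashed.
SAMPLE_KNOWN_HOSTS='# constructed sample
host-a.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7EXAMPLE
host-b.example,192.0.2.10 ssh-dss AAAAB3NzaC1kc3MAAACBAPEXAMPLE
host-b.example,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLE'

# known_host_key_types HOST [FILE]
# Prints the key types (ssh-rsa, ssh-dss, ...) recorded for HOST in a
# known_hosts file, one per line, in file order, without duplicates.
# Hashed entries (|1|salt|hash) cannot be matched by name here; use
# "ssh-keygen -F HOST -f FILE" for those.
known_host_key_types() {
    host=$1
    file=${2:-$HOME/.ssh/known_hosts}
    awk -v h="$host" '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        index($1, "|1|") == 1 { next }          # hashed entries: skip
        $1 ~ /^@/ { names = $2; type = $3 }     # @cert-authority / @revoked
        $1 !~ /^@/ { names = $1; type = $2 }    # plain "names type key" line
        {
            n = split(names, arr, ",")          # "host,ip,..." name list
            for (i = 1; i <= n; i++)
                if (arr[i] == h && !seen[type]++) print type
        }' "$file"
}

# hostkey_algorithms_for HOST [FILE]
# Builds a HostKeyAlgorithms value listing only the key types already in
# known_hosts for HOST. Returns non-zero when the host is unknown so a
# script can stop instead of silently accepting a new key.
hostkey_algorithms_for() {
    types=$(known_host_key_types "$1" "$2" | tr '\n' ',')
    types=${types%,}
    [ -n "$types" ] || return 1
    printf '%s\n' "$types"
}

# Usage from a script (ssh itself is not run in this example):
#   algs=$(hostkey_algorithms_for host-b.example) || exit 1
#   ssh -o "HostKeyAlgorithms=$algs" -o StrictHostKeyChecking=yes host-b.example
```

Note that ssh-dss has been disabled by default since OpenSSH 7.0, so on current clients the generated list should be limited to key types the client still accepts.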

