Question about Server Authentication

Dan Kaminsky dan at doxpara.com
Thu Oct 1 18:58:02 EST 2009


On Thu, Oct 1, 2009 at 10:35 AM, Damien Miller <djm at mindrot.org> wrote:
> On Wed, 30 Sep 2009, Steeve BARBEAU wrote:
>
>> @Dan : Yes, a little, because if you want to automate SSH connection in a
>> script, you are obliged to know which algorithm the server is using (RSA,
>> DSA or both). The only "solution" I see is to configure all servers in the
>> same way, but if OpenSSH developers can correct this in a future version it
>> will be very nice.
>> @Damien : "HostKeyAlgorithms ssh-dss, ssh-rsa" is just to change which key to
>> use, isn't it? With this ("HostKeyAlgorithms ssh-dss, ssh-rsa"), you are
>> obliged to have the DSA server key in your known_hosts file. If you have no
>> key or the RSA one, it asks you to add the DSA one.
>>
>> So the ideal for me would be, in the case where both RSA and DSA are enabled,
>> that the ssh client checks the known_hosts file for both RSA and DSA keys;
>> actually I don't think that OpenSSH can do this. Actually, OpenSSH
>> (client-side) searches for the preferred algorithm and if it doesn't find it,
>> it wants to add this key without trying server authentication with the other
>> key (if another is present).
>
> Please file a request at https://bugzilla.mindrot.org/ to track this, though
> I have to say it will be pretty far down the priority queue - most people
> just pick a key type (almost always the default) and accept that. I think
> that very few users would have the client/server keys ever change type.
>
> -d
>

Poked around on this a little.  I'm curious, looks like the codepath is:

check_key_in_hostfiles -> check_host_in_hostfile ->
check_host_in_hostfile_by_key_or_type.  Also looks like *key contains
the actual type of the key being tested.

Could we put this a little bit after hostfile_read_key in
check_host_in_hostfile_by_key_or_type and call it a day?

/* known_hosts entry is of a different key type than the key being
   tested: skip it instead of treating it as a mismatch */
if (key != NULL &&
    found != NULL &&
    key->type != found->type) { continue; }


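To make the known_hosts lookup discussed in this thread concrete, here is an added example (my own illustration, not OpenSSH code): it parses plain and hashed known_hosts entries, reports which key types a host is already recorded under, and classifies a presented server key so that an entry of a different type is skipped rather than reported as a changed key. The host names, key blobs and salt are constructed.

```python
import base64
import hashlib
import hmac

def hash_host(host, salt):
    """Hashed known_hosts host token: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(token, host):
    """True if a known_hosts host field (plain, comma list or hashed) covers host."""
    if token.startswith("|1|"):
        salt_b64 = token.split("|")[2]
        return hmac.compare_digest(hash_host(host, base64.b64decode(salt_b64)), token)
    return host in token.split(",")

def parse_known_hosts(text):
    """Yield (host_field, key_type, key_blob) for each non-comment entry."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#"):
            yield parts[0], parts[1], parts[2]

def recorded_key_types(text, host):
    """All key types known_hosts already records for host (what a script wants to know)."""
    return {kt for hf, kt, _ in parse_known_hosts(text) if host_matches(hf, host)}

def classify_server_key(text, host, key_type, key_blob):
    """'ok': same type and blob recorded; 'changed': same type, different blob;
    'new-type': host known only under other types (the case in the thread);
    'unknown': no entry. Entries of another type are skipped, never 'changed'."""
    same_type = [blob for hf, kt, blob in parse_known_hosts(text)
                 if host_matches(hf, host) and kt == key_type]
    if key_blob in same_type:
        return "ok"
    if same_type:
        return "changed"
    return "new-type" if recorded_key_types(text, host) else "unknown"

def sample_known_hosts():
    """Constructed known_hosts: host1 with RSA and DSA entries, host2 hashed, RSA only."""
    salt = b"constructed-salt-20b"  # constructed 20-byte salt; blobs below are placeholders
    return "\n".join([
        "# constructed example; key blobs are placeholders, not real keys",
        "host1.example.com,10.0.0.5 ssh-rsa AAAAB3RSAHOST1",
        "host1.example.com,10.0.0.5 ssh-dss AAAAB3DSAHOST1",
        hash_host("host2.example.com", salt) + " ssh-rsa AAAAB3RSAHOST2",
    ])
```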