Question about Server Authentication

Damien Miller djm at mindrot.org
Wed Sep 30 10:05:15 EST 2009


On Mon, 7 Sep 2009, Steeve BARBEAU wrote:

>
> Hi guys,
>
> I'm working on a project which concerns SSH and there is something I
> don't understand about server authentication. So I explain my problem:
>
> - When you authorize only RSA keys in the sshd_config on the server,
> you need to have the RSA public key of this server in the known_hosts
> file of the client. This is absolutely normal.
>
> - When you authorize only DSA keys in the sshd_config on the server,
> you need to have the DSA public key of this server in the known_hosts
> file of the client. This is also absolutely normal.
>
> - But when you authorize both RSA and DSA keys, you are obliged to
> have the RSA public key in the known_hosts file; without it, it fails. If
> there is only DSA in the known_hosts file it fails, and this is what I
> don't understand. Why doesn't the server authentication work with the
> DSA key when both DSA and RSA are authorized? (Of course if both are
> present in the known_hosts file, it works.) So if somebody can help me
> about this, it will be nice ;)

When the server offers both ssh-rsa and ssh-dss server key types, the
client's preference determines what is actually used. Since the client
offers ssh-rsa,ssh-dss by default (controllable via HostKeyAlgorithms),
RSA will always win if the server supports it.

It might be possible to look for a DSA key in known_hosts and change the
order if one is found without a corresponding RSA key, but I don't really
see much point.

-d
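The negotiation Damien describes, as an added illustration that is not part of this thread or of OpenSSH's own code: the client's HostKeyAlgorithms list is walked in order and the first entry the server also offers wins (RFC 4253, section 7.1), so with the default "ssh-rsa,ssh-dss" a server that has both keys is always verified against its RSA key, and a known_hosts file holding only the DSA key cannot match. The second half implements the reordering he mentions as possible: scan known_hosts for the host and move the key types already on file to the front of the list. The known_hosts contents, host names and key blobs below are constructed placeholders, not real keys.

```python
# Added example (not OpenSSH code): RFC 4253 section 7.1 host-key
# algorithm negotiation, plus a known_hosts-driven reordering of the
# client's HostKeyAlgorithms preference list.

# Constructed sample known_hosts; the base64 blobs are placeholders,
# not real public keys.
KNOWN_HOSTS = """\
# host(s)                 type     key
example.org               ssh-dss  AAAAB3NzaC1kc3MAAACBAPLACEHOLDER
example.org,192.0.2.10    ssh-rsa  AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER
other.example             ssh-dss  AAAAB3NzaC1kc3MAAACBAPLACEHOLDER
"""

# The OpenSSH client default named in the reply above.
DEFAULT_CLIENT_PREFS = ["ssh-rsa", "ssh-dss"]


def negotiate_host_key_alg(client_prefs, server_offers):
    """RFC 4253 section 7.1: the first algorithm on the client's name-list
    that is also present on the server's name-list is chosen. No overlap
    means the key exchange fails (None here)."""
    for alg in client_prefs:
        if alg in server_offers:
            return alg
    return None


def known_key_types(known_hosts_text, hostname):
    """Return the set of key types recorded for hostname in a known_hosts
    file. Hashed entries (|1|salt|hash) are skipped here: without the host
    name in the clear, this simple scanner cannot match them. Marker
    lines (@cert-authority, @revoked) are handled by shifting fields."""
    types = set()
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            continue  # malformed line, ignore
        hosts, keytype = fields[0], fields[1]
        if hosts.startswith("|1|"):
            continue
        if hostname in hosts.split(","):
            types.add(keytype)
    return types


def prefer_known(client_prefs, known):
    """The reordering the reply says 'might be possible': key types we
    already have on file move to the front, relative order preserved."""
    have = [a for a in client_prefs if a in known]
    lack = [a for a in client_prefs if a not in known]
    return have + lack


def host_key_verifies(chosen_alg, known):
    """Simplified host-key check: verification can only succeed if the
    negotiated key type is one we have a record for. (Real ssh also
    compares the key material; that part is omitted here.)"""
    return chosen_alg is not None and chosen_alg in known


if __name__ == "__main__":
    server = ["ssh-rsa", "ssh-dss"]       # sshd configured with both keys
    known = known_key_types(KNOWN_HOSTS, "other.example")  # only ssh-dss on file

    chosen = negotiate_host_key_alg(DEFAULT_CLIENT_PREFS, server)
    print("default prefs  ->", chosen, "verifies:", host_key_verifies(chosen, known))

    reordered = prefer_known(DEFAULT_CLIENT_PREFS, known)
    chosen = negotiate_host_key_alg(reordered, server)
    print("reordered prefs", reordered, "->", chosen,
          "verifies:", host_key_verifies(chosen, known))
```

The manual equivalent at the time of this thread is to set the preference on the client side, e.g. `ssh -o HostKeyAlgorithms=ssh-dss,ssh-rsa host`, so that the DSA key already in known_hosts is the one the server is asked to prove. Later OpenSSH releases added a known_hosts-driven reordering of this kind to the client itself.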

