Question regarding Host keys.

Mahoda Ratnayaka mahodardev at
Wed Sep 7 13:59:57 AEST 2016


I'm having a problem when I add "HostKeyAlgorithms +ssh-dss" to the
ssh_config file the host key will always negotiate to a wrong one. In my
case it will negotiate to "ecdsa-sha2-nistp256". The client was already
configured with the servers rsa public key, before the change I added to
the ssh_config file I could see from the debug that server and client will
negotiate to use ssh-rsa as expected. After change unfortunately the client
and server will negotiate to use ecdsa-sha2-nistp256, then later will
complain "REMOTE HOST IDENTIFICATION HAS CHANGED" and fail. I got around
this by adding the ecdsa public key to the know hosts.

After some instigation I noticed that before my change the host keys will
reorder to use the rsa based ones first and the others after, but not after
my change. So, I would like to know is there a reason for not allowing the
keys to reorder after specifying them in the ssh_config file, and will this
behaviour be changed in an upcoming release. I think it would be nice to
reorder the host keys even when they from the config file.


More information about the openssh-unix-dev mailing list