Strange crypto choices

Stuart Henderson stu at spacehopper.org
Mon May 28 01:27:21 AEST 2018


On 2018-05-26, Christian Weisgerber <naddy at mips.inka.de> wrote:
> On 2018-05-26, Stuart Henderson <stu at spacehopper.org> wrote:
>
>> Changing HostKeyAlgorithms means that the existing entries in known_hosts
>> don't match, so the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED"
>> message is triggered.
>
> That's not true.  I'm using the default HostKeyAlgorithms along
> with a known_hosts file composed almost entirely of ssh-ed25519
> entries.
>
> The first entry in HostKeyAlgorithms is only used to pick the key
> type on first contact; afterwards ssh uses the key type from
> known_hosts as long as that type has an entry somewhere in
> HostKeyAlgorithms.
>
> As ssh_config(5) says under HostKeyAlgorithms:
>
>   If hostkeys are known for the destination host then this default
>   is modified to prefer their algorithms.
>

Ah - this *was* a problem (I remember it when ECDSA was added),
but I see it was fixed in 2010.
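The rule Christian quotes from ssh_config(5) is easy to misread, so here is a small model of it as an added illustration (this is not OpenSSH's own code, and the known_hosts entries, key blobs and HostKeyAlgorithms list below are constructed samples). It strips certificate suffixes and maps the rsa-sha2-* signature algorithms back to the ssh-rsa key type, moves algorithms whose key type already appears in known_hosts for the destination to the front in their configured order, and leaves everything else behind them. It also shows the case the thread started from: when a host has a known key whose type is no longer listed in HostKeyAlgorithms at all, the server has to present a different key, which is what produces the host-identification-changed warning.

```python
import re

# Constructed sample known_hosts content; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# comment line
example.org,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-placeholder
example.org ssh-rsa AAAAB3NzaC1yc2E-placeholder
[other.example.net]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNh-placeholder
|1|hashed-placeholder|hashed-placeholder ssh-ed25519 AAAA-placeholder
"""

# Constructed HostKeyAlgorithms list in configured preference order (shaped like
# an OpenSSH default but abbreviated; not copied from any release).
SAMPLE_HOSTKEY_ALGORITHMS = [
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ssh-ed25519-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256",
    "ssh-ed25519",
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ssh-rsa",
]

CERT_SUFFIX = "-cert-v01@openssh.com"


def key_type_of(algorithm):
    """Map a host-key *algorithm* name to the plain key *type* it verifies.

    Certificate variants drop the cert suffix; the rsa-sha2-* signature
    algorithms all verify ssh-rsa keys.
    """
    base = algorithm[:-len(CERT_SUFFIX)] if algorithm.endswith(CERT_SUFFIX) else algorithm
    if base in ("rsa-sha2-256", "rsa-sha2-512"):
        return "ssh-rsa"
    return base


def parse_known_hosts(text):
    """Return {hostname: [key types]} from known_hosts text.

    Simplified model: comments, blank lines, hashed (|1|...) entries and
    @cert-authority/@revoked marker lines are skipped; comma-separated host
    lists are expanded and [host]:port is reduced to host.
    """
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, key_type = fields[0], fields[1]
        for host in hosts.split(","):
            m = re.fullmatch(r"\[(.+)\]:\d+", host)
            known.setdefault(m.group(1) if m else host, []).append(key_type)
    return known


def order_hostkey_algorithms(configured, known_types):
    """Apply the ssh_config(5) rule: algorithms whose key type is already in
    known_hosts for this host move to the front (keeping configured order),
    the rest follow. With no known keys the configured order is unchanged."""
    known = set(known_types)
    preferred = [a for a in configured if key_type_of(a) in known]
    others = [a for a in configured if key_type_of(a) not in known]
    return preferred + others


def algorithms_for_host(host, configured, known_hosts_text):
    """Preference list ssh would offer for `host` given this known_hosts content."""
    known = parse_known_hosts(known_hosts_text).get(host, [])
    return order_hostkey_algorithms(configured, known)


def known_key_is_verifiable(host, configured, known_hosts_text):
    """False when the host has a known key but none of its types is offered in
    HostKeyAlgorithms: the server must then present a different key, which is
    what triggers the REMOTE HOST IDENTIFICATION HAS CHANGED warning."""
    known = set(parse_known_hosts(known_hosts_text).get(host, []))
    if not known:
        return True  # first contact: nothing recorded yet, first entry decides
    return any(key_type_of(a) in known for a in configured)


if __name__ == "__main__":
    for host in ("example.org", "new.example.com"):
        print(host, "->", algorithms_for_host(host, SAMPLE_HOSTKEY_ALGORITHMS, SAMPLE_KNOWN_HOSTS))
    # Restricting HostKeyAlgorithms to types the host is *not* known by:
    print(known_key_is_verifiable("other.example.net", ["ssh-ed25519"], SAMPLE_KNOWN_HOSTS))
```

The practical check this suggests: before tightening HostKeyAlgorithms on a client, confirm every host in known_hosts still has at least one key type left in the list; if not, the first connection to that host will look like a key change rather than a configuration change.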



