ssh-ed25519 and ecdsa-sha2-nistp256 host keys

Damien Miller djm at
Thu Sep 17 07:53:57 AEST 2020

On Wed, 16 Sep 2020, Ryan Mulligan wrote:

> Here you go:


> The relevant part of my /etc/ssh/ssh_config is:
> Host *
> AddressFamily inet
> PubkeyAcceptedKeyTypes +ssh-dss
> HostKeyAlgorithms +ssh-dss

This is why you are seeing the hostkey warnings.

When HostKeyAlgorithms is left at the default, then ssh will consider the
public keys you have listed in UserKnownHostsFile and SystemKnownHostsFile
when constructing the KEXINIT host key algorithm proposal.

This is done so that, when the client and server agree on their host key
algorithms, the selected algorithm is likely to be one that the client
already has a recorded key for. Practically, it would look like this in
your debug output:

debug3: hostkeys_foreach: reading file "/home/djm/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/djm/.ssh/known_hosts:207
debug3: load_hostkeys: loaded 1 keys from test
debug3: hostkeys_foreach: reading file "/etc/ssh/ssh_known_hosts"
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01 at,rsa-sha2-256-cert-v01 at,ssh-rsa-cert-v01 at,rsa-sha2-512,rsa-sha2-256,ssh-rsa

Here, ssh found a RSA key in ~/.ssh/known_hosts and ordered the host key
algorithms to prefer it. This ordering step is only performed when the
user has not specified their own HostKeyAlgorithms. Your config does, so
you get the default set, with ssh-dss appended.

> debug2: local client KEXINIT proposal
> debug2: KEX algorithms:
> curve25519-sha256,curve25519-sha256 at,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
> debug2: host key algorithms:
> ecdsa-sha2-nistp256-cert-v01 at,ecdsa-sha2-nistp384-cert-v01 at,ecdsa-sha2-nistp521-cert-v01 at,ssh-ed25519-cert-v01 at,rsa-sha2-512-cert-v01 at,rsa-sha2-256-cert-v01 at,ssh-rsa-cert-v01 at,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss

which prefers ECDSA.

As far as fixing this, you have a couple of options:

1) Learn the other hostkeys for your destination. You can do this
   automatically using ssh -oUpdateHostKeys=yes ... (this will become
   the default once I fix a few corner-cases). This will avoid host key

2) Explicitly list the host key algorithms for this destination. I.e.
   have a "HostKeyAlgorithms ssh-ed25519" under a "Host [whatever]"
   block in your config. I don't really recommend this.

3) Restrict the set of hosts that you are adding ssh-dss for. Instead of
   doing it for "Host *", only do it for the hosts that strictly need it.
   ssh-dss is a weak algorithm and is disabled for this reason. IMO this
   is the best solution.

Hope this helps,
Damien Miller
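
Added example (not part of the original message, and not OpenSSH code): a small audit that flags the pattern discussed above, where an ssh_config block applying to every host sets HostKeyAlgorithms or enables ssh-dss. The sample configs and the host name legacy-switch.example are constructed; the parser is simplified and does not handle Match blocks or Include.

```python
import re

# Options from the quoted config that can re-enable ssh-dss.
WATCHED = {"hostkeyalgorithms", "pubkeyacceptedkeytypes"}
LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # "Keyword value" or "Keyword=value"

# Constructed samples: the quoted config, and a scoped variant (hypothetical host name).
WEAK = """Host *
    AddressFamily inet
    PubkeyAcceptedKeyTypes +ssh-dss
    HostKeyAlgorithms +ssh-dss
"""
FIXED = """Host legacy-switch.example
    PubkeyAcceptedKeyTypes +ssh-dss
    HostKeyAlgorithms +ssh-dss
Host *
    AddressFamily inet
"""

def parse_blocks(text):
    """Return [(host_patterns, {keyword: value})]; lines before any Host are global."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1).startswith("#"):
            continue  # blank line, comment, or keyword without a value
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(keyword, value)  # first value in a block wins
    return blocks

def enables_dss(value):
    """True if the list turns ssh-dss on (plain, '+' or '^' form); '-' removes instead."""
    return not value.startswith("-") and "ssh-dss" in value.lstrip("+^").split(",")

def audit(text):
    """List findings for blocks that apply to every host."""
    findings = []
    for patterns, opts in parse_blocks(text):
        if "*" not in patterns:
            continue  # host-specific blocks are the scoped form the reply recommends
        if "hostkeyalgorithms" in opts:
            findings.append("HostKeyAlgorithms set for all hosts: known_hosts ordering skipped")
        for kw in sorted(WATCHED & opts.keys()):
            if enables_dss(opts[kw]):
                findings.append(f"{kw} enables ssh-dss for all hosts")
    return findings
```

audit(WEAK) reports three findings for the quoted "Host *" block, while audit(FIXED), which moves the ssh-dss lines under a single named host as in option 3, reports none.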
