[Bug 747] host authentication requires RSA1 keys

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Oct 23 06:36:36 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=747

------- Additional Comments From gbburkhardt at aaahawk.com  2003-10-23 06:36 -------
I realize now that the source of my confusion was that the default for ssh on
one machine was protocol 1, and on the other, protocol 2.  So the bit in the ssh
man page that says:

"If the server machine does not have the client's host key in
 /etc/ssh/ssh_known_hosts, it can be stored in $HOME/.ssh/known_hosts.
 The easiest way to do this is to connect back to the client from the
 server machine using ssh; this will automatically add the host key to
 $HOME/.ssh/known_hosts."

didn't work.

I believe that the documentation could be improved by adding something like 
this to the ssh man page, where the /etc/ssh/ssh_known_hosts file is discussed:

    /usr/local/etc/ssh_known_hosts

        Systemwide list of known host keys.  This file should be prepared
        by the system administrator to contain the public host keys of
        all machines in the organization.  This file should be
        world-readable.  This file contains public keys, one per line, in
        the following format (fields separated by spaces): system name,
        public key and optional comment field.  When different names are
        used for the same machine, all such names should be listed,
        separated by commas.  The format is described on the sshd(8)
        manual page.

        If the system wide ssh_known_hosts file is to be used for protocol 1
        Rhosts RSA Authentication, there must be an entry with an RSA1 key
        and the IP address of the machine as a system name.  For use with
        protocol 2 host based authentication, the entry must have an RSA key
        and the IP address as a system name.  'ssh-keyscan' can be used to
        obtain the key from the host with the appropriate type, e.g.,

          ssh-keyscan -t rsa1 ip-address >> /usr/local/etc/ssh_known_hosts

I haven't been able to find anywhere in the documentation that it's required
that the IP address of the machine be listed as a system name.  

There is a short reference in the sshd_config man page to which key is used by
which protocol, and others in the ssh-keygen/ssh-keyscan utilities, but it
can't hurt to note that in the ssh_known_hosts files, separate keys are
required if the server is to handle both protocols.

Thanks.
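As an added example that is not part of this bug report or of OpenSSH, a POSIX shell check for the situation described above: whether a ssh_known_hosts file carries both an RSA1 entry and an ssh-rsa entry that name the peer's IP address among their system names, so a server handling both protocols has what host-based authentication needs. The file path, function names and sample entries are constructed.

```shell
# Check a known_hosts-format file for the entries the comment above says
# host-based authentication needs from a peer: a protocol-1 RSA1 line and a
# protocol-2 ssh-rsa line, each listing the peer's IP address among its
# comma-separated system names. (Hashed "|1|..." names from later OpenSSH
# releases are not matched by this plain comparison.)
# Usage: known_hosts_has_entry FILE IP TYPE    (TYPE is rsa1 or rsa)
known_hosts_has_entry() {
    file=$1 ip=$2 type=$3
    awk -v ip="$ip" -v type="$type" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank and comment lines
        {
            # RSA1 line: "names bits exponent modulus"; protocol-2 line: "names keytype key"
            is_rsa1 = ($2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/)
            if (type == "rsa1" && !is_rsa1) next
            if (type == "rsa" && $2 != "ssh-rsa") next
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == ip) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$file"
}

# Print which protocols a peer can use for host-based auth, e.g. "rsa1=no rsa=yes",
# and return 0 only when both entry types are present.
hostbased_status() {
    file=$1 ip=$2 rc=0 out=""
    for t in rsa1 rsa; do
        if known_hosts_has_entry "$file" "$ip" "$t"; then
            out="$out$t=yes "
        else
            out="$out$t=no "; rc=1
        fi
    done
    echo "${out% }"
    return $rc
}

# Constructed sample file with fake, shortened keys (illustration only).
SAMPLE=${TMPDIR:-/tmp}/ssh_known_hosts.sample
cat > "$SAMPLE" <<'EOF'
# protocol 2 entry listing both the hostname and the IP address
client.example.org,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCexample
# protocol 1 entry with the hostname only: Rhosts RSA auth from 192.0.2.10 fails
client.example.org 1024 35 1234567890123456789
# another client keyed by IP, but with a protocol 1 entry only
203.0.113.5 1024 35 9876543210987654321
EOF
hostbased_status "$SAMPLE" 192.0.2.10 || :   # rsa1=no rsa=yes
hostbased_status "$SAMPLE" 203.0.113.5 || :  # rsa1=yes rsa=no
```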
