[Bug 3219] Can't connect to a server that is using several host keys of the same type

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun Oct 4 14:33:49 AEDT 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3219

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
(In reply to jatjasjem from comment #2)
> I am not sure what would be the use of multiple host keys of the same
> type if only one is offered at the same time. If the protocol doesn't
> allow retrying using a different host key, perhaps the server could
> refuse to start if given several host keys of the same type?

No, because we have a protocol extension (UpdateHostkeys) that makes
multiple host keys of the same type actually useful, e.g. gracefully
rotating keys.

> In either case, while it is possible to connect using different ECDSA
> keys, the algorithms must be specified explicitly. This seems to be
> due to the fact that given an ECDSA key `order_hostkeyalgs` in
> `sshconnect2.c` will return all ECDSA host key algorithms, including
> the ones incompatible with the key. This, in turn, seems to be due to
> the fact that OpenSSH considers the three ECDSA keys as being of the
> same type.
>
> Since you can't verify e.g. an ECDSA nistp521 signature using
> "ecdsa-sha2-nistp384", perhaps OpenSSH could view the ECDSA keys as
> different ones?

Yes, I'll fix that.

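A simplified model of the algorithm-ordering behaviour described in this thread, added here as an example (it is not OpenSSH's code): the collapsed ECDSA key type the report describes, next to a curve-aware one. The known_hosts lines and the algorithm list are constructed; the host name and key blobs are placeholders.

```python
# Added model (not OpenSSH code) of the ordering this thread discusses:
# like order_hostkeyalgs() in sshconnect2.c, move host key algorithms that
# match keys already in known_hosts to the front. key_type_coarse mimics
# the reported behaviour (all ECDSA curves are one type); key_type_fine
# keeps each curve distinct.

# Constructed known_hosts content; the key blobs are placeholders.
KNOWN_HOSTS = """\
example.net ecdsa-sha2-nistp521 AAAA-constructed-nistp521-blob
example.net ssh-ed25519 AAAA-constructed-ed25519-blob
"""

# Constructed algorithm list; not OpenSSH's default order.
DEFAULT_ALGS = [
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa",
]

RSA_ALGS = ("ssh-rsa", "rsa-sha2-256", "rsa-sha2-512")


def key_type_coarse(alg):
    """Reported behaviour: every ECDSA curve maps to the same type."""
    if alg.startswith("ecdsa-sha2-nistp"):
        return "ecdsa"
    return "rsa" if alg in RSA_ALGS else alg


def key_type_fine(alg):
    """Curve-aware: a nistp521 key matches only ecdsa-sha2-nistp521.
    RSA stays one type: its three names are signature schemes over
    the same key, so the key in known_hosts fits all of them."""
    return "rsa" if alg in RSA_ALGS else alg


def known_key_types(host, known_hosts, type_of):
    """Key types recorded for `host` in known_hosts text (non-hashed)."""
    types = set()
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and host in fields[0].split(","):
            types.add(type_of(fields[1]))
    return types


def order_hostkeyalgs(host, known_hosts, type_of, algs=DEFAULT_ALGS):
    """Return algs with those matching a known key for host first."""
    known = known_key_types(host, known_hosts, type_of)
    preferred = [a for a in algs if type_of(a) in known]
    return preferred + [a for a in algs if type_of(a) not in known]
```

With the collapsed type, a client that knows only the nistp521 key still advertises nistp256 and nistp384 ahead of it, so a server holding several ECDSA keys may answer with one the client cannot match against known_hosts; the curve-aware version puts the known curve first.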