Compatibility issue: OpenSSH v2.3.0p1 vs. 3.0.2: RSA keys

Gert Doering gert at
Wed Mar 6 21:50:59 EST 2002


On Wed, Mar 06, 2002 at 10:13:15AM +0100, Ulrich Windl wrote:
> > > Password login worked fine, but a password for an existing and 
> > > configured RSA1 key was never asked, the key never tried. It always 
> > > fell back to plain password authentication.
> > > 
> > > After fiddling with the client configuration without success, I found 
> > > out that using "ssh -1" made the client succeed.
> > 
> > RSA1 keys won't be used on "-2" connections, they're protocol 1 only.
> > 
> > So without "-1" you effectively do not *have* a key, and thus ssh won't
> > ask you for a password.
> However if you disable plain password in the client's configuration, no 
> connection can be made using the auto-negotiated protocol, while the v1 
> protocol would work just fine.

That's the way it is.  V2 is the default now (documented in the release
notes to 2.9, if I remember correctly), and it won't use V1 keys.

> The problem seems to be that OpenSSH uses version numbers to decide 
> about features, while an explicit feature list would be the way to go.
> OpenSSH will never know all the implementations of the SSH protocol.

I can't follow you here.  The server states what protocols it can do, and
the client knows which one it prefers in case there are multiple options.

If you want to stay with protocol 1 for servers that support it, put

"protocol 1,2"

into your ssh_config file.  Then ssh will default to "-1" and fall back to
"-2" for servers that don't support ssh protocol 1 (and of course your
key won't work then, no matter how much you complain - protocol 1 keys
*do not work* with protocol 2).

USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             gert at
fax: +49-89-35655025                        gert.doering at

More information about the openssh-unix-dev mailing list