ssh-client should always revoke ssh-dss keys not only when coming from the agent
Neuser, Philipp
Philipp.Neuser at fu-berlin.de
Wed Mar 15 07:45:18 AEDT 2017
Hi!
when calling ssh-add on a dsa key i'm asked for passphrase and the key is perfectly accepted and listed by ssh-agent. A dsa key is also used by ssh-client when found in home directory and passphrase entered is correct. But a dsa key offered to ssh-client by ssh-agent is skipped as long as ssh-dss is not listed in PubkeyAcceptedKeyTypes.
debug1: Skipping ssh-dss key /home/XXXX/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/XXXX/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: Trying private key: /home/XXX/.ssh/id_dsa
Enter passphrase for key '/home/XXX/.ssh/id_dsa':
debug1: Authentication succeeded (publickey).
This results in a strange behavior to users. You are asked for your passphrase by agent and again by ssh-client and nobody tells you that you should not use a dsa key anymore.
Shouldn't ssh client also reject dsa keys found in home as long as ssh-dss is not listed in PubkeyAccpetedKeyTypes or reject when trying to add keys to ssh-agent?
Regards,
Philipp Neuser
More information about the openssh-unix-dev
mailing list