ssh-ed25519 and ecdsa-sha2-nistp256 host keys
Damien Miller
djm at mindrot.org
Thu Sep 17 07:53:57 AEST 2020
On Wed, 16 Sep 2020, Ryan Mulligan wrote:
> Here you go:
[snip]
> The relevant part of my /etc/ssh/ssh_config is:
>
> Host *
> AddressFamily inet
> PubkeyAcceptedKeyTypes +ssh-dss
> HostKeyAlgorithms +ssh-dss
This is why you are seeing the hostkey warnings.
When HostKeyAlgorithms is left at the default, then ssh will consider the
public keys you have listed in UserKnownHostsFile and SystemKnownHostsFile
when constructing the KEXINIT host key algorithm proposal.
This is done so that, when the client and server agree on their host key
algorithms, the selected algorithm is likely to be once that the client
already has a recorded key for. Practically, it would look like this in
your debug output:
> debug3: hostkeys_foreach: reading file "/home/djm/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/djm/.ssh/known_hosts:207
debug3: load_hostkeys: loaded 1 keys from test
debug3: hostkeys_foreach: reading file "/etc/ssh/ssh_known_hosts"
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01 at openssh.com,rsa-sha2-256-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Here, ssh found a RSA key in ~/.ssh/known_hosts and ordered the host key
algorithms to prefer it. This ordering step is only performed when the
user has not specified their own HostKeyAlgorithms. Your config does, so
you get the default set, with ssh-dss appended.
> debug2: local client KEXINIT proposal
> debug2: KEX algorithms:
> curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
> debug2: host key algorithms:
> ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519-cert-v01 at openssh.com,rsa-sha2-512-cert-v01 at openssh.com,rsa-sha2-256-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
which prefers ECDSA.
As far as fixing this, you a couple of options:
1) Learn the other hostkeys for your destination. You can do this
automatically using ssh -oUpdateHostKeys=yes ... (this will become
the default once I fix a few corner-cases). This will avoid host key
warnings.
2) Explicitly list the host key algorithms for this destination. I.e.
have a "HostKeyAlgorithms ssh-ed25519" under a "Host [whatever]"
block in your config. I don't really recommend this.
3) Restrict the set of hosts that you are adding ssh-dss for. Instead of
doing it for "Host *", only do it for the hosts that strictly need it.
ssh-dss is a weak algorithm and is disabled for this reason. IMO this
is the best solution.
Hope this helps,
Damien Miller
More information about the openssh-unix-dev
mailing list