Date:      Tue, 1 Dec 2009 03:35:47 -0800
From:      Jeremy Chadwick <freebsd@jdc.parodius.com>
To:        freebsd-stable@freebsd.org
Subject:   Re: SSH oddness with 8.0-STABLE
Message-ID:  <20091201113547.GA26501@icarus.home.lan>
In-Reply-To: <20091201105704.GA93677@osiris.chen.org.nz>
References:  <20091201105704.GA93677@osiris.chen.org.nz>

On Tue, Dec 01, 2009 at 11:57:04PM +1300, Jonathan Chen wrote:
> I recently upgraded from 7.2-STABLE to 8.0-STABLE, and I'm
> encountering key-conflict warnings whenever I attempt to ssh to a
> host that I've previously ssh'd into. e.g.:
> 
>     WARNING: DSA key found for host xx.yy.zz
>     in /home/jonc/.ssh/known_hosts:5
>     DSA key fingerprint 5e:cf:fe:9d:c2:1d:6c:77:81:e5:73:ce:cd:bb:55:dc.
> 
>     The authenticity of host 'xx.yy.zz (nnn.nn.nn.nn)' can't be established
>     but keys of different type are already known for this host.
>     RSA key fingerprint is
>     ce:5b:eb:d3:10:ef:a7:c1:8d:86:06:6e:c6:14:d1:6f.
>     Are you sure you want to continue connecting (yes/no)? ^C
> 
> After a flurry of panic, where I had to determine whether I had been
> subjected to a man-in-the-middle attack, I verified that this warning
> appears for all the hosts in my known_hosts file.
> 
> Is anyone else seeing this? Is this a known issue?

Can you clarify which system you upgraded to 8.0-STABLE on, the client
(where you'd be SSH'ing from) or the server (where you'd be SSH'ing to)?

Usually the error you're seeing is an indication that either the client or
server changed from DSA to RSA, or vice-versa.  I don't see anything in
/etc/ssh/ssh_config or /etc/ssh/sshd_config between 7.2-STABLE and
8.0-STABLE which would indicate this changed.

If the 8.0 upgrade was done on the server: if you upgraded the OS
in-place (vs. a full reinstall), did you use mergemaster and
accidentally nuke something you previously had in place?  I would look
in /etc/ssh using ls -lU to look for any new files which were added
(such as new keys being generated), or just ls -l and look for
modification times.

If the 8.0 upgrade was done on the server: if you did a full reinstall
(thus newfs/format), you probably lost the keys generated in /etc/ssh
and therefore "/etc/rc.d/sshd start" created them when first enabled and
run.

I'll note that 7.2-STABLE uses OpenSSH 5.1p1, while 8.0-STABLE uses
OpenSSH 5.2p1.  The default cipher changed but I'm pretty sure that
wouldn't cause what you're seeing.

http://www.openssh.com/txt/release-5.2

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
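
Added example, not part of either poster's message: a small shell check that tells the case in this thread (a host already in known_hosts under one key type now offering a different type) apart from a changed key of the same type. The function names `write_sample` and `classify_offer` and all key blobs are constructed for illustration; only plain host-name entries are handled, not hashed, wildcard or `@`-marker lines.

```shell
#!/bin/sh
# Added example, not from the thread. Host names and key blobs are constructed.

# write_sample FILE: create a small known_hosts file to run against.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample known_hosts
xx.yy.zz,192.0.2.10 ssh-dss AAAAB3NzaC1kc3MAAACBAconstructedDSAkey
other.example ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedRSAkey
EOF
}

# classify_offer FILE HOST TYPE KEY: compare the key a server offers
# with what FILE already records for HOST. Prints one of:
#   match     same type and same key already recorded
#   changed   same type recorded with a different key (investigate)
#   new-type  host known only under other key types (the warning above)
#   unknown   no plain-text entry for this host
classify_offer() {
    awk -v host="$2" -v type="$3" -v key="$4" '
        /^[ \t]*(#|$)/          { next }  # comments and blank lines
        $1 ~ /^@/               { next }  # @cert-authority/@revoked: not handled
        index($1, "|1|") == 1   { next }  # hashed names: use ssh-keygen -F
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                if (names[i] != host) continue
                if ($2 == type && $3 == key) exact = 1
                else if ($2 == type)         sametype = 1
                else                         othertype = 1
            }
        }
        END {
            if (exact)          print "match"
            else if (sametype)  print "changed"
            else if (othertype) print "new-type"
            else                print "unknown"
        }' "$1"
}

sample=$(mktemp)
write_sample "$sample"
classify_offer "$sample" xx.yy.zz ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAofferedRSA
classify_offer "$sample" xx.yy.zz ssh-dss AAAAB3NzaC1kc3MAAACBAdifferentDSA
classify_offer "$sample" xx.yy.zz ssh-dss AAAAB3NzaC1kc3MAAACBAconstructedDSAkey
rm -f "$sample"
```

A `new-type` result still calls for checking the offered fingerprint against the server's own host key file out of band before accepting it.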