Date:      Mon, 24 Feb 2003 11:32:48 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Changes in sshd?
Message-ID:  <20030224113248.GB22678@happy-idiot-talk.infracaninophi>
In-Reply-To: <000001c2db9b$08b52be0$1916c60a@win2k.clickcom.com>
References:  <000001c2db9b$08b52be0$1916c60a@win2k.clickcom.com>

On Sun, Feb 23, 2003 at 07:23:57PM -0500, John Straiton wrote:
> Greets,
> 	I have many times set up the authorized_keys so that remote
> ssh/scp/rsync clients can connect between machines without a password.
> However, in attempting to do this again using a 5.0-RELEASE machine
> trying to connect to a 4.7 machine, I'm getting nothing but:
> 
> %ssh 192.168.0.23
> Host key verification failed.
>  
> This was all working last week, then I reinstalled my 4.X machine to
> this 5.0 and went through the routine to recreate an identity.pub and
> copy it to the remote machine. Now it just won't work.

My guess is that when you did your re-install you didn't backup and
restore the host keys for your machine.  That means that all of the
accounts on systems you've been connecting to will have the old host
keys in the ${HOME}/.ssh/known_hosts files.  That leads the ssh
servers on those machines to believe that your newly installed 5.0
server is actually some sort of impostor, hence they refuse access.

The fix is easy, if tedious: edit all of the known_hosts files and
delete the lines referencing that particular server, either by name or
by IP number.  The known_hosts data will be rebuilt as people connect
to and fro during their normal usage, although it may cause automated
jobs to fail until you can pre-load the known_hosts with the right
stuff.  See ssh-keyscan(1) for a way of doing that.

> I noticed that ssh-keygen worked slightly differently in 5.0 ..Did
> something change with its default behavior that I need to take into
> account in order to talk to a 4.7 machine?

Yes --- that's due to the import of OpenSSH 3.x into the tree, which
supports the SSHv2 protocol and some new key types.  I notice above
that you're talking about 'identity.pub' which indicates you're
probably using the old RSA1 key type and hence the SSHv1 protocol.  If
you can, you would be well advised to switch to SSHv2 which is rather
more secure, and supported pretty much everywhere now.  It seems that
the best key type to use is RSA which implies default key file names
of 'id_rsa' and 'id_rsa.pub'.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
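A worked version of the known_hosts cleanup and pre-loading steps suggested in the reply above, added here as an example (it is not code from the thread, from FreeBSD or from OpenSSH). The sample known_hosts file and its key material are constructed, the host names `oldbox`, `192.168.0.23` and `other.example.org` are assumptions, and the line deletion is done with awk so that it runs offline; `preload_host` wraps `ssh-keyscan` and needs the network.

```sh
#!/bin/sh
# Added example, not from the original thread: clean stale host-key lines
# out of a known_hosts file and pre-load a fresh one, as the reply suggests.
# Host names, IPs and key material below are constructed for the demo.
set -eu

# Write a constructed known_hosts to FILE: one SSHv2 RSA line naming the
# reinstalled box by name and IP, one SSHv1 RSA1 line by IP only, and one
# unrelated host that must survive the cleanup.
make_sample() {
    cat > "$1" <<'EOF'
oldbox,192.168.0.23 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDdummykeymaterial1=
192.168.0.23 1024 35 1234567890123456789012345678901234567890
other.example.org ssh-dss AAAAB3NzaC1kc3MAAACBAdummykeymaterial2=
EOF
}

# count_host FILE HOST: print how many lines in FILE list HOST in their
# host field (first column, comma-separated; a leading @marker is skipped).
count_host() {
    awk -v h="$2" '
        /^#/ || /^$/ { next }
        { f = ($1 ~ /^@/) ? $2 : $1
          m = split(f, a, ",")
          for (i = 1; i <= m; i++) if (a[i] == h) c++ }
        END { print c + 0 }' "$1"
}

# remove_host FILE HOST...: delete every line whose host field contains
# any of the given names or IPs exactly.  Comments and blank lines are kept.
# Plain-text entries only: hashed entries (HashKnownHosts, later OpenSSH)
# cannot be matched this way and need "ssh-keygen -R host" instead.
remove_host() {
    file=$1; shift
    awk -v pats="$*" '
        BEGIN { n = split(pats, want, " ") }
        /^#/ || /^$/ { print; next }
        { f = ($1 ~ /^@/) ? $2 : $1
          keep = 1
          m = split(f, a, ",")
          for (i = 1; i <= m; i++)
              for (j = 1; j <= n; j++)
                  if (a[i] == want[j]) keep = 0
          if (keep) print }' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# preload_host FILE HOST: append the host's current SSHv2 RSA key so that
# automated jobs stop failing.  Needs the network, so the offline demo
# does not call it.  ssh-keyscan records whatever answers on port 22, so
# compare the result with "ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub"
# run on the host's own console before trusting the new line.
preload_host() {
    ssh-keyscan -t rsa "$2" >> "$1"
}

# Stand-alone demo: DEMO=1 sh thisfile.sh
if [ "${DEMO:-0}" = 1 ]; then
    kh=$(mktemp)
    make_sample "$kh"
    echo "before: $(count_host "$kh" 192.168.0.23) line(s) for 192.168.0.23"
    remove_host "$kh" oldbox 192.168.0.23
    echo "after:  $(count_host "$kh" 192.168.0.23) line(s) for 192.168.0.23"
    cat "$kh"
    rm -f "$kh"
fi
```

Run it against each user's `${HOME}/.ssh/known_hosts` on the machines the reinstalled box connects to, passing every name and address the box is known by, since a single entry can carry several comma-separated names and an entry by IP will not be caught by a match on the host name. For the second point in the reply, the SSHv2 key pair is created with `ssh-keygen -t rsa`, which writes `id_rsa` and `id_rsa.pub` by default.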
