Date: Mon, 24 Feb 2003 11:32:48 +0000
From: Matthew Seaman
To: freebsd-questions@FreeBSD.ORG
Subject: Re: Changes in sshd?
Message-ID: <20030224113248.GB22678@happy-idiot-talk.infracaninophi>

On Sun, Feb 23, 2003 at 07:23:57PM -0500, John Straiton wrote:
> Greets,
> I have many times set up the authorized_keys so that remote
> ssh/scp/rsync clients can connect between machines without a password.
> However, in attempting to do this again using a 5.0-RELEASE machine
> trying to connect to a 4.7 machine, I'm getting nothing but:
>
> %ssh 192.168.0.23
> Host key verification failed.
>
> This was all working last week, then I reinstalled my 4.X machine to
> this 5.0 and went through the routine to recreate an identity.pub and
> copy it to the remote machine. Now it just won't work.

My guess is that when you did your re-install you didn't back up and
restore the host keys for your machine. That means that all of the
accounts on systems you've been connecting to will have the old host
keys in the ${HOME}/.ssh/known_hosts files. That leads the ssh
servers on those machines to believe that your newly installed 5.0
server is actually some sort of impostor, hence they refuse access.

The fix is easy, if tedious: edit all of the known_hosts files and
delete the lines referencing that particular server, either by name or
by IP number. The known_hosts data will be rebuilt as people connect
to and fro during their normal usage, although it may cause automated
jobs to fail until you can pre-load the known_hosts with the right
stuff. See ssh-keyscan(1) for a way of doing that.

> I noticed that ssh-keygen worked slightly differently in 5.0 ..Did
> something change with its default behavior that I need to take into
> account in order to talk to a 4.7 machine?

Yes --- that's due to the import of OpenSSH 3.x into the tree, which
supports the SSHv2 protocol and some new key types. I notice above
that you're talking about 'identity.pub' which indicates you're
probably using the old RSA1 key type and hence the SSHv1 protocol. If
you can, you would be well advised to switch to SSHv2 which is rather
more secure, and supported pretty much everywhere now. It seems that
the best key type to use is RSA which implies default key file names
of 'id_rsa' and 'id_rsa.pub'.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
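
The known_hosts clean-up described in the message above, as an added example that is not part of the original mail: a filter that deletes the lines referencing a reinstalled server by exact name or IP, while leaving marker lines and hashed entries untouched. The function names, host names, addresses and key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example; host names, addresses and key blobs are constructed samples.

# prune_known_hosts FILE HOST [HOST...]
# Print FILE without the entries that reference any HOST by name or IP.
prune_known_hosts() {
    kh_file=$1; shift
    awk -v targets="$*" '
    BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) drop[t[i]] = 1 }
    /^[ \t]*(#|$)/ { print; next }           # comments and blank lines
    $1 ~ /^@/      { print; next }           # leave @revoked/@cert-authority alone
    substr($1, 1, 3) == "|1|" {              # hashed host name: cannot compare
        hashed++; print; next
    }
    {
        m = split($1, h, ",")                # host field is a comma-separated list
        for (i = 1; i <= m; i++) {
            name = h[i]
            sub(/^\[/, "", name)             # "[host]:port" -> "host"
            sub(/\](:[0-9]+)?$/, "", name)
            if (name in drop) next           # exact match only, never substring
        }
        print
    }
    END { if (hashed) print hashed " hashed entries not checked" > "/dev/stderr" }
    ' "$kh_file"
}

sample_known_hosts() {
    cat <<'EOF'
# constructed sample entries; key blobs are placeholders, not real keys
newbox.example.org,192.0.2.10 ssh-rsa AAAAB3placeholder1
192.0.2.10 ssh-dss AAAAB3placeholder2
oldbox.example.org,192.0.2.11 ssh-rsa AAAAB3placeholder3
alias.example.org,newbox.example.org ssh-rsa AAAAB3placeholder4
[newbox.example.org]:2222 ssh-rsa AAAAB3placeholder5
@revoked newbox.example.org ssh-rsa AAAAB3placeholder6
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3placeholder7
EOF
}

# Demo: print the sample file with the entries for the reinstalled host removed.
demo=$(mktemp)
sample_known_hosts > "$demo"
prune_known_hosts "$demo" newbox.example.org 192.0.2.10
rm -f "$demo"
# To pre-load the new key afterwards: ssh-keyscan -t rsa HOST >> known_hosts,
# then compare its fingerprint with one read on the server console.
```

Current OpenSSH releases also provide ssh-keygen -R hostname for this removal.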