| Summary: | host authentication requires RSA1 keys | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Glenn Burkhardt <gbburkhardt> |
| Component: | Documentation | Assignee: | OpenSSH Bugzilla mailing list <openssh-bugs> |
| Status: | CLOSED DUPLICATE | ||
| Severity: | normal | ||
| Priority: | P2 | ||
| Version: | 3.7p1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
*** This bug has been marked as a duplicate of 747 *** Mass change of RESOLVED bugs to CLOSED |
The documentation indicates that /etc/ssh/ssh_known_hosts can be built from entries in the per-user ~/.ssh/known_hosts file. However, the entry must have an RSA1 key; any other key type will not work. In the 'ssh' man page: "If the server machine does not have the client's host key in /etc/ssh/ssh_known_hosts, it can be stored in $HOME/.ssh/known_hosts. The easiest way to do this is to con- nect back to the client from the server machine using ssh; this will automatically add the host key to $HOME/.ssh/known_hosts." The key put in the user's known_hosts file is 'ssh-rsa', which will not work for host based authentication in /etc/ssh/ssh_known_hosts. In monitor.c, at about line 962 the type of the key passed to key_read() is fixed: case MM_RSAHOSTKEY: key->type = KEY_RSA1; /* XXX */ allowed = options.rhosts_rsa_authentication && auth_rhosts_rsa_key_allowed(authctxt->pw, cuser, chost, key); In addition, the host's IP address is required in the key definition in /etc/ssh/ssh_known_hosts; the symbolic host name won't work. Here's a workaround, that could be included in the documentation: Here's a workaround for the problem. Use ssh-keyscan -t rsa1 192.168.2.30 > ssh_known_hosts where the actual host's IP address should be substituted for "192.168.2.30".