DragonFly bugs List (threaded) for 2009-01

Re: sshd appears to be broken when both host rsa and dsa key file present


From: Vincent Stemen <vince.dragonfly@xxxxxxxxxxx>
Date: Mon, 26 Jan 2009 08:46:08 -0600

On Sun, Jan 25, 2009 at 11:21:53PM -0800, Matthew Dillon wrote:
> 
> :> Seems like the import of openssh-5.1 reverted the order of the default
> :> hostkey algorithm proposal, which has been part of FreeBSD-local
> :> preferences for many years:
> :>   diff --git a/crypto/openssh-5/myproposal.h b/crypto/openssh-5/myproposal.h
> :>   index 8bdad7b..87a9e58 100644
> :>   --- a/crypto/openssh-5/myproposal.h
> :>   +++ b/crypto/openssh-5/myproposal.h
> :>   @@ -40,7 +40,7 @@
> :> 	  "diffie-hellman-group1-sha1"
> :>    #endif
> :>    
> :>   -#define KEX_DEFAULT_PK_ALG	"ssh-dss,ssh-rsa"
> :>   +#define	KEX_DEFAULT_PK_ALG	"ssh-rsa,ssh-dss"
> :>    #define	KEX_DEFAULT_ENCRYPT \
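Review bot: the local "ssh-dss,ssh-rsa" ordering on the `-` line carries no comment explaining why it differs from upstream, which is exactly how the openssh-5.1 import was able to revert it without anyone noticing; if the order is re-applied, put a one-line comment above `#define KEX_DEFAULT_PK_ALG` stating the reason so the next import preserves it. Note also that the hunk only swaps the preference order of the two names, it does not add or remove a key type, so the failure in the subject line (sshd with both RSA and DSA host key files present) should be reproduced with both HostKey files loaded before and after the change rather than inferred from this diff alone. The `+` line also switches the space after `#define` to a tab, matching the `KEX_DEFAULT_ENCRYPT` line that follows, so a re-applied local patch should keep the tab to avoid whitespace noise.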
> :..
> :>   HostKeyAlgorithms	ssh-dsa,ssh-rsa
> :
> :This should read:
> :
> :   HostKeyAlgorithms	ssh-dss,ssh-rsa
> :
> :(-dss, not -dsa).
> :-- 
> :| Jeremy Chadwick                                jdc at parodius.com |
> 
>     That looks like a client-side solution, though, which doesn't
>     help fix the server-side defaults.
> 
>     Does changing KEX_DEFAULT_PK_ALG fix it on the server side?  If
>     so I think we may need to re-apply the local change.
> 
> 					-Matt
> 					Matthew Dillon 
> 					<dillon@backplane.com>

Would there really be any reason to change it back?  I assume they changed RSA
to be the default because the patent has expired.  Also, according to my
notes,

    RSA is preferable in most cases, since DSA is slower
    and cannot encrypt in and of itself (DSA is a signing
    algorithm only).  RSA can be used to encrypt files.
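Which host-key algorithm a session actually ends up with is decided by the SSH transport negotiation rule (RFC 4253 section 7.1): the first entry in the client's name-list that the server also offers and holds a key for. The following is an added example, not code from this thread or from OpenSSH; it simulates that rule with the two KEX_DEFAULT_PK_ALG orders from the quoted hunk and the HostKeyAlgorithms line quoted above, and the `server_keys` set is an assumption standing in for which HostKey files sshd managed to load.

```python
"""Simulate SSH_MSG_KEXINIT host-key algorithm selection (RFC 4253 section 7.1).

Added example, not part of the thread or of OpenSSH. The server lists mirror the
two forms of KEX_DEFAULT_PK_ALG in the quoted myproposal.h hunk; the client lists
mirror the quoted HostKeyAlgorithms setting.
"""
from typing import Optional

# RFC 4251 name-lists: comma-separated, no whitespace. Values taken from the thread.
SERVER_LOCAL = "ssh-dss,ssh-rsa"     # the '-' line of the hunk (FreeBSD-local order)
SERVER_UPSTREAM = "ssh-rsa,ssh-dss"  # the '+' line of the hunk (openssh-5.1 order)
CLIENT_PINNED = "ssh-dss,ssh-rsa"    # Jeremy's corrected HostKeyAlgorithms line
# Assumption: a client left at the same upstream default as the server.
CLIENT_DEFAULT = "ssh-rsa,ssh-dss"


def parse_name_list(s: str) -> list:
    """Split a name-list; reject empty names or embedded whitespace, which sshd rejects too."""
    names = s.split(",")
    if any(n == "" or n != n.strip() for n in names):
        raise ValueError("malformed name-list: %r" % s)
    return names


def choose_hostkey_alg(client: str, server: str, server_keys: set) -> Optional[str]:
    """Return the first algorithm in the CLIENT's list that the server offers and has a key for.

    The server's own ordering never decides the outcome; it only limits what is offered.
    `server_keys` models which HostKey files were actually loaded (assumption, not a real API).
    Returns None when nothing matches, i.e. the connection would fail.
    """
    offered = [a for a in parse_name_list(server) if a in server_keys]
    for alg in parse_name_list(client):
        if alg in offered:
            return alg
    return None


def negotiation_matrix(server_keys: set) -> dict:
    """Outcome for every client/server ordering combination seen in the thread."""
    result = {}
    for cname, client in (("client_pinned", CLIENT_PINNED), ("client_default", CLIENT_DEFAULT)):
        for sname, server in (("server_local", SERVER_LOCAL), ("server_upstream", SERVER_UPSTREAM)):
            result[(cname, sname)] = choose_hostkey_alg(client, server, server_keys)
    return result


if __name__ == "__main__":
    for combo, alg in negotiation_matrix({"ssh-rsa", "ssh-dss"}).items():
        print(combo, "->", alg)
```

With both host keys loaded the matrix shows the client order winning every time; with only one key loaded, the server's ordering is irrelevant and the outcome depends solely on whether that type appears anywhere in the client's list.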
