Bug#626864: openssh-client: false claims of "something nasty" when using -o HostKeyAlgorithms
Package: openssh-client
Version: 1:5.8p1-4
Severity: normal
In the below transcript I think that I should not have seen a "something nasty" warning; a message that the authenticity can't be established would be more appropriate. If the server had refused ECDSA then it would be a different situation (could be a MITM attack), but when I specifically request a different algorithm it shouldn't give me a warning about that.
root@unstable:~/.ssh# rm known_hosts
root@unstable:~/.ssh# ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is ca:8d:82:e1:b8:37:f1:48:f6:70:6b:0f:0f:32:59:62.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
root@localhost's password:
root@unstable:~/.ssh# ssh -o HostKeyAlgorithms=ssh-rsa localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
38:4e:96:90:9b:fe:1a:b2:b2:11:c3:a4:50:cf:f9:6d.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:1
RSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-xen-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssh-client depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii debconf [debconf-2.0] 1.5.39 Debian configuration management sy
ii dpkg 1.16.0.3 Debian package management system
ii libc6 2.13-4 Embedded GNU C Library: Shared lib
ii libedit2 2.11-20080614-2 BSD editline and history libraries
ii libgssapi-krb5-2 1.9+dfsg-1+b1 MIT Kerberos runtime libraries - k
ii libselinux1 2.0.98-1+b1 SELinux runtime shared libraries
ii libssl1.0.0 1.0.0d-2 SSL shared libraries
ii passwd 1:4.1.4.2+svn3283-3 change and administer password and
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages openssh-client recommends:
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
pn openssh-blacklist-extra <none> (no description available)
pn xauth <none> (no description available)
Versions of packages openssh-client suggests:
pn keychain <none> (no description available)
pn libpam-ssh <none> (no description available)
pn ssh-askpass <none> (no description available)
-- Configuration Files:
/etc/ssh/ssh_config changed [not included]
-- no debconf information
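The transcript above comes down to how the client looks up known_hosts: if every key recorded for the host is compared against the key the server presents, a key of a different type counts as a conflict and triggers the "REMOTE HOST IDENTIFICATION HAS CHANGED" banner; if only keys of the same type can conflict, the RSA key is simply unknown and the client should fall back to the "authenticity can't be established" prompt while noting that the host is already known under another key type. The following Python model, added here as an editor's illustration and not code from OpenSSH or from the bug reporter, implements both lookup policies side by side so the two outcomes can be compared. The known_hosts file, the key blobs and the hostnames are constructed for the example and are not real key material; the `|1|salt|hash` hashed-hostname form it parses is the real HashKnownHosts format (HMAC-SHA1 keyed with the salt), and wildcard, negation and `[host]:port` patterns are deliberately not modelled.

```python
import base64
import hashlib
import hmac
from enum import Enum


class HostStatus(Enum):
    NEW = "new"          # no key of the presented type is recorded for this host
    OK = "ok"            # a recorded key of this type matches the presented one
    CHANGED = "changed"  # a recorded key conflicts with the presented one


def hash_hostname(host: str, salt: bytes) -> str:
    """Build a hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(host_field: str, host: str) -> bool:
    """Match a host against a comma-separated host field of plain or |1| hashed names."""
    for pattern in host_field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, hash_b64 = pattern.split("|")
            salt = base64.b64decode(salt_b64)
            digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(digest, base64.b64decode(hash_b64)):
                return True
        elif pattern == host:
            return True
    return False


def parse_known_hosts(text: str):
    """Return (line number, host field, key type, key blob) for each usable line.
    Blank lines, comments and @cert-authority/@revoked marker lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        entries.append((lineno, fields[0], fields[1], fields[2]))
    return entries


def check_host_key(entries, host, keytype, blob, per_type):
    """Return (status, offending line numbers, other key types recorded for the host).

    per_type=False: every recorded key for the host is compared with the presented
    key, so a key of another type is a conflict (the outcome in the transcript).
    per_type=True: only keys of the same type can conflict; keys of other types are
    collected so the caller can report 'host known, but not with this key type'.
    An exact match returns OK immediately, as the first matching line settles it.
    """
    status = HostStatus.NEW
    offending = []
    other_types = []
    for lineno, host_field, ktype, kblob in entries:
        if not host_matches(host_field, host):
            continue
        if ktype == keytype:
            if kblob == blob:
                return HostStatus.OK, [], []
            status = HostStatus.CHANGED
            offending.append(lineno)
        elif per_type:
            other_types.append(ktype)
        else:
            status = HostStatus.CHANGED
            offending.append(lineno)
    return status, offending, other_types


# Constructed sample data: placeholder blobs, not real keys; fixed salt for reproducibility.
SALT = bytes(range(20))
ECDSA_BLOB = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTZDT05TVFJVQ1RFRA"
RSA_BLOB = "AAAAB3NzaC1yc2FDT05TVFJVQ1RFRA"
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "localhost ecdsa-sha2-nistp256 " + ECDSA_BLOB,
    hash_hostname("10.0.0.5", SALT) + " ssh-rsa " + RSA_BLOB,
])
ENTRIES = parse_known_hosts(KNOWN_HOSTS)


if __name__ == "__main__":
    # The transcript's case: ECDSA key recorded, client asks for and receives ssh-rsa.
    for per_type in (False, True):
        status, offending, others = check_host_key(ENTRIES, "localhost", "ssh-rsa", RSA_BLOB, per_type)
        print("per_type=%s: %s offending=%s other_types=%s" % (per_type, status.name, offending, others))
```

Under the per-type policy the RSA key for localhost comes back NEW with `ecdsa-sha2-nistp256` listed as an already-known type, which is the "authenticity can't be established" case the report asks for; a genuinely different ECDSA key still comes back CHANGED under both policies. The caveat a client must keep is that NEW for a known host is still a trust-on-first-use decision: an attacker who cannot present the recorded ECDSA key could steer a client into negotiating a key type it has never seen, so the prompt must still be shown rather than the new type being accepted silently, and telling the user the host is already known under another key type is what lets them judge it.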