Bug#626864: openssh-client: false claims of "something nasty" when using -o HostKeyAlgorithms
Package: openssh-client
Version: 1:5.8p1-4
Severity: normal

In the below transcript I think that I should not have seen a "something nasty"
warning, a message about the authenticity can't be established would be more
appropriate.  If the server had refused ECDSA then it would be a different
situation (could be a MITM attack), but when I specifically request a different
algorithm it shouldn't give me a warning about that.

root@unstable:~/.ssh# rm known_hosts 
root@unstable:~/.ssh# ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is ca:8d:82:e1:b8:37:f1:48:f6:70:6b:0f:0f:32:59:62.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
root@localhost's password: 

root@unstable:~/.ssh# ssh -o HostKeyAlgorithms=ssh-rsa localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
38:4e:96:90:9b:fe:1a:b2:b2:11:c3:a4:50:cf:f9:6d.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:1
RSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-xen-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser              3.112+nmu2          add and remove users and groups
ii  debconf [debconf-2.0 1.5.39              Debian configuration management sy
ii  dpkg                 1.16.0.3            Debian package management system
ii  libc6                2.13-4              Embedded GNU C Library: Shared lib
ii  libedit2             2.11-20080614-2     BSD editline and history libraries
ii  libgssapi-krb5-2     1.9+dfsg-1+b1       MIT Kerberos runtime libraries - k
ii  libselinux1          2.0.98-1+b1         SELinux runtime shared libraries
ii  libssl1.0.0          1.0.0d-2            SSL shared libraries
ii  passwd               1:4.1.4.2+svn3283-3 change and administer password and
ii  zlib1g               1:1.2.3.4.dfsg-3    compression library - runtime

Versions of packages openssh-client recommends:
ii  openssh-blacklist             0.4.1      list of default blacklisted OpenSS
pn  openssh-blacklist-extra       <none>     (no description available)
pn  xauth                         <none>     (no description available)

Versions of packages openssh-client suggests:
pn  keychain                      <none>     (no description available)
pn  libpam-ssh                    <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)

-- Configuration Files:
/etc/ssh/ssh_config changed [not included]

-- no debconf information
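The transcript above comes down to how the client looks up a host in known_hosts when the offered key type differs from the one on record. The following model, written for this page and not taken from OpenSSH's hostfile.c, reproduces both outcomes: comparing against every recorded key for the host yields "CHANGED" (the warning in the transcript), while restricting the comparison to keys of the offered type yields "NEW" (the prompt the reporter expected). The known_hosts contents and key blobs are constructed placeholders; the function names are the example's own.

```python
# Model of the known_hosts lookup behind the transcript in Bug#626864.
# Example code written for this page, not OpenSSH's own hostfile.c.
import base64
import hashlib
import hmac

# Constructed data: the single ECDSA entry left by the first "ssh localhost" in
# the transcript, and the key offered under -o HostKeyAlgorithms=ssh-rsa.
# Key blobs are placeholders and are never decoded.
KNOWN_HOSTS = "localhost ecdsa-sha2-nistp256 ECDSA_BLOB_PLACEHOLDER\n"
OFFERED_RSA = ("ssh-rsa", "RSA_BLOB_PLACEHOLDER")

def parse_known_hosts(text: str) -> list:
    """Return (hostnames, keytype, blob) per entry; skip blanks, comments, @markers."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@":
            continue
        hosts, ktype, blob = line.split()[:3]
        entries.append((hosts.split(","), ktype, blob))
    return entries

def host_matches(pattern: str, host: str) -> bool:
    """Plain or HashKnownHosts-style (|1|salt|hmac-sha1) hostname comparison."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(mac_b64))
    return pattern == host

def check_host_key(known_hosts: str, host: str, offered: tuple, per_type: bool) -> str:
    """Classify the offered (type, blob) as NEW, OK or CHANGED. per_type=False
    compares every key recorded for the host, so a different key type reads as a
    changed key (the 5.8 transcript); per_type=True only considers same-type entries."""
    result = "NEW"
    for hosts, ktype, blob in parse_known_hosts(known_hosts):
        if not any(host_matches(p, host) for p in hosts):
            continue
        if per_type and ktype != offered[0]:
            continue
        if (ktype, blob) == offered:
            return "OK"
        result = "CHANGED"
    return result

if __name__ == "__main__":
    print(check_host_key(KNOWN_HOSTS, "localhost", OFFERED_RSA, per_type=False))
    print(check_host_key(KNOWN_HOSTS, "localhost", OFFERED_RSA, per_type=True))
```

Run stand-alone it prints CHANGED then NEW for the reporter's scenario; a genuine key change (same host, same type, different blob) is CHANGED under both modes, which is the case the big warning exists for.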
