ssh-client should always revoke ssh-dss keys not only when coming from the agent

Hi!

When calling ssh-add on a DSA key I'm asked for the passphrase, and the key is perfectly accepted and listed by ssh-agent. A DSA key is also used by ssh-client when found in the home directory and the passphrase entered is correct. But a DSA key offered to ssh-client by ssh-agent is skipped as long as ssh-dss is not listed in PubkeyAcceptedKeyTypes.

debug1: Skipping ssh-dss key /home/XXXX/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/XXXX/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: Trying private key: /home/XXX/.ssh/id_dsa
Enter passphrase for key '/home/XXX/.ssh/id_dsa':
debug1: Authentication succeeded (publickey).

This results in strange behavior for users. You are asked for your passphrase by the agent and again by ssh-client, and nobody tells you that you should not use a DSA key anymore.
Shouldn't the ssh client also reject DSA keys found in the home directory as long as ssh-dss is not listed in PubkeyAcceptedKeyTypes, or reject them when trying to add keys to ssh-agent?

Regards,
Philipp Neuser


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
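
A check for the inconsistency described in this message, as an added example that is not part of the original post or of OpenSSH: it scans `ssh -v` output for a key that is skipped because its type is not in PubkeyAcceptedKeyTypes and is then tried from its file anyway. The sample log is constructed from the lines quoted above (with a placeholder user name), and the function name is hypothetical.

```python
import re

# Constructed sample modelled on the `ssh -v` output quoted in the post;
# the user name in the paths is a placeholder.
SAMPLE_DEBUG = """\
debug1: Skipping ssh-dss key /home/user/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: Trying private key: /home/user/.ssh/id_dsa
debug1: Authentication succeeded (publickey).
"""

# Message formats as they appear in the quoted log (paths without spaces).
SKIP_RE = re.compile(
    r"^debug1: Skipping (\S+) key (\S+) - not in PubkeyAcceptedKeyTypes")
TRY_RE = re.compile(r"^debug1: Trying private key: (\S+)")


def find_skipped_then_tried(debug_text):
    """Return [(key_type, path)] for keys that the client skipped by
    policy but later tried again as a private key file."""
    skipped = {}    # path -> key type named in the "Skipping" line
    findings = []
    for line in debug_text.splitlines():
        line = line.strip()
        m = SKIP_RE.match(line)
        if m:
            skipped[m.group(2)] = m.group(1)
            continue
        m = TRY_RE.match(line)
        if m and m.group(1) in skipped:
            findings.append((skipped[m.group(1)], m.group(1)))
    return findings


if __name__ == "__main__":
    for key_type, path in find_skipped_then_tried(SAMPLE_DEBUG):
        print(f"{path}: {key_type} skipped by policy, then tried from file")
```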


