As discussed with an OpenBSD developer, it would be interesting if we could tell people to fix ~/.ssh/known_hosts to use ECDSA instead of RSA keys where possible, as it's the current default (since 5.7 if I am not wrong) and is faster. Currently, I have simply removed my ~/.ssh/known_hosts to use new keys on servers supporting them. Thanks a lot :-)

Reproducible: Always
I would prefer not to simply tell users to remove the known_hosts... there is a reason why it's there and why the keys are not updated by default.
We can add an elog about updating their known_hosts, but that's about it. One problem with ECDSA though is that it is disabled in openssl for bindists due to patent issues, so those servers/clients won't have it.
I am fine with that solution, thanks
(In reply to comment #2)
> we can add an elog about updating their known_hosts, but that's about it.

Maybe some pointer to ssh-keyscan(1) should be in that elog; one will find a practical example there:

+-
| Find all hosts from the file ssh_hosts which have
| new or different keys from those in the sorted file ssh_known_hosts:
|
| $ ssh-keyscan -t x509v3-sign-rsa,x509v3-sign-dss,rsa,dsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 -f ssh_hosts | \
|   sort -u - ssh_known_hosts | diff ssh_known_hosts -
+-
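The ssh-keyscan(1) diff above, carried one step further as an added example that is not part of this bug thread: instead of diffing whole files, it classifies each key the scan returns against the existing known_hosts entries, so a host that merely gained an ECDSA key (MISSING) is told apart from a host whose trusted RSA key no longer matches (CHANGED), which is the case the known_hosts warning exists to catch. It assumes unhashed hostnames, one host per line, and keyscan output saved to a file; the hosts and key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the bug thread. Compares a known_hosts file with
# the output of `ssh-keyscan -t rsa,ecdsa` captured for the same hosts, and
# flags, per scanned key, whether it already matches, is MISSING (new key
# type, e.g. ECDSA not yet trusted) or CHANGED (trusted key differs).
# Assumes plain, unhashed hostnames and one hostname per known_hosts line.

# Constructed sample data; hostnames and key blobs are fake placeholders.
KNOWN_HOSTS=$(mktemp)
SCAN=$(mktemp)
trap 'rm -f "$KNOWN_HOSTS" "$SCAN"' EXIT
cat >"$KNOWN_HOSTS" <<'EOF'
alpha.example ssh-rsa AAAAB3RSA-ALPHA
bravo.example ssh-rsa AAAAB3RSA-BRAVO
bravo.example ecdsa-sha2-nistp256 AAAAE2ECDSA-BRAVO
charlie.example ssh-rsa AAAAB3RSA-CHARLIE-OLD
EOF
cat >"$SCAN" <<'EOF'
# alpha.example:22 SSH-2.0-OpenSSH_5.8
alpha.example ssh-rsa AAAAB3RSA-ALPHA
alpha.example ecdsa-sha2-nistp256 AAAAE2ECDSA-ALPHA
bravo.example ssh-rsa AAAAB3RSA-BRAVO
bravo.example ecdsa-sha2-nistp256 AAAAE2ECDSA-BRAVO
charlie.example ssh-rsa AAAAB3RSA-CHARLIE-NEW
charlie.example ecdsa-sha2-nistp256 AAAAE2ECDSA-CHARLIE
EOF

# classify_keys KNOWN_HOSTS KEYSCAN_OUTPUT
# Prints "<host> <keytype> <MATCH|MISSING|CHANGED>" for every scanned key.
# MISSING entries can be appended once verified out of band; CHANGED ones
# mean the trusted key differs from what the host now presents, so stop and
# verify before touching known_hosts.
classify_keys() {
  awk '
    NR == FNR { known[$1 " " $2] = $3; next }   # first file: known_hosts
    /^#/ || NF < 3 { next }                     # skip keyscan comment lines
    {
      k = $1 " " $2
      if (!(k in known))       status = "MISSING"
      else if (known[k] == $3) status = "MATCH"
      else                     status = "CHANGED"
      print $1, $2, status
    }' "$1" "$2"
}

classify_keys "$KNOWN_HOSTS" "$SCAN"
```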
http://sources.gentoo.org/net-misc/openssh/openssh-5.8_p1-r1.ebuild?r1=1.4&r2=1.5
Thanks!