mhw at wittsend
Nov 15, 1999, 8:23 AM
Never mind... Solved the problem myself...
Re: Upgrading from ssh to openssh (1.2pre12)... Solved...
On Mon, Nov 15, 1999 at 10:55:30AM -0500, Michael H. Warfield wrote:
> Hello all,
> I've just tried my first attempt at migrating from ssh (1.2.27)
> to openssh. I got 1.2pre12 to compile and install from the source RPM's.
> Just ran into one royal pain of a problem. Sshd won't start! It doesn't
> seem to like my old host keys.
> I get the following error in syslog:
> Nov 15 10:45:38 alcove sshd: fatal: cipher_set_key: unknown cipher: 1
Problem was that the host key was encrypted with idea (old method)
and idea isn't supported at this time in openssh.
> Now... What's wrong and how do I fix it? The logistics of blowing
> away everybody's ssh_known_hosts files for hosts and individuals makes
> regening keys impractical. Potentially, the number of hosts which would
> end up with new host keys are several dozen. The number of individuals
> who would have the subsequent "host keys has changed" error inflicted
> upon them could be several hundred.
The key in question was pre 1.2.8 (yes, I've worked with ssh
back that far - that's why you find me listed in the README.Ylonen
file in "ACKNOWLEDGEMENTS"). I just had to run the OLD ssh-keygen
with the -u option to update the key from idea encryption to 3des
encryption. Fortunately, the old ssh-keygen program was still sitting
in /usr/local/bin and hadn't been clobbered when I installed from the
The old key was working fine with ssh 1.2.27 because it
had idea support compiled in, even though all new keys since 1.2.8
were encrypted with 3des.
> I couldn't find anything in any of the readme files regarding
> migration problems or solutions.
You might want to note this little "gotcha" in the README files.
The rpm upgrade prep process should also probably check for ssh_* and
sshd_* files in /etc/ instead of /etc/ssh/ to help ease the upgrade pain.
The new ssh-keygen also cannot upgrade the keys because it also
does not support idea! If you experience the misfortune of blowing away
the old ssh-keygen program, you will have to go back to ssh-1.2.27 and
rebuild an ssh-keygen binary from that in order to upgrade the key. Would
it be too much to ask or too much of a patent violation to add the ability
to decrypt the old files for purposes of upgrading? No encryption, just
decrypt idea in ssh-keygen would be nice. That could, at least, avoid the
catch-22 with really old keys.
Now I just have to write a magic script to run around running
"ssh-keygen -u" for the host keys on all my servers, before beginning
the openssh upgrade process. Sigh... User identity files are going
to be another matter, but I don't think that there are too many of them
that predate 1.2.8, fortunately... :-)
> Michael H. Warfield | (770) 985-6132 | mhw [at] WittsEnd
> (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
Michael H. Warfield | (770) 985-6132 | mhw [at] WittsEnd
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
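The post boils down to a pre-flight check that can be scripted before the openssh upgrade: read the cleartext header of each SSH1 private key file and flag the ones whose private half is still IDEA-encrypted, so the old ssh-keygen -u gets run on them while that binary still exists. The following Python is an added example, not code from the post, from ssh-1.2.27 or from OpenSSH. It assumes the SSH1 private key file layout used by those programs' authfile code (magic string with its terminating NUL, one cipher-type byte, a reserved 32-bit word, key bits, the public n and e as 16-bit-length bignums, a length-prefixed comment, then the encrypted section) and the SSH1 protocol cipher numbers, where 1 is IDEA (the value in the syslog line) and 3 is 3DES. Only the unencrypted part is parsed, so no passphrase is needed and the private material is never decrypted. The sample "fleet" at the bottom is constructed in memory and contains no real keys; audit_key_files is the same check against paths on disk (the post's point about keys living in /etc/ rather than /etc/ssh/ applies to which paths you hand it).

```python
import struct

# File magic from the SSH1 / early OpenSSH authfile code: the id string plus its NUL.
SSH1_MAGIC = b"SSH PRIVATE KEY FILE FORMAT 1.1\n\x00"

# Cipher numbers from the SSH1 protocol; "unknown cipher: 1" in the syslog line is IDEA.
SSH1_CIPHER_NAMES = {0: "none", 1: "idea", 2: "des", 3: "3des",
                     4: "tss", 5: "arcfour", 6: "blowfish"}
SSH1_CIPHER_IDEA = 1
SSH1_CIPHER_3DES = 3


def _read_u32(data, pos):
    return struct.unpack(">I", data[pos:pos + 4])[0], pos + 4


def _read_bignum(data, pos):
    # SSH1 bignum: 16-bit bit count, then the magnitude in ceil(bits/8) big-endian bytes.
    nbits = struct.unpack(">H", data[pos:pos + 2])[0]
    nbytes = (nbits + 7) // 8
    pos += 2
    return int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes


def parse_ssh1_private_key_header(data):
    """Parse the cleartext header of an SSH1 private key file.

    Reads cipher type, key size, public n/e and comment only; the encrypted
    private half is never touched.  Raises ValueError for non-SSH1 input.
    """
    if not data.startswith(SSH1_MAGIC):
        raise ValueError("not an SSH1 private key file")
    pos = len(SSH1_MAGIC)
    cipher = data[pos]
    pos += 1
    _, pos = _read_u32(data, pos)          # reserved word
    bits, pos = _read_u32(data, pos)
    n, pos = _read_bignum(data, pos)
    e, pos = _read_bignum(data, pos)
    clen, pos = _read_u32(data, pos)
    comment = data[pos:pos + clen].decode("latin-1")
    return {"cipher": cipher,
            "cipher_name": SSH1_CIPHER_NAMES.get(cipher, "unknown(%d)" % cipher),
            "bits": bits, "n": n, "e": e, "comment": comment}


def needs_idea_upgrade(data):
    """True when the private half is IDEA-encrypted, i.e. the old ssh-keygen -u is needed."""
    return parse_ssh1_private_key_header(data)["cipher"] == SSH1_CIPHER_IDEA


def audit_key_blobs(blobs):
    """blobs maps path -> file bytes; returns sorted paths of IDEA-encrypted keys.
    Files that are not SSH1 keys (e.g. PEM-format keys) are skipped, not reported."""
    flagged = []
    for path, data in blobs.items():
        try:
            if needs_idea_upgrade(data):
                flagged.append(path)
        except ValueError:
            continue
    return sorted(flagged)


def audit_key_files(paths):
    """Same check against real files on disk, to run before the openssh upgrade."""
    blobs = {}
    for p in paths:
        with open(p, "rb") as fh:
            blobs[p] = fh.read()
    return audit_key_blobs(blobs)


def build_sample_key(cipher, n, e, comment):
    """Constructed sample with the real header layout and filler where the
    encrypted private section would be; it is NOT a usable key."""
    def bignum(x):
        nbits = x.bit_length()
        return struct.pack(">H", nbits) + x.to_bytes((nbits + 7) // 8, "big")
    body = comment.encode("latin-1")
    return (SSH1_MAGIC + bytes([cipher]) + b"\x00" * 4
            + struct.pack(">I", n.bit_length()) + bignum(n) + bignum(e)
            + struct.pack(">I", len(body)) + body
            + b"\x00" * 16)                # placeholder for the encrypted section


if __name__ == "__main__":
    # Constructed mini fleet: one pre-1.2.8 style host key (IDEA) and one 3DES key.
    n = int("A" * 128, 16)                 # constructed 512-bit modulus, not a real key
    fleet = {
        "/etc/ssh_host_key": build_sample_key(SSH1_CIPHER_IDEA, n, 35, "root@alcove"),
        "/etc/ssh/ssh_host_key": build_sample_key(SSH1_CIPHER_3DES, n, 35, "root@newhost"),
    }
    for path in audit_key_blobs(fleet):
        print("%s: IDEA-encrypted, run the old ssh-keygen -u on it first" % path)
```

Because the check reads only the public header, it can be run as an unprivileged audit over copies of the key files, and it also skips files that are not SSH1 keys at all, which matters once users start mixing old identity files with newer key formats in the same directory.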