
Re: lftp: can no longer connect with sftp (no matching host key type found)

On 2015-12-08 20:33:27 -0800, Russ Allbery wrote:
> I think Colin is still working on making sure this change is visible
> enough to everyone it affects, but see the changelog in openssh-client:
>     - Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
>       default at run-time.  These may be re-enabled using the instructions
>       at http://www.openssh.com/legacy.html

I actually saw this page after googling the error message (not very
easy because with lftp, the error message disappears very quickly,
the part about ssh-dss isn't even visible with a 80-column terminal).

This should have been put at least in the NEWS.Debian file.

> It sounds like the remote host to which you're trying to connect only
> offers ssh-dss keys, which are no longer supported by default (following
> upstream) because they're not very secure.

This is from an SSH server for Android (and the user doesn't seem
to have a choice for the type of the host key).

> This is unrelated to host key checking or IP checking.  It's about the
> type of underlying crypto being used to secure the connection.

According to what is documented, this appears to be related to
host key checking: the error message is "no matching *host key*
type found" and the option name is HostKeyAlgorithms. In what
way could it be insecure in the case where the user doesn't have
the key in the ~/.ssh/known_hosts file?

Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
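
Added example, not part of the message above: the per-host client
configuration that the legacy.html page referenced in the changelog
describes, applied only to the Android host so that the default key
type list stays intact for every other server. The Host alias and the
address are placeholders.

```sshconfig
# Added example: ~/.ssh/config stanza for a server that offers only an
# ssh-dss host key. "android-phone" and 192.0.2.10 are placeholders.
Host android-phone
    HostName 192.0.2.10
    # OpenSSH >= 7.0 drops ssh-dss from the default HostKeyAlgorithms
    # list. The leading "+" appends it to the defaults rather than
    # replacing them, and the setting is scoped to this Host block only.
    HostKeyAlgorithms +ssh-dss
```

Since lftp's sftp backend runs the ssh client (the sftp:connect-program
setting defaults to "ssh -a -x"), lftp picks this stanza up when the
site is given as sftp://android-phone/; the equivalent one-off form is
`set sftp:connect-program "ssh -a -x -o HostKeyAlgorithms=+ssh-dss"` in
~/.lftprc. Note that this only changes which key types the client is
willing to negotiate: on first contact the 1024-bit DSA host key is
still recorded in known_hosts, so its fingerprint should be checked
against the value shown on the phone before accepting it.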
