From nobody@www.freebsd.org  Mon May 27 19:33:37 2002
Return-Path: <nobody@www.freebsd.org>
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by hub.freebsd.org (Postfix) with ESMTP id 6909737B408
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 27 May 2002 19:33:37 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g4S2XbhG084883
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 27 May 2002 19:33:37 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.2/8.12.2/Submit) id g4S2XboH084882;
	Mon, 27 May 2002 19:33:37 -0700 (PDT)
Message-Id: <200205280233.g4S2XboH084882@www.freebsd.org>
Date: Mon, 27 May 2002 19:33:37 -0700 (PDT)
From: Andrew.P.Lentvorski@www.freebsd.org, "Jr." <bsder@allcaps.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ssh doesn't fail over from protocol 1 to protocol 2
X-Send-Pr-Version: www-1.0

>Number:         38643
>Category:       bin
>Synopsis:       ssh doesn't fail over from protocol 1 to protocol 2
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 27 19:40:02 PDT 2002
>Closed-Date:    Sun Jul 07 10:48:27 PDT 2002
>Last-Modified:  Sun Jul 07 10:48:27 PDT 2002
>Originator:     Andrew P. Lentvorski, Jr.
>Release:        4.5-RELEASE
>Organization:
>Environment:
FreeBSD taz.allcaps.org 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002     murray@builder.freebsdmall.com:/usr/src/sys/compile/GENERIC  i386  
>Description:
When using dsa public keys to log into a remote system, ssh is supposed
to try using protocol 1 and then use protocol 2 if that fails.  In the
ssh_config file the relevant line is "Protocol 1,2"

However, the rollover never occurs and the login simply fails.
>How-To-Repeat:
Default FreeBSD install.  Attempt to log into another machine with ssh
using only dsa public keys.  It will fail. 
>Fix:
Change the line "Protocol 1,2" to "Protocol 2,1" in the ssh_config file
or use -2 on the ssh command line.

However, it is unclear whether "Protocol 2,1" fixes the problem or whether
it just hides the problem by trying protocol 2 first and would fail
if someone attempted to use protocol 1 for public key login.
>Release-Note:
>Audit-Trail:

From: "Crist J. Clark" <crist.clark@attbi.com>
To: Andrew.P.Lentvorski@www.freebsd.org, "Jr." <bsder@allcaps.org>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/38643: ssh doesn't fail over from protocol 1 to protocol 2
Date: Sat, 1 Jun 2002 18:20:33 -0700

 On Mon, May 27, 2002 at 07:33:37PM -0700, Andrew.P.Lentvorski@www.freebsd.org wrote:
 [snip]
 
 > >Description:
 > When using dsa public keys to log into a remote system, ssh is supposed
 > to try using protocol 1 and then use protocol 2 if that fails.  In the
 > ssh_config file the relevant line is "Protocol 1,2"
 
 This is not how it works. During the initial negotiations, server and
 client decide which protocol to use. Once they do, it is fixed, you
 cannot switch. If they decide to use version 2, and authentication
 fails, you are done. You do NOT start over with protocol 1.
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
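
The following is an added illustration of the point made in the reply above and of why the reporter's "Protocol 2,1" workaround behaves as it does; it is not code from this PR or from OpenSSH. It models the identification-string exchange of RFC 4253 section 5.1 (a server that speaks both versions advertises "SSH-1.99-...") together with the rule an OpenSSH 3.x client applies to its Protocol option: the first listed version wins against a 1.99 server, the decision is made once, and the key types usable for public-key authentication then follow from the chosen version (rsa1 for protocol 1; dsa and rsa for protocol 2). The server banners and the key-type table are constructed for the example, and the decision logic is a simplification that keeps only the major-version choice.

```python
"""Model of the SSH protocol-version exchange (RFC 4253 section 5.1) as
handled by an OpenSSH 3.x client.  Constructed example; not OpenSSH code."""

# Protocol-1 clients only use RSA1 identities; DSA (and RSA) identities
# belong to protocol 2.  A DSA-only user therefore cannot authenticate
# once protocol 1 has been chosen, and there is no second attempt.
# (Assumption: simplified table, enough for the version decision.)
KEY_TYPES_BY_PROTOCOL = {1: {"rsa1"}, 2: {"dsa", "rsa"}}


def parse_protocol_option(value):
    """Parse the ssh_config 'Protocol' value ("1,2", "2,1", "2", ...)
    into an ordered list of preferred major versions."""
    versions = []
    for item in value.split(","):
        item = item.strip()
        if item not in ("1", "2"):
            raise ValueError("bad Protocol entry: %r" % item)
        v = int(item)
        if v not in versions:
            versions.append(v)
    if not versions:
        raise ValueError("empty Protocol list")
    return versions


def parse_banner(banner):
    """Split 'SSH-protoversion-softwareversion' into (major, minor)."""
    if not banner.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % banner)
    proto = banner.split("-", 2)[1]          # e.g. "1.99", "2.0", "1.5"
    major, minor = proto.split(".", 1)
    return int(major), int(minor)


def negotiate(client_protocol_option, server_banner):
    """Return the single protocol major version the connection is fixed to,
    or None on a mismatch.  Mirrors the rules an OpenSSH 3.x client applies
    (assumption: reduced to the major-version decision)."""
    prefs = parse_protocol_option(client_protocol_option)
    supports_1, supports_2 = 1 in prefs, 2 in prefs
    prefer_1 = prefs[0] == 1 and supports_2   # "1" listed first
    major, minor = parse_banner(server_banner)

    if major == 1:
        # "1.99" means the server speaks both; the client's order decides.
        if minor == 99 and supports_2 and not prefer_1:
            return 2
        return 1 if supports_1 else None
    if major == 2:
        return 2 if supports_2 else None
    return None


def can_use_key(client_protocol_option, server_banner, key_type):
    """True if the identity type can be offered on the negotiated protocol."""
    proto = negotiate(client_protocol_option, server_banner)
    if proto is None:
        return False
    return key_type in KEY_TYPES_BY_PROTOCOL[proto]


if __name__ == "__main__":
    # Constructed banner for a server that offers both protocol versions.
    server = "SSH-1.99-OpenSSH_2.9"
    for option in ("1,2", "2,1", "2"):
        proto = negotiate(option, server)
        print("Protocol %-4s vs %s -> protocol %s, DSA key usable: %s"
              % (option, server, proto, can_use_key(option, server, "dsa")))
```

Running it shows the behaviour described in the report: with "Protocol 1,2" the client settles on protocol 1 against a 1.99 server and a DSA identity is never offered, while "Protocol 2,1" or "Protocol 2" selects protocol 2 and the DSA key can be used. Nothing in the model ever revisits the choice after it is made, which is the design constraint the reply describes.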
State-Changed-From-To: open->closed 
State-Changed-By: jon 
State-Changed-When: Sun Jul 7 10:39:41 PDT 2002 
State-Changed-Why:  

This is an issue with the design of the ssh protocol and cannot easily be fixed.  If this is important to you, try bringing it up with the openssh folks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=38643 
>Unformatted:
