From nobody@FreeBSD.org  Thu Aug  5 19:58:15 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 28836106567C
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  5 Aug 2010 19:58:15 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 15D168FC16
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  5 Aug 2010 19:58:15 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o75JwEuf091070
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 5 Aug 2010 19:58:14 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o75JwETt091069;
	Thu, 5 Aug 2010 19:58:14 GMT
	(envelope-from nobody)
Message-Id: <201008051958.o75JwETt091069@www.freebsd.org>
Date: Thu, 5 Aug 2010 19:58:14 GMT
From: "Mikhail T." <mi@aldan.algebra.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: sshd silently switches to RSA in 8.x and 9.x [patch for mergemaster]
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         149343
>Category:       conf
>Synopsis:       [patch] mergemaster(8): sshd silently switches to RSA in 8.x and 9.x
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    dougb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 05 20:00:20 UTC 2010
>Closed-Date:    Thu Aug 05 21:08:40 UTC 2010
>Last-Modified:  Thu Aug 05 21:08:40 UTC 2010
>Originator:     Mikhail T.
>Release:        FreeBSD 8.1-PRERELEASE amd64
>Organization:
Virtual Estates, Inc. http://sybpipe.com/
>Environment:
FreeBSD aldan.narawntapu 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #0: Mon Jul 5 00:51:57 EDT 2010 root@aldan.narawntapu:/meow/obj/var/src/sys/SILVER-SMP amd64
>Description:
Unlike in earlier versions, in 8.x (and 9.x) sshd uses RSA hostkeys instead of DSA by default. Baffling as it may be to regular users, according to des: "It had to happen. There is nothing to resolve. Move along."

Unsatisfying words, for when an existing installation is upgraded, this point is very easy to miss, because the UPDATING entry on the subject is 2 years old. Unfortunately, this may be troublesome to those who use automated ssh-based jobs, as those jobs would now hang. Interactive ssh connections would prompt the user to accept the new (RSA-based) host keys, as just happened on freefall, for example.

For the old behavior (using DSA) to continue, the DSA HostKey must now be specified explicitly. This is something mergemaster can do -- in some cases...

>How-To-Repeat:
Upgrade from 7.x to 8.x. Try to ssh into the upgraded system. Witness the warning about the new host key (along with a warning that a key of a different type is already known for that host).

>Fix:
This patch is the best I can come up with given my limited knowledge of mergemaster. It does not catch all cases -- such as when the only differences are in RCS tags and -F is used...


Patch attached with submission follows:

Index: mergemaster.sh
===================================================================
RCS file: /home/ncvs/src/usr.sbin/mergemaster/mergemaster.sh,v
retrieving revision 1.72.2.6
diff -U 2 -r1.72.2.6 mergemaster.sh
--- mergemaster.sh	20 May 2010 22:12:36 -0000	1.72.2.6
+++ mergemaster.sh	5 Aug 2010 18:22:18 -0000
@@ -860,4 +860,53 @@
       DONT_INSTALL=yes
       ;;
+    /etc/ssh/sshd_config)
+	# If some HostKey is already explicitly set, we don't worry
+	if grep ^HostKey "$COMPFILE"
+	then
+		do_install_and_rm "${FILE_MODE}" "${1}" "${DESTDIR}${INSTALL_DIR}"
+		return
+	fi
+	fmt << EOWARNING
+***	Note, when upgrading to 8.x. For many years FreeBSD's sshd
+	installations used DSA-keys by default. The 8.x branch reverts
+	to the vendor's behavior of using RSA by default. This may
+	cause connecting clients to stall with the "new host key"
+	warnings. To continue to use DSA, ${1#.} has to explictly
+	set HostKey to point to your DSA-key file.
+
+EOWARNING
+	if [ `egrep -c '^#HostKey\s*.*_dsa_key$' $COMPFILE` != 1 ]
+	then
+		fmt << EOWARNING
+	Unfortunately, the $COMPFILE is more complex then what can be
+	automatically fixed by this script.
+
+EOWARNING
+		do_install_and_rm "${FILE_MODE}" "${1}" "${DESTDIR}${INSTALL_DIR}"
+		return
+	fi
+	cat << EOMENU
+	Use 'f' to try to automatically fix ${1#.} before installing
+	Use 'i' to just install it as is.
+        Default is to leave the temporary file to deal with by hand
+
+EOMENU
+	read -p "  How should I handle ${COMPFILE}? [Leave it to install later] " \
+		HANDLE_HOST_KEY
+
+        case "$HANDLE_HOST_KEY" in
+	[fF]*)
+		sed -i"" -e 's|#\(HostKey\s*.*_dsa_key.*\)|\1|' $COMPFILE
+		;;
+	[iI]*)
+		;;
+	default)
+		echo "   *** ${COMPFILE} will remain for your consideration"
+		return
+		;;
+	esac
+	do_install_and_rm "${FILE_MODE}" "${1}" "${DESTDIR}${INSTALL_DIR}"
+	return
+	;;
     /.cshrc | /.profile)
       local st_nlink
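Review bot: the `default)` arm of the `case "$HANDLE_HOST_KEY"` block matches only the literal answer `default`, so the documented default action (pressing Enter at the `read -p` prompt, or typing anything else) matches no arm, falls through the `esac` to `do_install_and_rm` and installs the file instead of leaving it for manual handling; the arm should be `*)`. Smaller points in the same hunk: `grep ^HostKey "$COMPFILE"` should be `grep -q` so the matching line is not echoed to the terminal; `\s` in the egrep and sed patterns is a GNU extension, use `[[:space:]]` so the base-system tools match it; `sed -i""` collapses to a bare `-i` under the shell, and FreeBSD sed takes the backup suffix as a separate argument, so the following `-e` is consumed as the suffix (write `sed -i '' -e ...`); `$COMPFILE` is unquoted in both the egrep and sed calls; and the heredoc text has "explictly" and "more complex then", which should read "explicitly" and "than".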


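The check and fix the Fix section describes, written as a stand-alone POSIX sh function rather than as a mergemaster hook. This is an added example and is not code from the PR or from mergemaster; the function name, the status words it prints and the sample sshd_config fragment are assumptions made for the example, and the fragment is constructed to look like the stock key section after an upgrade, with every HostKey line commented out. It reports "explicit" when an active HostKey directive is already present, re-enables the single commented DSA line and reports "fixed", and reports "manual" in every other case, leaving the file untouched for the administrator.

```shell
#!/bin/sh
# Added example (not part of the PR or of mergemaster): decide whether an
# sshd_config explicitly pins a HostKey and, if its only HostKey lines are the
# stock commented-out defaults, re-enable the DSA one so that an upgraded host
# keeps presenting the key its clients already have in known_hosts.
#
# ensure_dsa_hostkey FILE prints one word on stdout (names are assumptions):
#   explicit  an uncommented HostKey directive exists; file left alone
#   fixed     exactly one "#HostKey ..._dsa_key" line was found and uncommented
#   manual    no single commented DSA line to enable; file left for review
ensure_dsa_hostkey() {
    cfg=$1

    # sshd_config keywords are case-insensitive, so match the active directive
    # case-insensitively.  Any active HostKey means the admin already chose.
    if grep -qi '^[[:space:]]*HostKey[[:space:]]' "$cfg"; then
        echo explicit
        return 0
    fi

    # Count commented DSA HostKey lines.  grep -c prints the count even when it
    # is 0 (and then exits 1), so neutralise the exit status for set -e callers.
    n=$(grep -c '^#[[:space:]]*HostKey[[:space:]].*_dsa_key[[:space:]]*$' "$cfg" || true)
    if [ "$n" -ne 1 ]; then
        echo manual
        return 0
    fi

    # Portable rewrite: [[:space:]] instead of GNU \s, and a temp file plus mv
    # instead of sed -i, whose argument syntax differs between BSD and GNU sed.
    tmp="$cfg.tmp.$$"
    sed -e 's|^#\([[:space:]]*HostKey[[:space:]].*_dsa_key[[:space:]]*\)$|\1|' "$cfg" > "$tmp" &&
        mv "$tmp" "$cfg"
    echo fixed
    return 0
}

# Constructed sample: a key section with both stock HostKey lines commented
# out, the state an upgraded 8.x system is in when nothing was pinned.
make_sample() {
    cat > "$1" <<'EOF'
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
EOF
}

# Usage: create the sample in a temp file, fix it, show the result.
if [ "${1-}" = "--demo" ]; then
    f=$(mktemp) && make_sample "$f"
    ensure_dsa_hostkey "$f"      # prints: fixed
    grep '^HostKey' "$f"         # prints: HostKey /etc/ssh/ssh_host_dsa_key
    rm -f "$f"
fi
```

Run it as `sh script.sh --demo`. The "manual" path is deliberately conservative: the PR's own patch gives up when the file is "more complex than what can be automatically fixed", and this function does the same whenever the commented DSA line is missing or appears more than once, rather than guessing which line the administrator meant.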
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->dougb 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Aug 5 20:52:57 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=149343 
State-Changed-From-To: open->closed 
State-Changed-By: dougb 
State-Changed-When: Thu Aug 5 21:03:47 UTC 2010 
State-Changed-Why:  

I sympathize with your situation, but I try really hard to avoid adding 
knowledge about specific files to mergemaster. Also, this ship sailed 
back when 8.0 was released, so I don't really see the point of adding this 
now.  

http://www.freebsd.org/cgi/query-pr.cgi?pr=149343 
>Unformatted:
