I have some old 6.x FreeBSD systems that need their OpenSSH upgraded.
Everything goes just fine, but when I am done, existing clients are now presented with this message:
WARNING: DSA key found for host hostname in /root/.ssh/known_hosts:12 DSA key fingerprint 4c:29:4b:6e:b8:6b:fa:49.......
The authenticity of host 'hostname (10.1.2.3)' can't be established but keys of different type are already known for this host. RSA key fingerprint is a3:22:3d:cf:f2:46:09:f2...... Are you sure you want to continue connecting (yes/no)
And as you can imagine, existing automated jobs now all fail.
I have no control over the clients. Assume the clients cannot be touched at all.
So, the good news is, this appears to have been discussed/documented here:
... but I'm afraid that changing that line in myproposal.h BACK TO ssh-dss,ssh-rsa does not solve the problem. I did indeed make that change to myproposal.h, manually, and then build the openssh-portable port, but the behavior persists.
If I simply REMOVE the RSA keys, the error goes away, and existing DSA-using clients no longer bomb out, but this is NOT a good solution for two reasons:
1. anytime I HUP, or start sshd, it's going to create new RSA keys for me
2. It's possible that some clients out there really have been using RSA all along (who knows) and now they are completely broken, since RSA is not there at all.
I'm more than happy to muck around in the source with further little edits, just like I did with myproposal.h, but I have no idea what they would be.
Can anyone help me "make new ssh behave like old one" ?