On Tue, Dec 20, 2016 at 6:24 PM, Glyph Lefkowitz <glyph@twistedmatrix.com> wrote:So... is this because buildbot.twistedmatrix.com has an RSA key as well, and when it offers it, our checking isn't correctly comparing the type before deciding that it doesn't match, or allowing for multiple keys? I notice that if I manually add the RSA key and delete the ECDSA key it seems to work.-gYes, that is part of it.What is happening is that the conch client sends a MSG_KEXINITpacket to the server to negotatiate what the host key should be.If I use an OpenSSH ssh client to connect to OpenSSH sshd server,the negotiated host key algorithm is ecdsa-sha2-nistp256.If I use a conch client to connect to the OpenSSH sshd server,the negotiated host key algorithm is ssh-rsa.I started a test instance of the sshd server with:/usr/sbin/sshd -p 9000 -d -d -dand captured the logs (see attached).I think some problems are:(1) conch proposes a list of host key algorithms in a different order thanOpenSSH. It shouldn't matter, but conch proposes ssh-rsa first,while OpenSSH proposes it last.(2) OpenSSH client seems to be able to receive multiple host keys backfrom the server, and can match the one it has.
--Craig