From f499b43cffb855f09b426c7eaa3bcea849700a87 Mon Sep 17 00:00:00 2001 From: Pierce Lopez Date: Mon, 20 Feb 2017 15:48:19 -0500 Subject: Transport: prefer ecdsa server host keys over rsa openssh client seems to prefer ecdsa server host keys (even over ssh-ed25519) --- paramiko/transport.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/paramiko/transport.py b/paramiko/transport.py index 5ab24980..a308e0c9 100644 --- a/paramiko/transport.py +++ b/paramiko/transport.py @@ -122,9 +122,12 @@ class Transport (threading.Thread, ClosingContextManager): 'hmac-sha1', ) _preferred_keys = ( + 'ecdsa-sha2-nistp256', + 'ecdsa-sha2-nistp384', + 'ecdsa-sha2-nistp521', 'ssh-rsa', 'ssh-dss', - ) + tuple(ECDSAKey.supported_key_format_identifiers()) + ) _preferred_kex = ( 'diffie-hellman-group1-sha1', 'diffie-hellman-group14-sha1', -- cgit v1.2.3 From 691f6191601366255d55176bcdb103987626cc86 Mon Sep 17 00:00:00 2001 From: Jeff Forcier Date: Mon, 5 Jun 2017 19:59:28 -0700 Subject: Changelog closes #911, closes #900 --- sites/www/changelog.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index db2043cf..f8b3d328 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -2,6 +2,11 @@ Changelog ========= +* :bug:`900` (via :issue:`911`) Prefer newer ``ecdsa-sha2-nistp`` keys over RSA + and DSA keys during host key selection. This improves compatibility with + OpenSSH, both in terms of general behavior, and also re: ability to properly + leverage OpenSSH-modified ``known_hosts`` files. Credit: ``@kasdoe`` for + original report/PR and Pierce Lopez for the second draft. * :bug:`794` (via :issue:`981`) Prior support for ``ecdsa-sha2-nistp(384|521)`` algorithms didn't fully extend to covering host keys, preventing connection to hosts which only offer these key types and no others. This is now fixed. -- cgit v1.2.3