Frank Cusack wrote:
> Is there a security issue with turning an RSA1 key into an RSA key? One might want to do this, e.g., to move to protocol 2 without having to update authorized_keys files. I thought there was a problem with this, but Google doesn't find anything.
>
> thanks
> /fc

It's been a while since I went over this, but I believe the reason you can't do this is:
SSHv1 uses RSA keys for encryption -- I send you data encrypted with your pubkey, you send it back to me decrypted. SSHv2 uses RSA keys for verification -- I send you data, you send it back to me signed, I test to see if the data was signed correctly.
There are potential attacks involving the use of one mode against the other. They're not as simple as what I once thought they were; i.e. the private key for decrypting is the public key for verifying -- but I think it was a problem nonetheless.
That being said, there really needs to be a mode to check all known host key types for one that matches. This is a _real_ security requirement, people! If we checked the SSHv1 key before accepting a new SSHv2 key, we'd be _a lot_ better off for the migrators.
--Dan
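
The cross-check suggested in the last paragraph, sketched as an added example that is not part of the original thread and is not OpenSSH code: before trusting a newly offered protocol 2 `ssh-rsa` host key, compare its exponent and modulus with a stored protocol 1 entry (`host bits e n`) for the same host. The function names are hypothetical, and the sketch assumes unhashed known_hosts entries and a converted key that keeps the same exponent and modulus.

```python
import base64
import struct

def _mpint(n: int) -> bytes:
    # SSH mpint (RFC 4251): length-prefixed big-endian, sign bit kept clear
    body = n.to_bytes(n.bit_length() // 8 + 1, "big") if n else b""
    return struct.pack(">I", len(body)) + body

def make_ssh_rsa_b64(e: int, n: int) -> str:
    # Build the base64 field of an "ssh-rsa" public key line (used for the sample data)
    name = b"ssh-rsa"
    blob = struct.pack(">I", len(name)) + name + _mpint(e) + _mpint(n)
    return base64.b64encode(blob).decode()

def _read_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end

def parse_ssh_rsa_b64(b64: str):
    # Return (e, n) from a protocol 2 ssh-rsa key blob
    blob = base64.b64decode(b64, validate=True)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")

def v2_key_matches_known_v1(host: str, offered_b64: str, known_hosts_lines) -> bool:
    # True only if a stored protocol 1 entry ("host bits e n") for this host
    # carries the same exponent and modulus as the offered ssh-rsa key.
    offered = parse_ssh_rsa_b64(offered_b64)
    for line in known_hosts_lines:
        f = line.split()
        if len(f) >= 4 and all(x.isdigit() for x in f[1:4]) and host in f[0].split(","):
            if (int(f[2]), int(f[3])) == offered:
                return True
    return False

# Constructed sample data: toy modulus (product of two Mersenne primes), not a real host key
N = (2**127 - 1) * (2**89 - 1)
KNOWN_HOSTS = [f"host.example.com,192.0.2.10 {N.bit_length()} 35 {N}"]
SAME_KEY = make_ssh_rsa_b64(35, N)
OTHER_KEY = make_ssh_rsa_b64(35, N + 2)
```

A `False` result means the stored protocol 1 entry gives no support to the offered key, so it should be treated like any other unknown host key.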