Re: Re-using RSA1 keys as RSA

["Joel N. Weber II" <ietf-secsh%joelweber.com@localhost>]

> That being said, there really needs to be a mode to check all known host 
> key types for one that matches.  This is a _real_ security requirement, 
> people!  If we checked the SSHv1 key before accepting a new SSHv2 key, 
> we'd be _alot_ better off for the migrators.

1) That's only really true if most people haven't already migrated.  I
think it's been a year since I was really making significant use of
sshv1; everything that really matters to me has already migrated to
sshv2.

2) That's only really true if you have a fix for the habit people
develop of reacting to the MitM attack warning by deleting the
relevant known_hosts entries.

(To some extent, there is also a sysadmin behavior problem; if I
remember correctly, the sysadmins of one machine I use decided six or
eight months ago to change the host key as a result of migrating to a
new machine, and didn't send pgp signed mail with the new key when I
asked.  They also broke my authorized_keys entry, such that I couldn't
even do a login that would prevent a man in the middle from forwarding
my login to the real machine.  But they didn't break my password.)

3) That said, having a mechanism to roll over sshv2 keys to other
sshv2 keys more cleanly may well be worth having.  I'm thinking
something where a client lists the keys it trusts, and if the server
has its old private keys, it can sign the session with an old host
key, and then use SSH_MSG_HOSTKEYS (once we have that defined; I have
a mostly written draft that I should submit real soon now) to send the
new host key.