IBM Support

OA61535: REMOTE HOST IDENTIFICATION HAS CHANGED may occur after enabling DSA support for host keys

A fix is available


APAR status

  • Closed as program error.

Error description

  • z/OS OpenSSH clients may encounter the message:
    FOTS1317 WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED
    on z/OS OpenSSH 2.4 (OpenSSH 7.6p1) after enabling
    client support for deprecated DSA (ssh-dss) host keys.
    
    
    
    The DSA host key support for clients can be enabled by modifying
    the system-wide ssh_config file and including keyword:
    HostKeyAlgorithms=+ssh-dss
    
    or specifying this keyword in the per-user configuration file
    ($HOME/.ssh/config) or on the command line with invocation flag:
    -oHostKeyAlgorithms=+ssh-dss
    
    
    After enabling DSA host key support for the z/OS clients (ssh,
    scp, sftp) the FOTS1317 condition may arise if the remote
    server has additional non-DSA host keys available for use.
    
    
    
    ANALYSIS:
    The ssh-dss algorithm (DSA) was removed from the default
    HostKeyAlgorithms list in z/OS OpenSSH 2.4 (OpenSSH 7.6).  Adding
    it back with the "+ssh-dss" form of the HostKeyAlgorithms keyword
    may still fail: the appended algorithm is restored at the lowest
    priority, and when the HostKeyAlgorithms keyword is specified the
    client does not reorder the list, so it proposes the higher
    priority algorithms first and the server, if it has such a key,
    presents that key instead of its DSA key.  Without the keyword,
    priority is given to algorithms for which a key already exists in
    the client's known_hosts (or system ssh_known_hosts) files.
    Because the key presented then differs from the DSA key recorded
    for the host, the client reports FOTS1317.
    
    
    KNOWN IMPACT:
    The problem surfaces if DSA host key support is enabled with the
    HostKeyAlgorithms keyword, and the server offers non-DSA host
    keys and StrictHostKeyChecking is not set to "no".
    
    
    VERIFICATION STEPS:
    1.  Must be running z/OS OpenSSH 2.4 (OpenSSH 7.6p1).
    2.  Must have StrictHostKeyChecking set to a value other than
        "no".
    3.  Must enable the use of DSA host keys, and the remote server
        offers keys other than DSA which are not in the user's
        known_hosts file.
    

Local fix

  • BYPASS/CIRCUMVENTION:
    If possible do one of the following:
    
    1. Specify HostKeyAlgorithms=ssh-dss
       This method will explicitly use only DSA host keys.  Place it
       in a Host block for the affected server only; set system-wide
       it would restrict every connection to DSA.
    
    
    2. Change the order of the host key algorithms in the client
       configurations.  This requires an explicit and complete list
       of the desired algorithms in the HostKeyAlgorithms keyword.
       Refer to the OpenSSH User Guide for the default list.
    
    3. Use ssh-keyscan to add the higher priority host key into the
       user's known_hosts file.  ssh-keyscan records whatever key the
       network returns, so verify the fingerprint out of band before
       trusting the new entry.
    
    4. Remove the DSA host key for the remote server from the
       user's known_hosts file and connect interactively to the
       remote system to where the user will be prompted to
       automatically add the server's non-DSA key to the
       known_hosts file.
    
    
    
    
    
    KEYWORDs:
    5655M2301
    msgFOTS1317
    
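The analysis and circumvention steps above can be followed more easily with a small simulation of the client-side logic they describe. The following Python is an added example written for this page; it is not z/OS OpenSSH or upstream OpenSSH code. It models three things: how HostKeyAlgorithms=+/-/explicit builds the proposal list, the known_hosts-based reordering that the fix retains for the +/- forms, and the known_hosts check that yields the "REMOTE HOST IDENTIFICATION HAS CHANGED" result when a different key is recorded for the host. The default algorithm list, the host name, and the key blobs are constructed placeholders; hashed known_hosts entries and certificates are not handled.

```python
"""Simulation of OpenSSH client host key algorithm ordering and the
known_hosts check, illustrating APAR OA61535.  Illustrative code only;
all hosts, keys and the default list below are constructed assumptions."""
from dataclasses import dataclass

# Assumed default preference list (the real one is in the ssh_config man page).
DEFAULT_HOSTKEY_ALGS = ["ssh-ed25519", "ecdsa-sha2-nistp256",
                        "rsa-sha2-512", "ssh-rsa"]


def key_type_of(alg: str) -> str:
    """rsa-sha2-* signatures are made with a key recorded as 'ssh-rsa'."""
    return "ssh-rsa" if alg.startswith("rsa-sha2-") else alg


@dataclass(frozen=True)
class HostKey:
    ktype: str   # e.g. "ssh-dss"
    blob: str    # placeholder for the base64 key material


def parse_known_hosts(text: str):
    """Parse plain (unhashed) known_hosts lines into (patterns, HostKey)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, ktype, blob = line.split()[:3]
        entries.append((hosts.split(","), HostKey(ktype, blob)))
    return entries


def keys_for_host(host, known):
    return [k for patterns, k in known if host in patterns]


def assemble_hostkey_algs(spec, default=DEFAULT_HOSTKEY_ALGS):
    """Mirror the +/-/explicit semantics of the HostKeyAlgorithms keyword."""
    if spec is None:
        return list(default)
    if spec.startswith("+"):
        extra = [a for a in spec[1:].split(",") if a not in default]
        return list(default) + extra        # appended at lowest priority
    if spec.startswith("-"):
        drop = set(spec[1:].split(","))
        return [a for a in default if a not in drop]
    return spec.split(",")                  # explicit, complete list


def order_by_known_hosts(host, algs, known):
    """Move algorithms whose key type is already in known_hosts to the front."""
    have = {k.ktype for k in keys_for_host(host, known)}
    first = [a for a in algs if key_type_of(a) in have]
    rest = [a for a in algs if key_type_of(a) not in have]
    return first + rest


def client_hostkey_algs(host, spec, known, reorder_on_plus_minus):
    """Build the proposal; reorder_on_plus_minus=True models the APAR's fix,
    which keeps known_hosts ordering when the keyword only appends/removes."""
    algs = assemble_hostkey_algs(spec)
    if spec is None or (reorder_on_plus_minus and spec[0] in "+-"):
        algs = order_by_known_hosts(host, algs, known)
    return algs


def negotiate(client_algs, server_keys):
    """The server presents the key for the first client preference it can serve."""
    offered = {k.ktype: k for k in server_keys}
    for alg in client_algs:
        if key_type_of(alg) in offered:
            return offered[key_type_of(alg)]
    raise RuntimeError("no matching host key type")


def check_host_key(host, server_key, known):
    """OK if the exact key is recorded, NEW if nothing is recorded for the host,
    CHANGED if a different key (of any type) is recorded: the FOTS1317 case."""
    recorded = keys_for_host(host, known)
    if not recorded:
        return "NEW"
    return "OK" if server_key in recorded else "CHANGED"


def connect(host, spec, known_hosts_text, server_keys, fixed):
    """Return (key type presented by the server, result of the known_hosts check)."""
    known = parse_known_hosts(known_hosts_text)
    algs = client_hostkey_algs(host, spec, known, reorder_on_plus_minus=fixed)
    key = negotiate(algs, server_keys)
    return key.ktype, check_host_key(host, key, known)


# Constructed scenario: known_hosts holds only the old DSA key, but the
# server now also offers ED25519 and RSA host keys.
SERVER_KEYS = [HostKey("ssh-ed25519", "AAAAC3...ed25519"),
               HostKey("ssh-rsa", "AAAAB3...rsa"),
               HostKey("ssh-dss", "AAAAB3...dss")]
KNOWN_HOSTS_DSA_ONLY = "zos.example.com,10.1.2.3 ssh-dss AAAAB3...dss\n"
# What circumvention 3 (ssh-keyscan) would leave behind.
KNOWN_HOSTS_AFTER_KEYSCAN = (KNOWN_HOSTS_DSA_ONLY +
                             "zos.example.com ssh-ed25519 AAAAC3...ed25519\n")

if __name__ == "__main__":
    h = "zos.example.com"
    print(connect(h, "+ssh-dss", KNOWN_HOSTS_DSA_ONLY, SERVER_KEYS, fixed=False))
    print(connect(h, "+ssh-dss", KNOWN_HOSTS_DSA_ONLY, SERVER_KEYS, fixed=True))
    print(connect(h, "ssh-dss", KNOWN_HOSTS_DSA_ONLY, SERVER_KEYS, fixed=False))
    print(connect(h, "+ssh-dss", KNOWN_HOSTS_AFTER_KEYSCAN, SERVER_KEYS, fixed=False))
```

The first call reproduces the APAR: with "+ssh-dss" and no reordering, ED25519 wins the negotiation and the DSA-only known_hosts entry makes the check report CHANGED. The second shows the fixed behaviour (DSA is moved to the front because a DSA key is recorded), and the remaining two correspond to circumventions 1 and 3. Removing the DSA entry entirely (circumvention 4) turns the result into NEW, which is the interactive "add this key?" prompt rather than a warning.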

Problem summary

  • ****************************************************************
    * USERS AFFECTED: z/OS users of IBM z/OS V2R4 OpenSSH.         *
    ****************************************************************
    * PROBLEM DESCRIPTION: The host key type already recorded in     *
    *                      the known_hosts file is not chosen;       *
    *                      instead a host key type that is not in    *
    *                      known_hosts is negotiated, which fails    *
    *                      the host key check.                       *
    ****************************************************************
    Algorithms appended with the HostKeyAlgorithms=+ form are placed
    at the end of the host key algorithm list, and the list is not
    reordered by scanning the known_hosts file.
    

Problem conclusion

  • When HostKeyAlgorithms is used merely to append or remove
    algorithms from the default set (i.e. HostKeyAlgorithms=+/-...),
    the program now retains the default behavior of preferring the
    algorithms that have existing keys in known_hosts.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA61535

  • Reported component name

    OPENSSH FOR Z/O

  • Reported component ID

    5655M2301

  • Reported release

    240

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-06-03

  • Closed date

    2021-06-28

  • Last modified date

    2021-08-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UJ05922

Modules/Macros

  • FOTSXSSH
    

Fix information

  • Fixed component name

    OPENSSH FOR Z/O

  • Fixed component ID

    5655M2301

Applicable component levels

  • R240 PSY UJ05922

       UP21/07/21 P F107


Document Information

Modified date:
03 August 2021