A fix is available
APAR status
Closed as program error.
Error description
z/OS OpenSSH clients may encounter the message

  FOTS1317 WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED

on z/OS OpenSSH 2.4 (OpenSSH 7.6p1) after enabling client support for deprecated DSA (ssh-dss) host keys. DSA host key support for clients can be enabled by modifying the system-wide ssh_config file and including the keyword HostKeyAlgorithms=+ssh-dss, by specifying this keyword in the per-user configuration file ($HOME/.ssh/config), or on the command line with the invocation flag -oHostKeyAlgorithms=+ssh-dss. After enabling DSA host key support for the z/OS clients (ssh, scp, sftp), the FOTS1317 condition may arise if the remote server has additional non-DSA host keys available for use.

ANALYSIS: The ssh-dss algorithm (DSA) was removed from the HostKeyAlgorithms list in OpenSSH 2.4 (OpenSSH 7.6). Adding it back via the HostKeyAlgorithms keyword with the "+ssh-dss" option may still fail, because DSA support is restored as the lowest-priority option, and when the HostKeyAlgorithms keyword is specified the client is required to use the higher-priority key types if the server offers them. Without the keyword, priority is given to the key types that already have entries in the client's known_hosts (or system ssh_known_hosts) files.

KNOWN IMPACT: The problem surfaces if DSA host key support is enabled with the HostKeyAlgorithms keyword, the server offers non-DSA host keys, and StrictHostKeyChecking is not set to "no".

VERIFICATION STEPS:
1. Must be running z/OS OpenSSH 2.4 (OpenSSH 7.6p1).
2. Must have StrictHostKeyChecking set to a value other than "no".
3. Must enable the use of DSA host keys, and the remote server offers keys other than DSA which are not in the user's known_hosts file.
Local fix
BYPASS/CIRCUMVENTION: If possible, do one of the following:
1. Specify HostKeyAlgorithms=ssh-dss. This method will explicitly use only DSA host keys.
2. Change the order of the host key algorithms in the client configuration. This requires an explicit and complete list of the desired algorithms in the HostKeyAlgorithms keyword. Refer to the OpenSSH User Guide for the default list.
3. Use ssh-keyscan to add the higher-priority host key into the user's known_hosts file.
4. Remove the DSA host key for the remote server from the user's known_hosts file and connect interactively to the remote system, where the user will be prompted to automatically add the server's non-DSA key to the known_hosts file.
KEYWORDS: 5655M2301 msgFOTS1317
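As an added example (not IBM's or OpenSSH's code), the following POSIX shell script builds the explicit, ordered HostKeyAlgorithms list that circumvention 2 asks for from an unhashed known_hosts file, placing the key types already recorded for the host first so the trusted key is tried before ssh-dss is reached. The default order in DEFAULT_ALGS, the host names and the key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not IBM's or OpenSSH's code. Builds an explicit, ordered
# HostKeyAlgorithms= value: key types already recorded for the host in an
# unhashed known_hosts file come first, then the remaining defaults, and
# ssh-dss last unless it is a known type. DEFAULT_ALGS is an assumed,
# illustrative order; take the real default list from the OpenSSH User Guide.
DEFAULT_ALGS="ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa"

# known_host_types FILE HOST: key types recorded for HOST, one per line, in
# file order. Comment lines, @-markers and hashed (|1|...) entries are skipped.
known_host_types() {
    awk -v host="$2" '
        $1 !~ /^[#@|]/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print $2; break }
        }' "$1"
}

# ordered_hostkeyalgs FILE HOST: comma-separated list for HostKeyAlgorithms=
ordered_hostkeyalgs() {
    list=""
    for t in $(known_host_types "$1" "$2") $(printf '%s' "$DEFAULT_ALGS" | tr ',' ' ') ssh-dss; do
        case ",$list," in
            *",$t,"*) ;;                       # already listed, keep its earlier position
            *) list="${list:+$list,}$t" ;;
        esac
    done
    printf '%s\n' "$list"
}

# Constructed sample known_hosts: zoshost has only a DSA key recorded,
# otherhost an ed25519 key. Key blobs are placeholders, not real keys.
KNOWN_HOSTS=$(mktemp)
trap 'rm -f "$KNOWN_HOSTS"' EXIT
cat > "$KNOWN_HOSTS" <<'EOF'
# comment line
zoshost,10.0.0.5 ssh-dss AAAAB3NzaC1kc3MAAACB...placeholder...
otherhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...placeholder...
|1|hashedsalt=|hashedhost= ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...placeholder...
EOF

# With HostKeyAlgorithms=+ssh-dss the client would try the non-DSA types first
# for zoshost and hit FOTS1317; this list puts the trusted DSA key type first.
ordered_hostkeyalgs "$KNOWN_HOSTS" zoshost     # ssh-dss,ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa
ordered_hostkeyalgs "$KNOWN_HOSTS" otherhost   # ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa,ssh-dss
```

The printed value is what to place in HostKeyAlgorithms= for that host's Host block; entries hashed with HashKnownHosts are not matched and would need ssh-keygen -F to resolve.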
Problem summary
USERS AFFECTED: z/OS users of IBM z/OS V2R4 OpenSSH.
PROBLEM DESCRIPTION: The existing host key in the known_hosts file is not chosen; instead an attempt is made to use a non-existent host key, which will fail.
The host key algorithms appended with the HostKeyAlgorithms=+ option are placed at the end of the host key algorithms list without scanning the known_hosts file to reorder the list.
Problem conclusion
When HostKeyAlgorithms is used merely to append algorithms to or remove them from the default set (HostKeyAlgorithms=+... or HostKeyAlgorithms=-...), the program now retains the default behavior of preferring the algorithms that have existing keys in known_hosts.
Temporary fix
Comments
APAR Information
APAR number
OA61535
Reported component name
OPENSSH FOR Z/O
Reported component ID
5655M2301
Reported release
240
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-06-03
Closed date
2021-06-28
Last modified date
2021-08-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UJ05922
Modules/Macros
FOTSXSSH
Fix information
Fixed component name
OPENSSH FOR Z/O
Fixed component ID
5655M2301
Applicable component levels
R240 PSY UJ05922
UP21/07/21 P F107
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
03 August 2021