diff --git a/src/pkg/exp/ssh/client_auth_test.go b/src/pkg/exp/ssh/client_auth_test.go
index 4ef9213a9c..2b89e9728c 100644
--- a/src/pkg/exp/ssh/client_auth_test.go
+++ b/src/pkg/exp/ssh/client_auth_test.go
@@ -7,17 +7,20 @@ package ssh
 import (
 	"bytes"
 	"crypto"
-	"crypto/rand"
+	"crypto/dsa"
 	"crypto/rsa"
+	_ "crypto/sha1"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
 	"io"
 	"io/ioutil"
+	"math/big"
 	"testing"
 )
 
-const _pem = `-----BEGIN RSA PRIVATE KEY-----
+// private key for mock server
+const testServerPrivateKey = `-----BEGIN RSA PRIVATE KEY-----
 MIIEpAIBAAKCAQEA19lGVsTqIT5iiNYRgnoY1CwkbETW5cq+Rzk5v/kTlf31XpSU
 70HVWkbTERECjaYdXM2gGcbb+sxpq6GtXf1M3kVomycqhxwhPv4Cr6Xp4WT/jkFx
 9z+FFzpeodGJWjOH6L2H5uX1Cvr9EDdQp9t9/J32/qBFntY8GwoUI/y/1MSTmMiF
@@ -45,25 +48,32 @@ gqnBycHj6AhEycjda75cs+0zybZvN4x65KZHOGW/O/7OAWEcZP5TPb3zf9ned3Hl
 NsZoFj52ponUM6+99A2CmezFCN16c4mbA//luWF+k3VVqR6BpkrhKw==
 -----END RSA PRIVATE KEY-----`
 
-// reused internally by tests
-var serverConfig = new(ServerConfig)
-
-func init() {
-	if err := serverConfig.SetRSAPrivateKey([]byte(_pem)); err != nil {
-		panic("unable to set private key: " + err.Error())
-	}
-}
+const testClientPrivateKey = `-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBALdGZxkXDAjsYk10ihwU6Id2KeILz1TAJuoq4tOgDWxEEGeTrcld
+r/ZwVaFzjWzxaf6zQIJbfaSEAhqD5yo72+sCAwEAAQJBAK8PEVU23Wj8mV0QjwcJ
+tZ4GcTUYQL7cF4+ezTCE9a1NrGnCP2RuQkHEKxuTVrxXt+6OF15/1/fuXnxKjmJC
+nxkCIQDaXvPPBi0c7vAxGwNY9726x01/dNbHCE0CBtcotobxpwIhANbbQbh3JHVW
+2haQh4fAG5mhesZKAGcxTyv4mQ7uMSQdAiAj+4dzMpJWdSzQ+qGHlHMIBvVHLkqB
+y2VdEyF7DPCZewIhAI7GOI/6LDIFOvtPo6Bj2nNmyQ1HU6k/LRtNIXi4c9NJAiAr
+rrxx26itVhJmcvoUhOjwuzSlP2bE5VHAvkGB352YBg==
+-----END RSA PRIVATE KEY-----`
 
 // keychain implements the ClientPublickey interface
 type keychain struct {
-	keys []*rsa.PrivateKey
+	keys []interface{}
 }
 
 func (k *keychain) Key(i int) (interface{}, error) {
 	if i < 0 || i >= len(k.keys) {
 		return nil, nil
 	}
-	return k.keys[i].PublicKey, nil
+	switch key := k.keys[i].(type) {
+	case *rsa.PrivateKey:
+		return key.PublicKey, nil
+	case *dsa.PrivateKey:
+		return key.PublicKey, nil
+	}
+	panic("unknown key type")
 }
 
 func (k *keychain) Sign(i int, rand io.Reader, data []byte) (sig []byte, err error) {
@@ -71,7 +81,11 @@ func (k *keychain) Sign(i int, rand io.Reader, data []byte) (sig []byte, err err
 	h := hashFunc.New()
 	h.Write(data)
 	digest := h.Sum(nil)
-	return rsa.SignPKCS1v15(rand, k.keys[i], hashFunc, digest)
+	switch key := k.keys[i].(type) {
+	case *rsa.PrivateKey:
+		return rsa.SignPKCS1v15(rand, key, hashFunc, digest)
+	}
+	return nil, errors.New("unknown key type")
 }
 
 func (k *keychain) loadPEM(file string) error {
@@ -91,61 +105,6 @@ func (k *keychain) loadPEM(file string) error {
 	return nil
 }
 
-var pkey *rsa.PrivateKey
-
-func init() {
-	var err error
-	pkey, err = rsa.GenerateKey(rand.Reader, 512)
-	if err != nil {
-		panic("unable to generate public key")
-	}
-}
-
-func TestClientAuthPublickey(t *testing.T) {
-	k := new(keychain)
-	k.keys = append(k.keys, pkey)
-
-	serverConfig.PubKeyCallback = func(user, algo string, pubkey []byte) bool {
-		expected := []byte(serializePublickey(k.keys[0].PublicKey))
-		algoname := algoName(k.keys[0].PublicKey)
-		return user == "testuser" && algo == algoname && bytes.Equal(pubkey, expected)
-	}
-	serverConfig.PasswordCallback = nil
-
-	l, err := Listen("tcp", "127.0.0.1:0", serverConfig)
-	if err != nil {
-		t.Fatalf("unable to listen: %s", err)
-	}
-	defer l.Close()
-
-	done := make(chan bool, 1)
-	go func() {
-		c, err := l.Accept()
-		if err != nil {
-			t.Fatal(err)
-		}
-		defer c.Close()
-		if err := c.Handshake(); err != nil {
-			t.Error(err)
-		}
-		done <- true
-	}()
-
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []ClientAuth{
-			ClientAuthPublickey(k),
-		},
-	}
-
-	c, err := Dial("tcp", l.Addr().String(), config)
-	if err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-	defer c.Close()
-	<-done
-}
-
 // password implements the ClientPassword interface
 type password string
 
@@ -153,96 +112,146 @@ func (p password) Password(user string) (string, error) {
 	return string(p), nil
 }
 
-func TestClientAuthPassword(t *testing.T) {
-	pw := password("tiger")
-
-	serverConfig.PasswordCallback = func(user, pass string) bool {
-		return user == "testuser" && pass == string(pw)
+// reused internally by tests
+var (
+	rsakey         *rsa.PrivateKey
+	dsakey         *dsa.PrivateKey
+	clientKeychain = new(keychain)
+	clientPassword = password("tiger")
+	serverConfig   = &ServerConfig{
+		PasswordCallback: func(user, pass string) bool {
+			return user == "testuser" && pass == string(clientPassword)
+		},
+		PubKeyCallback: func(user, algo string, pubkey []byte) bool {
+			key := clientKeychain.keys[0].(*rsa.PrivateKey).PublicKey
+			expected := []byte(serializePublickey(key))
+			algoname := algoName(key)
+			return user == "testuser" && algo == algoname && bytes.Equal(pubkey, expected)
+		},
 	}
-	serverConfig.PubKeyCallback = nil
+)
 
+func init() {
+	if err := serverConfig.SetRSAPrivateKey([]byte(testServerPrivateKey)); err != nil {
+		panic("unable to set private key: " + err.Error())
+	}
+
+	block, _ := pem.Decode([]byte(testClientPrivateKey))
+	rsakey, _ = x509.ParsePKCS1PrivateKey(block.Bytes)
+
+	clientKeychain.keys = append(clientKeychain.keys, rsakey)
+	dsakey = new(dsa.PrivateKey)
+	// taken from crypto/dsa/dsa_test.go
+	dsakey.P, _ = new(big.Int).SetString("A9B5B793FB4785793D246BAE77E8FF63CA52F442DA763C440259919FE1BC1D6065A9350637A04F75A2F039401D49F08E066C4D275A5A65DA5684BC563C14289D7AB8A67163BFBF79D85972619AD2CFF55AB0EE77A9002B0EF96293BDD0F42685EBB2C66C327079F6C98000FBCB79AACDE1BC6F9D5C7B1A97E3D9D54ED7951FEF", 16)
+	dsakey.Q, _ = new(big.Int).SetString("E1D3391245933D68A0714ED34BBCB7A1F422B9C1", 16)
+	dsakey.G, _ = new(big.Int).SetString("634364FC25248933D01D1993ECABD0657CC0CB2CEED7ED2E3E8AECDFCDC4A25C3B15E9E3B163ACA2984B5539181F3EFF1A5E8903D71D5B95DA4F27202B77D2C44B430BB53741A8D59A8F86887525C9F2A6A5980A195EAA7F2FF910064301DEF89D3AA213E1FAC7768D89365318E370AF54A112EFBA9246D9158386BA1B4EEFDA", 16)
+	dsakey.Y, _ = new(big.Int).SetString("32969E5780CFE1C849A1C276D7AEB4F38A23B591739AA2FE197349AEEBD31366AEE5EB7E6C6DDB7C57D02432B30DB5AA66D9884299FAA72568944E4EEDC92EA3FBC6F39F53412FBCC563208F7C15B737AC8910DBC2D9C9B8C001E72FDC40EB694AB1F06A5A2DBD18D9E36C66F31F566742F11EC0A52E9F7B89355C02FB5D32D2", 16)
+	dsakey.X, _ = new(big.Int).SetString("5078D4D29795CBE76D3AACFE48C9AF0BCDBEE91A", 16)
+}
+
+// newMockAuthServer creates a new Server bound to 
+// the loopback interface. The server exits after 
+// processing one handshake.
+func newMockAuthServer(t *testing.T) string {
 	l, err := Listen("tcp", "127.0.0.1:0", serverConfig)
 	if err != nil {
-		t.Fatalf("unable to listen: %s", err)
+		t.Fatalf("unable to newMockAuthServer: %s", err)
 	}
-	defer l.Close()
-
-	done := make(chan bool)
 	go func() {
+		defer l.Close()
 		c, err := l.Accept()
+		defer c.Close()
 		if err != nil {
-			t.Fatal(err)
+			t.Errorf("Unable to accept incoming connection: %v", err)
+			return
 		}
 		if err := c.Handshake(); err != nil {
-			t.Error(err)
+			// not Errorf because this is expected to
+			// fail for some tests.
+			t.Logf("Handshaking error: %v", err)
+			return
 		}
-		defer c.Close()
-		done <- true
 	}()
+	return l.Addr().String()
+}
 
+func TestClientAuthPublickey(t *testing.T) {
 	config := &ClientConfig{
 		User: "testuser",
 		Auth: []ClientAuth{
-			ClientAuthPassword(pw),
+			ClientAuthPublickey(clientKeychain),
 		},
 	}
-
-	c, err := Dial("tcp", l.Addr().String(), config)
+	c, err := Dial("tcp", newMockAuthServer(t), config)
 	if err != nil {
 		t.Fatalf("unable to dial remote side: %s", err)
 	}
-	defer c.Close()
-	<-done
+	c.Close()
 }
 
-func TestClientAuthPasswordAndPublickey(t *testing.T) {
-	pw := password("tiger")
-
-	serverConfig.PasswordCallback = func(user, pass string) bool {
-		return user == "testuser" && pass == string(pw)
+func TestClientAuthPassword(t *testing.T) {
+	config := &ClientConfig{
+		User: "testuser",
+		Auth: []ClientAuth{
+			ClientAuthPassword(clientPassword),
+		},
 	}
 
-	k := new(keychain)
-	k.keys = append(k.keys, pkey)
-
-	serverConfig.PubKeyCallback = func(user, algo string, pubkey []byte) bool {
-		expected := []byte(serializePublickey(k.keys[0].PublicKey))
-		algoname := algoName(k.keys[0].PublicKey)
-		return user == "testuser" && algo == algoname && bytes.Equal(pubkey, expected)
-	}
-
-	l, err := Listen("tcp", "127.0.0.1:0", serverConfig)
+	c, err := Dial("tcp", newMockAuthServer(t), config)
 	if err != nil {
-		t.Fatalf("unable to listen: %s", err)
+		t.Fatalf("unable to dial remote side: %s", err)
 	}
-	defer l.Close()
-
-	done := make(chan bool)
-	go func() {
-		c, err := l.Accept()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if err := c.Handshake(); err != nil {
-			t.Error(err)
-		}
-		defer c.Close()
-		done <- true
-	}()
+	c.Close()
+}
 
+func TestClientAuthWrongPassword(t *testing.T) {
 	wrongPw := password("wrong")
 	config := &ClientConfig{
 		User: "testuser",
 		Auth: []ClientAuth{
 			ClientAuthPassword(wrongPw),
-			ClientAuthPublickey(k),
+			ClientAuthPublickey(clientKeychain),
 		},
 	}
 
-	c, err := Dial("tcp", l.Addr().String(), config)
+	c, err := Dial("tcp", newMockAuthServer(t), config)
 	if err != nil {
 		t.Fatalf("unable to dial remote side: %s", err)
 	}
-	defer c.Close()
-	<-done
+	c.Close()
+}
+
+// the mock server will only authenticate ssh-rsa keys
+func TestClientAuthInvalidPublickey(t *testing.T) {
+	kc := new(keychain)
+	kc.keys = append(kc.keys, dsakey)
+	config := &ClientConfig{
+		User: "testuser",
+		Auth: []ClientAuth{
+			ClientAuthPublickey(kc),
+		},
+	}
+
+	c, err := Dial("tcp", newMockAuthServer(t), config)
+	if err == nil {
+		c.Close()
+		t.Fatalf("dsa private key should not have authenticated with rsa public key")
+	}
+}
+
+// the client should authenticate with the second key
+func TestClientAuthRSAandDSA(t *testing.T) {
+	kc := new(keychain)
+	kc.keys = append(kc.keys, dsakey, rsakey)
+	config := &ClientConfig{
+		User: "testuser",
+		Auth: []ClientAuth{
+			ClientAuthPublickey(kc),
+		},
+	}
+	c, err := Dial("tcp", newMockAuthServer(t), config)
+	if err != nil {
+		t.Fatalf("client could not authenticate with rsa key: %v", err)
+	}
+	c.Close()
 }
diff --git a/src/pkg/exp/ssh/common_test.go b/src/pkg/exp/ssh/common_test.go
index 2f4448a1bd..058fb04fe1 100644
--- a/src/pkg/exp/ssh/common_test.go
+++ b/src/pkg/exp/ssh/common_test.go
@@ -8,15 +8,15 @@ import (
 	"testing"
 )
 
-var strings = map[string]string{
-	"\x20\x0d\x0a":  "\x20\x0d\x0a",
-	"flibble":       "flibble",
-	"new\x20line":   "new\x20line",
-	"123456\x07789": "123456 789",
-	"\t\t\x10\r\n":  "\t\t \r\n",
-}
-
 func TestSafeString(t *testing.T) {
+	strings := map[string]string{
+		"\x20\x0d\x0a":  "\x20\x0d\x0a",
+		"flibble":       "flibble",
+		"new\x20line":   "new\x20line",
+		"123456\x07789": "123456 789",
+		"\t\t\x10\r\n":  "\t\t \r\n",
+	}
+
 	for s, expected := range strings {
 		actual := safeString(s)
 		if expected != actual {