Date: Wed, 31 Mar 2004 10:26:35 -0500 From: Daren Desjardins <desjardins@canada.com> To: freebsd-stable@freebsd.org Subject: Re: SSH issues with 4.9 stable (key_verify failed for server_host_key) Message-ID: <1080746795.43045.1.camel@lithium.stabilia.com> In-Reply-To: <1080674620.72899.3.camel@lithium.stabilia.com> References: <1080674620.72899.3.camel@lithium.stabilia.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Found a fix and it is posted at freebsdforums. http://www.freebsdforums.org/forums/showthread.php?s=&postid=114234#post114234 The basic answer appears to be that the host is defaulting to ssh1 keys and client wants ssh2 keys. For FreeBSD, you can edit /etc/sshd_config and change the host key section to look like this: # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key The ssh_host_key defaults to a rsa1 key instead of 2. So you can simple comment it out to turn v1 off. You can also edit /etc/rc.network and search for sshd. You will see where it regenerates the ssh keys if they are missing. If you change the ssh_host_key to be generated using rsa2 it also solves the problem. On Tue, 2004-03-30 at 14:23, Daren Desjardins wrote: > I upgraded to 4.9 stable from 4.9 release and now have difficulty > connecting via ssh to hosts. The error I get is: > > key_verify failed for server_host_key > > > If I modify the sshd_config for the server I am connecting to and change > to the following, it works: > > > Protocol 2 > # HostKey for protocol version 1 > #HostKey /etc/ssh/ssh_host_key > # HostKeys for protocol version 2 > HostKey /etc/ssh/ssh_host_rsa_key > HostKey /etc/ssh/ssh_host_dsa_key > > > ssh verbose dump: > > [daren@lithium daren]$ssh -v puff > OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c-p1 30 Sep 2003 > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Connecting to puff [x.x.x.x] port 22. > debug1: Connection established. > debug1: identity file /home/daren/.ssh/identity type -1 > debug1: identity file /home/daren/.ssh/id_rsa type 1 > debug1: identity file /home/daren/.ssh/id_dsa type -1 > debug1: Remote protocol version 1.99, remote software version > OpenSSH_3.5p1 Free BSD-20030924 > debug1: match: OpenSSH_3.5p1 FreeBSD-20030924 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_3.8p1 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: server->client aes128-cbc hmac-md5 none > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug1: Host 'puff' is known and matches the DSA host key. > debug1: Found key in /home/daren/.ssh/known_hosts:8 > debug1: ssh_dss_verify: signature incorrect > key_verify failed for server_host_key > [daren@lithium daren]$ > > > > I did try removing the known_hosts entry, but it had no effect: > > [daren@lithium .ssh]$mv known_hosts known_hosts.bak > [daren@lithium .ssh]$ssh -v puff > OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c-p1 30 Sep 2003 > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Connecting to puff [x.x.x.x] port 22. > debug1: Connection established. > debug1: identity file /home/daren/.ssh/identity type -1 > debug1: identity file /home/daren/.ssh/id_rsa type 1 > debug1: identity file /home/daren/.ssh/id_dsa type -1 > debug1: Remote protocol version 1.99, remote software version > OpenSSH_3.5p1 Free BSD-20030924 > debug1: match: OpenSSH_3.5p1 FreeBSD-20030924 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_3.8p1 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: server->client aes128-cbc hmac-md5 none > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > The authenticity of host 'puff (x.x.x.x)' can't be established. > DSA key fingerprint is f0:b5:90:fd:92:0d:4a:b6:87:13:45:63:72:a1:49:aa. > Are you sure you want to continue connecting (yes/no)? yes > Warning: Permanently added 'puff,x.x.x.x' (DSA) to the list of known > hosts. > debug1: ssh_dss_verify: signature incorrect > key_verify failed for server_host_key > [daren@lithium .ssh]$ > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1080746795.43045.1.camel>