From: Daren Desjardins
To: freebsd-stable@freebsd.org
Date: Wed, 31 Mar 2004 10:26:35 -0500
Subject: Re: SSH issues with 4.9 stable (key_verify failed for server_host_key)
In-Reply-To: <1080674620.72899.3.camel@lithium.stabilia.com>
Message-Id: <1080746795.43045.1.camel@lithium.stabilia.com>

Found a fix and it is posted at freebsdforums.

http://www.freebsdforums.org/forums/showthread.php?s=&postid=114234#post114234

The basic answer appears to be that the host is defaulting to ssh1 keys and the client wants ssh2 keys. For FreeBSD, you can edit /etc/sshd_config and change the host key section to look like this:

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key

The ssh_host_key defaults to an rsa1 key instead of 2. So you can simply comment it out to turn v1 off.

You can also edit /etc/rc.network and search for sshd. You will see where it regenerates the ssh keys if they are missing. If you change the ssh_host_key to be generated using rsa2 it also solves the problem.

On Tue, 2004-03-30 at 14:23, Daren Desjardins wrote:
> I upgraded to 4.9 stable from 4.9 release and now have difficulty
> connecting via ssh to hosts. The error I get is:
>
> key_verify failed for server_host_key
>
> If I modify the sshd_config for the server I am connecting to and change
> to the following, it works:
>
> Protocol 2
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
>
> ssh verbose dump:
>
> [daren@lithium daren]$ssh -v puff
> OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c-p1 30 Sep 2003
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to puff [x.x.x.x] port 22.
> debug1: Connection established.
> debug1: identity file /home/daren/.ssh/identity type -1
> debug1: identity file /home/daren/.ssh/id_rsa type 1
> debug1: identity file /home/daren/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 FreeBSD-20030924
> debug1: match: OpenSSH_3.5p1 FreeBSD-20030924 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.8p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'puff' is known and matches the DSA host key.
> debug1: Found key in /home/daren/.ssh/known_hosts:8
> debug1: ssh_dss_verify: signature incorrect
> key_verify failed for server_host_key
> [daren@lithium daren]$
>
> I did try removing the known_hosts entry, but it had no effect:
>
> [daren@lithium .ssh]$mv known_hosts known_hosts.bak
> [daren@lithium .ssh]$ssh -v puff
> OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c-p1 30 Sep 2003
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to puff [x.x.x.x] port 22.
> debug1: Connection established.
> debug1: identity file /home/daren/.ssh/identity type -1
> debug1: identity file /home/daren/.ssh/id_rsa type 1
> debug1: identity file /home/daren/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 FreeBSD-20030924
> debug1: match: OpenSSH_3.5p1 FreeBSD-20030924 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.8p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> The authenticity of host 'puff (x.x.x.x)' can't be established.
> DSA key fingerprint is f0:b5:90:fd:92:0d:4a:b6:87:13:45:63:72:a1:49:aa.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added 'puff,x.x.x.x' (DSA) to the list of known hosts.
> debug1: ssh_dss_verify: signature incorrect
> key_verify failed for server_host_key
> [daren@lithium .ssh]$
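The check a defender would want after reading this thread, as an added example that is not code from the thread or from FreeBSD: it parses an sshd_config and flags an enabled protocol 1 or a HostKey that points at an rsa1 key file. The "2,1" default for an unset Protocol and the key-file headers are assumptions about OpenSSH 3.x, and all inputs are constructed.

```python
"""Audit an sshd_config for protocol-1 host keys (added example, not from the thread)."""
# Header of an OpenSSH protocol-1 (rsa1) private key file (assumption about OpenSSH 3.x).
RSA1_MAGIC = "SSH PRIVATE KEY FILE FORMAT 1.1"

def parse_sshd_config(text):
    """Return (Protocol value, [HostKey paths]); comments and blanks are ignored."""
    protocol = "2,1"  # assumption: OpenSSH 3.x default when Protocol is not set
    hostkeys = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "protocol":
            protocol = value
        elif keyword == "hostkey":
            hostkeys.append(value)
    return protocol, hostkeys

def key_file_kind(content):
    """Classify a private key file by its first line."""
    lines = content.strip().splitlines()
    first = lines[0] if lines else ""
    if first.startswith(RSA1_MAGIC):
        return "rsa1"
    if "BEGIN RSA PRIVATE KEY" in first:
        return "rsa"
    if "BEGIN DSA PRIVATE KEY" in first:
        return "dsa"
    return "unknown"

def audit(config_text, key_files):
    """key_files maps path -> content (constructed here rather than read from disk)."""
    protocol, hostkeys = parse_sshd_config(config_text)
    findings = []
    if "1" in [v.strip() for v in protocol.split(",")]:
        findings.append("protocol 1 enabled (Protocol %s)" % protocol)
    for path in hostkeys:
        kind = key_file_kind(key_files.get(path, ""))
        if kind == "rsa1":
            findings.append("%s is an rsa1 (protocol 1) host key" % path)
        elif kind == "unknown":
            findings.append("%s is missing or not a recognised key file" % path)
    return findings

# Constructed sample inputs: headers only, no real key material.
KEY_FILES = {"/etc/ssh/ssh_host_key": RSA1_MAGIC + "\n<constructed>",
             "/etc/ssh/ssh_host_rsa_key": "-----BEGIN RSA PRIVATE KEY-----\n<constructed>",
             "/etc/ssh/ssh_host_dsa_key": "-----BEGIN DSA PRIVATE KEY-----\n<constructed>"}
BEFORE = "HostKey /etc/ssh/ssh_host_key\nHostKey /etc/ssh/ssh_host_rsa_key\n"
AFTER = "Protocol 2\n#HostKey /etc/ssh/ssh_host_key\nHostKey /etc/ssh/ssh_host_rsa_key\n"
```

Run `audit(BEFORE, KEY_FILES)` to see both findings for the unfixed configuration; the corrected configuration from the thread returns none.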