Re: SSH issues with 4.9 stable (key_verify failed for server_host_key)

From: Daren Desjardins (desjardins_at_canada.com)
Date: 03/31/04

  • Next message: Roberto Lima: "grep: Memory exhausted"
    To: freebsd-stable@freebsd.org
    Date: Wed, 31 Mar 2004 10:26:35 -0500
    
    

    Found a fix and it is posted at freebsdforums.

    http://www.freebsdforums.org/forums/showthread.php?s=&postid=114234#post114234

    The basic answer appears to be that the host is defaulting to ssh1 keys
    and client wants ssh2 keys.

    For FreeBSD, you can edit /etc/sshd_config and change the host key
    section to look like this:
     
     # HostKey for protocol version 1
     #HostKey /etc/ssh/ssh_host_key
     # HostKeys for protocol version 2
     HostKey /etc/ssh/ssh_host_rsa_key
     HostKey /etc/ssh/ssh_host_dsa_key
     
     The ssh_host_key defaults to a rsa1 key instead of 2. So you can simply
    comment it out to turn v1 off.
     
     You can also edit /etc/rc.network and search for sshd. You will see
    where it regenerates the ssh keys if they are missing. If you change the
    ssh_host_key to be generated using rsa2 it also solves the problem.
     

    On Tue, 2004-03-30 at 14:23, Daren Desjardins wrote:
    > I upgraded to 4.9 stable from 4.9 release and now have difficulty
    > connecting via ssh to hosts. The error I get is:
    >
    > key_verify failed for server_host_key
    >
    >
    > If I modify the sshd_config for the server I am connecting to and change
    > to the following, it works:
    >
    >
    > Protocol 2
    > # HostKey for protocol version 1
    > #HostKey /etc/ssh/ssh_host_key
    > # HostKeys for protocol version 2
    > HostKey /etc/ssh/ssh_host_rsa_key
    > HostKey /etc/ssh/ssh_host_dsa_key
    >
    >
    > ssh verbose dump:
    >
    > [daren@lithium daren]$ssh -v puff
    > OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c-p1 30 Sep 2003
    > debug1: Reading configuration data /etc/ssh/ssh_config
    > debug1: Connecting to puff [x.x.x.x] port 22.
    > debug1: Connection established.
    > debug1: identity file /home/daren/.ssh/identity type -1
    > debug1: identity file /home/daren/.ssh/id_rsa type 1
    > debug1: identity file /home/daren/.ssh/id_dsa type -1
    > debug1: Remote protocol version 1.99, remote software version
    > OpenSSH_3.5p1 FreeBSD-20030924
    > debug1: match: OpenSSH_3.5p1 FreeBSD-20030924 pat OpenSSH*
    > debug1: Enabling compatibility mode for protocol 2.0
    > debug1: Local version string SSH-2.0-OpenSSH_3.8p1
    > debug1: SSH2_MSG_KEXINIT sent
    > debug1: SSH2_MSG_KEXINIT received
    > debug1: kex: server->client aes128-cbc hmac-md5 none
    > debug1: kex: client->server aes128-cbc hmac-md5 none
    > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    > debug1: Host 'puff' is known and matches the DSA host key.
    > debug1: Found key in /home/daren/.ssh/known_hosts:8
    > debug1: ssh_dss_verify: signature incorrect
    > key_verify failed for server_host_key
    > [daren@lithium daren]$
    >
    >
    >
    > I did try removing the known_hosts entry, but it had no effect:
    >
    > [daren@lithium .ssh]$mv known_hosts known_hosts.bak
    > [daren@lithium .ssh]$ssh -v puff
    > OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c-p1 30 Sep 2003
    > debug1: Reading configuration data /etc/ssh/ssh_config
    > debug1: Connecting to puff [x.x.x.x] port 22.
    > debug1: Connection established.
    > debug1: identity file /home/daren/.ssh/identity type -1
    > debug1: identity file /home/daren/.ssh/id_rsa type 1
    > debug1: identity file /home/daren/.ssh/id_dsa type -1
    > debug1: Remote protocol version 1.99, remote software version
    > OpenSSH_3.5p1 FreeBSD-20030924
    > debug1: match: OpenSSH_3.5p1 FreeBSD-20030924 pat OpenSSH*
    > debug1: Enabling compatibility mode for protocol 2.0
    > debug1: Local version string SSH-2.0-OpenSSH_3.8p1
    > debug1: SSH2_MSG_KEXINIT sent
    > debug1: SSH2_MSG_KEXINIT received
    > debug1: kex: server->client aes128-cbc hmac-md5 none
    > debug1: kex: client->server aes128-cbc hmac-md5 none
    > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    > The authenticity of host 'puff (x.x.x.x)' can't be established.
    > DSA key fingerprint is f0:b5:90:fd:92:0d:4a:b6:87:13:45:63:72:a1:49:aa.
    > Are you sure you want to continue connecting (yes/no)? yes
    > Warning: Permanently added 'puff,x.x.x.x' (DSA) to the list of known
    > hosts.
    > debug1: ssh_dss_verify: signature incorrect
    > key_verify failed for server_host_key
    > [daren@lithium .ssh]$
    >
    > _______________________________________________
    > freebsd-stable@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
    > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

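The fix above comes down to two checks on the server: is protocol 1 still enabled, and is one of the listed HostKey files an rsa1 (SSH1-format) key. The script below is an added example, not code from the thread or from FreeBSD; it parses an sshd_config, classifies each host key file by the header OpenSSH writes (the literal "SSH PRIVATE KEY FILE FORMAT 1.1" magic for rsa1 keys, PEM headers for protocol-2 keys), reports the problems, and emits a protocol-2-only config with the SSH1 HostKey line commented out. The sample config and key-file contents are constructed inline so it runs offline; on a real host you would read the files named by HostKey instead. The default Protocol and HostKey values it assumes when a directive is absent are those of OpenSSH 3.x sshd.

```python
"""Audit sshd_config for SSH protocol-1 host keys and produce a protocol-2-only
version. Added example for the thread above; all inputs are constructed."""

# Magic header OpenSSH writes at the start of an SSH1 (rsa1) private key file.
SSH1_MAGIC = b"SSH PRIVATE KEY FILE FORMAT 1.1\n"
# Headers of protocol-2 host key files (PEM RSA/DSA, and the newer OpenSSH format).
SSH2_HEADERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
)
# What OpenSSH 3.x sshd assumed when the directives were missing (assumption).
DEFAULT_PROTOCOLS = {"2", "1"}
DEFAULT_HOSTKEYS = ["/etc/ssh/ssh_host_key",
                    "/etc/ssh/ssh_host_rsa_key",
                    "/etc/ssh/ssh_host_dsa_key"]


def key_format(data):
    """Classify a private key file as 'ssh1', 'ssh2' or 'unknown' by header."""
    if data.startswith(SSH1_MAGIC):
        return "ssh1"
    if data.startswith(SSH2_HEADERS):
        return "ssh2"
    return "unknown"


def parse_sshd_config(text):
    """Return (protocols, hostkeys) from the active directives.
    sshd_config only has whole-line '#' comments, so a leading '#' disables a line."""
    protocols, hostkeys = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "protocol":
            protocols = {p.strip() for p in val.split(",")}
        elif key == "hostkey":
            hostkeys.append(val)
    if protocols is None:
        protocols = set(DEFAULT_PROTOCOLS)
    return protocols, hostkeys or list(DEFAULT_HOSTKEYS)


def audit(text, keyfiles):
    """List protocol-1 problems. `keyfiles` maps HostKey path -> file bytes."""
    findings = []
    protocols, hostkeys = parse_sshd_config(text)
    if "1" in protocols:
        findings.append("Protocol allows SSH1 (set 'Protocol 2')")
    for path in hostkeys:
        fmt = key_format(keyfiles.get(path, b""))
        if fmt == "ssh1":
            findings.append("%s is an SSH1 (rsa1) key; drop it or regenerate with ssh-keygen -t rsa" % path)
        elif fmt == "unknown":
            findings.append("%s is missing or not a recognised key file" % path)
    return findings


def harden(text, keyfiles):
    """Force 'Protocol 2' and comment out every HostKey that names an SSH1 key."""
    out = ["Protocol 2"]
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("protocol"):
            continue  # replaced by the forced line above
        if line.lower().startswith("hostkey"):
            path = line.split(None, 1)[1].strip()
            if key_format(keyfiles.get(path, b"")) == "ssh1":
                out.append("#" + raw + "   # SSH1 key disabled")
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample: the HostKey block from the thread with the v1 key still active.
SAMPLE_CONFIG = """\
# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
"""
# Constructed file contents: only the headers matter for classification.
SAMPLE_KEYS = {
    "/etc/ssh/ssh_host_key": SSH1_MAGIC + b"\x00" * 16,
    "/etc/ssh/ssh_host_rsa_key": b"-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n",
    "/etc/ssh/ssh_host_dsa_key": b"-----BEGIN DSA PRIVATE KEY-----\nplaceholder\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_KEYS):
        print("FINDING:", finding)
    fixed = harden(SAMPLE_CONFIG, SAMPLE_KEYS)
    print(fixed)
    print("findings after hardening:", audit(fixed, SAMPLE_KEYS))
```

Run against a live host by reading each HostKey path into the dictionary and feeding the real /etc/ssh/sshd_config (on FreeBSD the file lives under /etc/ssh/, not /etc/). Commenting the line out is only half the job if the rc script regenerates a missing rsa1 key on boot; deleting the file does nothing once Protocol 2 is set, because sshd never loads SSH1 keys in that mode.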

