SSH issues with 4.9 stable (key_verify failed for server_host_key)
Daren Desjardins
desjardins at canada.com
Wed Mar 31 07:26:33 PST 2004
Found a fix and it is posted at freebsdforums.
http://www.freebsdforums.org/forums/showthread.php?s=&postid=114234#post114234
The basic answer appears to be that the host is defaulting to ssh1 keys
and the client wants ssh2 keys.
For FreeBSD, you can edit /etc/sshd_config and change the host key
section to look like this:
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
The ssh_host_key defaults to an rsa1 key instead of 2. So you can simply
comment it out to turn v1 off.
You can also edit /etc/rc.network and search for sshd. You will see
where it regenerates the ssh keys if they are missing. If you change the
ssh_host_key to be generated using rsa2 it also solves the problem.
On Tue, 2004-03-30 at 14:23, Daren Desjardins wrote:
> I upgraded to 4.9 stable from 4.9 release and now have difficulty
> connecting via ssh to hosts. The error I get is:
>
> key_verify failed for server_host_key
>
>
> If I modify the sshd_config for the server I am connecting to and change
> to the following, it works:
>
>
> Protocol 2
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
>
>
> ssh verbose dump:
>
> [daren at lithium daren]$ssh -v puff
> OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c-p1 30 Sep 2003
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to puff [x.x.x.x] port 22.
> debug1: Connection established.
> debug1: identity file /home/daren/.ssh/identity type -1
> debug1: identity file /home/daren/.ssh/id_rsa type 1
> debug1: identity file /home/daren/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 FreeBSD-20030924
> debug1: match: OpenSSH_3.5p1 FreeBSD-20030924 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.8p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'puff' is known and matches the DSA host key.
> debug1: Found key in /home/daren/.ssh/known_hosts:8
> debug1: ssh_dss_verify: signature incorrect
> key_verify failed for server_host_key
> [daren at lithium daren]$
>
>
>
> I did try removing the known_hosts entry, but it had no effect:
>
> [daren at lithium .ssh]$mv known_hosts known_hosts.bak
> [daren at lithium .ssh]$ssh -v puff
> OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c-p1 30 Sep 2003
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to puff [x.x.x.x] port 22.
> debug1: Connection established.
> debug1: identity file /home/daren/.ssh/identity type -1
> debug1: identity file /home/daren/.ssh/id_rsa type 1
> debug1: identity file /home/daren/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 FreeBSD-20030924
> debug1: match: OpenSSH_3.5p1 FreeBSD-20030924 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.8p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> The authenticity of host 'puff (x.x.x.x)' can't be established.
> DSA key fingerprint is f0:b5:90:fd:92:0d:4a:b6:87:13:45:63:72:a1:49:aa.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added 'puff,x.x.x.x' (DSA) to the list of known
> hosts.
> debug1: ssh_dss_verify: signature incorrect
> key_verify failed for server_host_key
> [daren at lithium .ssh]$
>
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
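The fix above comes down to which host keys sshd actually loads. As an added example (not Daren's code or anything from the list), the following Python audits an sshd_config text and reports whether a protocol 1 host key is still active; it assumes OpenSSH 3.x-era defaults (no Protocol line means 2,1; no HostKey line means the rsa1 key plus the RSA and DSA keys) and the "keyword value" line form only, with the sample configs constructed inline.

```python
# Added example, not from the thread: audit an sshd_config for an active
# SSH protocol 1 host key, the condition the thread traces the
# "key_verify failed for server_host_key" error to.

# Defaults assumed for OpenSSH 3.x, the version in the thread: with no
# "Protocol" line both versions are offered, and with no "HostKey" line
# sshd loads the v1 rsa1 key plus the v2 RSA and DSA keys.
DEFAULT_PROTOCOL = {1, 2}
DEFAULT_HOSTKEYS = ["/etc/ssh/ssh_host_key",
                    "/etc/ssh/ssh_host_rsa_key",
                    "/etc/ssh/ssh_host_dsa_key"]


def is_v1_key(path):
    """The protocol 1 host key is the file named exactly ssh_host_key."""
    return path.rsplit("/", 1)[-1] == "ssh_host_key"


def audit_sshd_config(text):
    """Return which protocols and host keys an sshd_config really enables."""
    protocol = None
    hostkeys = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # "#HostKey ..." is a comment
        if not line:
            continue
        parts = line.split(None, 1)           # assumes "keyword value" form
        keyword = parts[0].lower()            # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "protocol":
            protocol = {int(v) for v in value.split(",") if v.strip()}
        elif keyword == "hostkey":
            hostkeys.append(value)
    if protocol is None:
        protocol = set(DEFAULT_PROTOCOL)
    if not hostkeys:
        hostkeys = list(DEFAULT_HOSTKEYS)
    v1_keys = [k for k in hostkeys if is_v1_key(k)]
    v2_keys = [k for k in hostkeys if not is_v1_key(k)]
    # sshd disables protocol 1 at startup when it cannot load a v1 host
    # key, which is why commenting out ssh_host_key alone turns v1 off.
    return {"protocol": protocol,
            "v1_hostkeys": v1_keys,
            "v2_hostkeys": v2_keys,
            "v1_enabled": 1 in protocol and bool(v1_keys)}


# Constructed configs: a stock file with everything commented out (the
# defaults apply) and the fixed host key section from the thread.
DEFAULT_CONFIG = "# stock sshd_config\n#Protocol 2,1\n#HostKey /etc/ssh/ssh_host_key\n"
FIXED_CONFIG = ("Protocol 2\n# HostKey for protocol version 1\n"
                "#HostKey /etc/ssh/ssh_host_key\n# HostKeys for protocol version 2\n"
                "HostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_dsa_key\n")
```

Running `audit_sshd_config` over the stock config reports v1 enabled via /etc/ssh/ssh_host_key, while the fixed config reports only the RSA and DSA v2 keys with v1 off.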