Date:      Thu, 20 Dec 2001 10:31:02 -0700 (MST)
From:      FreeBSD user <freebsd@XtremeDev.com>
To:        Will Walsh <wwalsh@qa.zixtest.com>
Cc:        questions@freebsd.org
Subject:   Re: OpenSSH problem
Message-ID:  <20011220102150.Q60544-100000@Amber.XtremeDev.com>
In-Reply-To: <20011220075653.65a5e95e.wwalsh@qa.zixtest.com>

I started with a clean system and clean account (no ~/.ssh). I finally
resolved this issue last night, apparently I needed to generate a protocol
2 keypair for my host. The default key generation code in /etc/rc.network:

     if [ ! -f /etc/ssh/ssh_host_key ]; then
             echo ' creating ssh RSA host key';
             /usr/bin/ssh-keygen -N "" -f /etc/ssh/ssh_host_key
     fi
     if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
             echo ' creating ssh DSA host key';
             /usr/bin/ssh-keygen -d -N "" -f /etc/ssh/ssh_host_dsa_key
     fi

doesn't generate protocol v2 pairs. I fixed it by running:
ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_key
ssh-keygen -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key

(From the man page, ssh-keygen defaults to rsa1 -- or protocol v1 rsa
key -- for key generation. Which is what's throwing up fits when I try to
ssh with -2 flag. Hopefully this will help someone else if they should run
into the same problem. Out of curiosity, why isn't v2 the default? From
what I gathered on pentest lists, v1 has some fundamental security issues
that were addressed in v2. I suppose v1 should be the default by mere fact
it's the most widely used.. But geez, can't we help move v2 in?


On Thu, 20 Dec 2001, Will Walsh wrote:

> It appears to me that your SSH client is not accepting the server's key.  Have you checked ~/.ssh/known_hosts to see if you already have an entry for localhost (127.0.0.1).  If you do you should delete it and answer "yes" to the warning prompt at your next login attempt.  This is usually due to there already being a key in the known_hosts file that does not match the current key of the server.
>
> Cheers,
> Will
>
> On Wed, 19 Dec 2001 10:49:46 -0700 (MST)
> FreeBSD user <freebsd@XtremeDev.com> wrote:
>
> > I cannot ssh in to my OpenSSH server (FreeBSD 4.4-STABLE):
> >
> > The command I use is:
> > ssh -v -2 -c aes256-cbc -m hmac-sha1 localhost
> >
> > The cipher and mac selection doesn't matter. I get the same result whatever
> > I choose (or don't choose). Debug output follows:
> >
> > ~> ssh -v -2 -c aes256-cbc -m hmac-sha1 localhost
> > OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL
> > 0x0090601f
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Applying options for *
> > debug1: Rhosts Authentication disabled, originating port will not be
> > trusted.
> > debug1: restore_uid
> > debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
> > debug1: Connecting to localhost [127.0.0.1] port 22.
> > debug1: temporarily_use_uid: 1001/1001 (e=1001)
> > debug1: restore_uid
> > debug1: temporarily_use_uid: 1001/1001 (e=1001)
> > debug1: restore_uid
> > debug1: Connection established.
> > debug1: identity file /home/dave/.ssh/id_rsa type -1
> > debug1: identity file /home/dave/.ssh/id_dsa type -1
> > debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9
> > FreeBSD localisations 20011202
> > debug1: match: OpenSSH_2.9 FreeBSD localisations 20011202 pat ^OpenSSH
> > Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_2.9 FreeBSD localisations
> > 20011202
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug1: kex: server->client aes256-cbc hmac-sha1 none
> > debug1: kex: client->server aes256-cbc hmac-sha1 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > debug1: dh_gen_key: priv key bits set: 273/512
> > debug1: bits set: 992/2049
> > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > debug1: Forcing accepting of host key for loopback/localhost.
> > debug1: bits set: 1021/2049
> > debug1: len 55 datafellows 0
> > debug1: ssh_dss_verify: signature incorrect
> > key_verify failed for server_host_key
> > debug1: Calling cleanup 0x805b140(0x0)
> >
> >
> > I keep getting key_verify failed for server_host_key. Does anyone know
> > what I should be looking at? Has anyone run into a similar problem, or am I
> > alone in this? Is there a better mailing list or email more appropriate
> > for this email? Thanks in advance.
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> >
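The root cause in this thread is that the stock rc.network call produced a protocol-1 (rsa1) host key where sshd needed a protocol-2 one. The check below, added here as an example and not part of the thread or of FreeBSD's rc scripts, tells the two public-key file formats apart: an SSH1 key line is three decimal fields ("bits exponent modulus"), while a protocol-2 key line is a type tag followed by a base64 blob whose first wire-format string repeats that tag. The sample key lines are constructed, not real keys; the function and constant names are this example's own.

```python
import base64
import struct

# Wire-format helpers for the SSH2 public key blob ("string" and "mpint").
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    # Positive mpint: minimal big-endian bytes, plus a leading 0x00 if the high bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def encode_v2_pubkey_line(key_type: str, mpints) -> str:
    """Build a protocol-2 public key line in the shape ssh-keygen -t rsa/dsa writes."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_mpint(m) for m in mpints)
    return f"{key_type} {base64.b64encode(blob).decode()}"

def classify_pubkey_line(line: str) -> str:
    """Return 'rsa1' for an SSH1 key line, the type tag for an SSH2 key line, else 'invalid'."""
    fields = line.split()
    if len(fields) >= 3 and all(f.isdigit() for f in fields[:3]):
        return "rsa1"  # SSH1 format: "<bits> <exponent> <modulus>"
    if len(fields) >= 2 and fields[0] in ("ssh-rsa", "ssh-dss"):
        try:
            blob = base64.b64decode(fields[1], validate=True)
            tag, _ = _read_string(blob, 0)
        except Exception:
            return "invalid"
        if tag == fields[0].encode():  # the blob must repeat the type tag
            return fields[0]
    return "invalid"

def protocol2_ready(lines) -> bool:
    """True when at least one protocol-2 host key is present (sshd -2 needs one)."""
    return any(classify_pubkey_line(l) in ("ssh-rsa", "ssh-dss") for l in lines)

# Constructed samples (toy numbers, not real keys): one SSH1 line, two SSH2 lines.
SAMPLE_RSA1 = "1024 35 1234567890123456789"
SAMPLE_RSA2 = encode_v2_pubkey_line("ssh-rsa", [65537, 0xC0FFEE])
SAMPLE_DSA2 = encode_v2_pubkey_line("ssh-dss", [0xFFFF, 2, 3, 5])
```

On a real host you would feed it the contents of /etc/ssh/ssh_host_key.pub and /etc/ssh/ssh_host_dsa_key.pub; an rsa1 result for every file reproduces the situation in the thread.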