[Bug 1592] New: Fingerprints for SSHD host key don't match (local ssh-keygen -l vs. ssh localhost)

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Mon Apr 27 07:30:24 EST 2009 

https://bugzilla.mindrot.org/show_bug.cgi?id=1592

           Summary: Fingerprints for SSHD host key don't match (local
                    ssh-keygen -l  vs.  ssh localhost)
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: doerges at pre-sense.de


Created an attachment (id=1628)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1628)
All files needed to set up test case

Problem:

I've come across two host key pairs which do not work correctly:

 -  ssh-keygen -l -f key_A   gives fingerprint fp_A
 -  ssh'ing to an sshd using key_A as host key givs fingerprint fp_B
 -  fp_B != fp_A (actually the ssh client receives a different host
key)

The problem occurs with OpenSSH 5.1p (both openSUSE 11.1 and Knoppix
6.1 (Debian based)) and OpenSSH 4.6p1 (openSUSE 10.3).

It's not an MITM. I could reproduce the behavior booting from a clean
live Linux CD, ssh'ing to localhost without any other network
connections available.

I'm not entirely sure, but I'm guessing the keys were generated with
OpenSSH 4.6p1.


Expected behavior:

fp_B == fp_A

or

If the keys are somehow broken, SSHD should tell the user about it.


Reproduce:

The keys in question are in the attachment:
ssh-prob/ssh_host_rsa_key
ssh-prob/ssh_host_dsa_key.pub

ssh-prob/ssh_host_dsa_key
ssh-prob/ssh_host_rsa_key.pub

1.)  Unpack prob.tar.gz
2.)  Start testcase.sh


Example:

$  ./testcase.sh
testcase.sh: Setting up test case in '/tmp/tmp.jxjR9LsMNh' ...         
DONE


testcase.sh: Fingerprint for host key is:
1024 37:66:7b:99:ea:09:9a:1d:7e:09:3a:90:3e:d0:86:9b
/tmp/tmp.jxjR9LsMNh/ssh_host_rsa_key.pub (RSA)


testcase.sh: Please compare with fingerprint given from 'ssh -p 55555
localhost'


testcase.sh: Starting SSHD ...
debug1: sshd version OpenSSH_5.1p1
[...]


$ ssh -p 55555 localhost
The authenticity of host '[localhost]:55555 ([127.0.0.1]:55555)' can't
be established.
RSA key fingerprint is 6a:ef:32:f1:63:c1:db:d2:81:e6:4b:f7:e8:ec:01:4a.
Are you sure you want to continue connecting (yes/no)?

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list