[Bug 1592] New: Fingerprints for SSHD host key don't match (local ssh-keygen -l vs. ssh localhost)
bugzilla-daemon at bugzilla.mindrot.org
Mon Apr 27 07:30:24 EST 2009
https://bugzilla.mindrot.org/show_bug.cgi?id=1592
Summary: Fingerprints for SSHD host key don't match (local ssh-keygen -l vs. ssh localhost)
Product: Portable OpenSSH
Version: 5.1p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: doerges at pre-sense.de
Created an attachment (id=1628)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1628)
All files needed to set up test case
Problem:
I've come across two host key pairs which do not work correctly:
- ssh-keygen -l -f key_A gives fingerprint fp_A
- ssh'ing to an sshd using key_A as host key gives fingerprint fp_B
- fp_B != fp_A (actually the ssh client receives a different host key)
The problem occurs with OpenSSH 5.1p (both openSUSE 11.1 and Knoppix
6.1 (Debian based)) and OpenSSH 4.6p1 (openSUSE 10.3).
It's not an MITM. I could reproduce the behavior booting from a clean
live Linux CD, ssh'ing to localhost without any other network
connections available.
I'm not entirely sure, but I'm guessing the keys were generated with
OpenSSH 4.6p1.
Expected behavior:
fp_B == fp_A
or
If the keys are somehow broken, SSHD should tell the user about it.
Reproduce:
The keys in question are in the attachment:
ssh-prob/ssh_host_rsa_key
ssh-prob/ssh_host_dsa_key.pub
ssh-prob/ssh_host_dsa_key
ssh-prob/ssh_host_rsa_key.pub
1.) Unpack prob.tar.gz
2.) Start testcase.sh
Example:
$ ./testcase.sh
testcase.sh: Setting up test case in '/tmp/tmp.jxjR9LsMNh' ...
DONE
testcase.sh: Fingerprint for host key is:
1024 37:66:7b:99:ea:09:9a:1d:7e:09:3a:90:3e:d0:86:9b /tmp/tmp.jxjR9LsMNh/ssh_host_rsa_key.pub (RSA)
testcase.sh: Please compare with fingerprint given from 'ssh -p 55555 localhost'
testcase.sh: Starting SSHD ...
debug1: sshd version OpenSSH_5.1p1
[...]
$ ssh -p 55555 localhost
The authenticity of host '[localhost]:55555 ([127.0.0.1]:55555)' can't be established.
RSA key fingerprint is 6a:ef:32:f1:63:c1:db:d2:81:e6:4b:f7:e8:ec:01:4a.
Are you sure you want to continue connecting (yes/no)?
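Added example, not part of the original report or of OpenSSH: the colon-separated fingerprints shown above are the MD5 digest of the base64-decoded public key blob, so two public-key lines can be compared offline in the same format. The function names and the two keys are hypothetical; the keys are constructed values, not the ones from the attachment.

```python
import base64
import hashlib
import struct

def _ssh_string(data):
    # RFC 4251 "string": 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

def _mpint(value):
    # RFC 4251 "mpint" for a positive integer, sized so the sign bit stays clear
    return _ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def make_pub_line(n, e=65537, comment="constructed"):
    # Build an "ssh-rsa <base64> <comment>" line from constructed numbers
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def md5_fingerprint(pub_line):
    """Return (bits, fingerprint, key_type) for an ssh-rsa public-key line."""
    key_type, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64)
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if key_type != "ssh-rsa" or fields[0] != b"ssh-rsa" or len(fields) != 3:
        raise ValueError("not a well-formed ssh-rsa public key")
    bits = int.from_bytes(fields[2], "big").bit_length()  # modulus size
    digest = hashlib.md5(blob).hexdigest()  # covers the blob only, not the comment
    return bits, ":".join(digest[i:i + 2] for i in range(0, 32, 2)), key_type

def same_host_key(line_a, line_b):
    # True only when both lines carry the same key blob
    return md5_fingerprint(line_a)[1] == md5_fingerprint(line_b)[1]

# Constructed 1024-bit values, structurally valid but not real RSA moduli
PUB_A = make_pub_line((1 << 1023) | 1, comment="key_A")
PUB_B = make_pub_line((1 << 1023) | 3, comment="key_B")

if __name__ == "__main__":
    for line in (PUB_A, PUB_B):
        bits, fp, _ = md5_fingerprint(line)
        print(bits, fp, "(RSA)")
    print("match" if same_host_key(PUB_A, PUB_B) else "MISMATCH")
```

The input can be the contents of a .pub file or a key line as printed by ssh-keyscan; only the key blob enters the hash, so a changed comment does not change the fingerprint.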