ECDSA, SSHFP, and "Error calculating host key fingerprint."

Matthew Roy matthew at royhousehold.net
Wed Jan 4 11:56:52 EST 2012


When connecting to a host that provides an ECDSA host key and the
client has "VerifyHostKeyDNS" set to 'yes' or 'ask', SSH outputs a
mysterious and undocumented message "Error calculating host key
fingerprint." This error actually seems to be generated by
verify_host_key_dns(const char *hostname, struct sockaddr *address,
Key *hostkey, int *flags) in dns.c, but neither that fact nor the
reason for the error is mentioned in the manual. Is it possible to
refine the error message so it is more clear what's going on or to
punt and note it in the man pages?

This may become a moot issue when the currently proposed update to RFC
4255[1] gets approved and ECDSA SSHFP records are supported, but for
now it seems like something should provide the user a better
explanation of what's going on and assurance that all is in fact well.

Matthew Roy


[1] https://datatracker.ietf.org/doc/draft-os-ietf-sshfp-ecdsa-sha2/
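The following is an added example, not part of the original message and not OpenSSH's code. It illustrates why no SSHFP fingerprint can be produced for an ECDSA host key when only RFC 4255's algorithm numbers (RSA = 1, DSA = 2) are known, and what changes once ECDSA has a number. Assumptions: ECDSA = 3 and SHA-256 = 2 are the values later assigned by RFC 6594 (the published form of the draft cited above); the function names are hypothetical and the key blobs are constructed, not real keys.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers. RFC 4255 defines only RSA and DSA.
RFC4255_ALGS = {"ssh-rsa": 1, "ssh-dss": 2}
# Assumption: ECDSA = 3, as later assigned by RFC 6594.
WITH_ECDSA = dict(RFC4255_ALGS, **{
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3})
# Fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data):
    """Encode an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_key(key_type, *parts):
    """Build a public-key line from constructed (not real) key material."""
    blob = b"".join(ssh_string(p) for p in (key_type.encode(),) + parts)
    return "%s %s constructed@example" % (
        key_type, base64.b64encode(blob).decode())


def sshfp_rdata(pubkey_line, algs, fp_type=1):
    """Return (algorithm, fp_type, hex digest), or None when `algs` has no
    SSHFP algorithm number for the key type, so no record can be matched."""
    blob = base64.b64decode(pubkey_line.split()[1])
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("truncated key type")
    # The key type is read from the blob itself, not from the text label.
    key_type = blob[4:4 + n].decode("ascii")
    if key_type not in algs:
        return None
    # The fingerprint is a digest over the entire public key blob.
    return algs[key_type], fp_type, FP_TYPES[fp_type](blob).hexdigest()


ECDSA_LINE = constructed_key("ecdsa-sha2-nistp256", b"nistp256",
                             b"\x04" + bytes(64))
RSA_LINE = constructed_key("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256)

if __name__ == "__main__":
    print("RFC 4255 only:", sshfp_rdata(ECDSA_LINE, RFC4255_ALGS))
    print("with ECDSA:   ", sshfp_rdata(ECDSA_LINE, WITH_ECDSA, 2))
    print("RSA:          ", sshfp_rdata(RSA_LINE, RFC4255_ALGS))
```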

