Bug? between OpenSSH 6.4p1 and 6.5p1(also 6.6p1)

Damien Miller djm at mindrot.org
Thu Mar 27 11:31:33 EST 2014

On Wed, 26 Mar 2014, Pieter Bowman wrote:

> Here is the output of "ssh -vvv" from both ssh 6.4p1 and 6.6p1 talking
> to the same sshd (6.5p1) and using the same ssh-keysign (6.6p1).  I
> know I'm mixing things a bit, but the behavior is the same no matter
> which sshd is being used.  I replaced hostname, IP address and home
> directory paths.

Are you sure that the ssh-keysign is really OpenSSH 6.6p1's? The error
you are getting below is consistent with an old ssh-keysign choking
on a key type that it doesn't understand (e.g. Ed25519).

In any case, this patch to ssh-keysign might help us understand what
it happening:

diff --git ssh-keysign.c ssh-keysign.c
index 4b0996f..cf2cbfd 100644
--- ssh-keysign.c
+++ ssh-keysign.c
@@ -150,7 +150,7 @@ main(int argc, char **argv)
 	struct passwd *pw;
 	int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
 	u_char *signature, *data;
-	char *host;
+	char *host, *fp;
 	u_int slen, dlen;
 	u_int32_t rnd[256];
@@ -236,8 +235,11 @@ main(int argc, char **argv)
-	if (!found)
-		fatal("no matching hostkey found");
+	if (!found) {
+		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+		fatal("no matching hostkey found for key %s %s",
+		    key_type(key), fp);
+	}
 	if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)
 		fatal("key_sign failed");

More information about the openssh-unix-dev mailing list