one host only: ssh_dispatch_run_fatal
Darren Tucker
dtucker at zip.com.au
Tue Nov 8 13:53:05 AEDT 2016
On Tue, Nov 8, 2016 at 1:02 PM, Harry Putnam <reader at newsguy.com> wrote:
[...]
> gv harry> ssh -vv 2x
>
> OpenSSH_7.3p1-hpn14v11, OpenSSL 1.0.2j 26 Sep 2016
This is a third-party modified version of OpenSSH. Can you reproduce
the problem with a stock OpenSSH from the source from openssh.com?
> debug1: match: OpenSSH_6.6 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000
OpenSSH 6.6 has a bug in curve25519-sha256@libssh.org, which is the
kex method later selected.
Quoting the 6.7 release notes: https://www.openssh.com/releasenotes.html#6.7
"""
* OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
using the curve25519-sha256@libssh.org KEX exchange method to fail
when connecting with something that implements the specification
correctly. OpenSSH 6.7 disables this KEX method when speaking to
one of the affected versions.
"""
> debug1: kex: host key algorithm: ssh-ed25519
[...]
> debug1: Found key in /home/harry/.ssh/known_hosts:2
> debug2: bits set: 4134/8192
> debug2: ssh_ed25519_verify: crypto_sign_ed25519_open failed: -1
> ssh_dispatch_run_fatal: Connection to 192.168.1.42 port 22: incorrect signature
Maybe the same bug also affects ed25519 as a host key algorithm? If
so, setting HostKeyAlgorithms in ssh_config on the client to something
that doesn't include ssh-ed25519 might help.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
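Added example, not code from the thread or from the OpenSSH project: a small POSIX shell script that scans `ssh -vv` output for the two symptoms Darren points at (the server banner matched against the OpenSSH_6.5*/6.6* compat pattern, and an ed25519 host key signature failure) and prints the client-side ssh_config stanza he suggests, with ssh-ed25519 left out of HostKeyAlgorithms. The host alias `2x` is taken from Harry's command; the sample log lines are quoted from his debug output; the explicit algorithm list is an assumption for the example and should be trimmed to what the server actually offers.

```shell
#!/bin/sh
# Added example: detect the "old OpenSSH peer + ed25519 verify failure"
# pattern in ssh -vv output and print a per-host HostKeyAlgorithms workaround.

# Constructed sample: the relevant lines quoted from Harry's ssh -vv log.
SAMPLE_LOG='debug1: match: OpenSSH_6.6 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000
debug1: kex: host key algorithm: ssh-ed25519
debug2: ssh_ed25519_verify: crypto_sign_ed25519_open failed: -1
ssh_dispatch_run_fatal: Connection to 192.168.1.42 port 22: incorrect signature'

# peer_is_old_openssh LOG: true if the server banner matched as OpenSSH 6.5 or 6.6.
peer_is_old_openssh() {
    printf '%s\n' "$1" | grep -q 'match: OpenSSH_6\.[56] '
}

# ed25519_verify_failed LOG: true if the ed25519 host key signature check
# failed and the connection was torn down with "incorrect signature".
ed25519_verify_failed() {
    printf '%s\n' "$1" | grep -q 'ssh_ed25519_verify: .* failed' &&
    printf '%s\n' "$1" | grep -q 'incorrect signature'
}

# workaround_stanza HOSTALIAS: print an ssh_config Host block that names the
# host key algorithms explicitly so ssh-ed25519 is never selected.
# The algorithm list is an assumption for this example, not from the thread.
workaround_stanza() {
    cat <<EOF
Host $1
    HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa
EOF
}

# diagnose LOG HOSTALIAS: print "workaround" followed by the stanza when both
# symptoms are present, or "ok" when they are not.
diagnose() {
    if peer_is_old_openssh "$1" && ed25519_verify_failed "$1"; then
        echo workaround
        workaround_stanza "$2"
    else
        echo ok
    fi
}

diagnose "$SAMPLE_LOG" 2x
```

Because Harry's known_hosts already holds the server's ed25519 key (line 2), forcing a different host key type makes ssh treat the server's ECDSA or RSA key as a new, unverified key and prompt for it; compare that fingerprint against one obtained out of band before accepting it rather than waving it through.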