openssh bugs - Aug 2016 - [Bug 2605] New: ssh-keyscan generates errors in /var/log/secure

https://bugzilla.mindrot.org/show_bug.cgi?id=2605

            Bug ID: 2605
           Summary: ssh-keyscan generates errors in /var/log/secure
           Product: Portable OpenSSH
           Version: 6.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-keyscan
          Assignee: unassigned-bugs at mindrot.org
          Reporter: horsley1953 at gmail.com

On my host system (centos 7) which has
openssh-clients-6.4p1-8.el7.x86_64, if I run ssh-keyscan <target>,
where the target system is fedora 24 with openssh-7.2p2-12.fc24.x86_64,
then the /var/log/secure file on the target system gets this message:

Aug 18 07:45:29 tomh sshd[17626]: fatal: Unable to negotiate with
10.134.30.124 port 36367: no matching host key type found. Their offer:
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 [preauth]

It clutters up the log something fierce since I have automated tests
running all the time and verifying host keys with ssh-keyscan before
trying to ssh into the system.

It is also mysterious as heck, since the ssh-keyscan does in fact work,
and subsequent ssh commands work, so it looks like something failed,
sends me on a wild goose chase trying to find out what failed, and
eventually leads me here to record this as a bug just in case it really
is a bug (which I'm not sure of at all).

Any simple way to stop these log messages?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2605

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
The severity of this message was changed in 7.2.  You could either
upgrade or backport the patch:

https://anongit.mindrot.org/openssh.git/commit/?id=af1f084857621f14bd9391aba8033d35886c2455

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2605

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com

--- Comment #2 from Jakub Jelen <jjelen at redhat.com> ---
For Fedora 24, I have repo with the latest openssh version packaged:

https://copr.fedoraproject.org/coprs/jjelen/openssh-latest/

It should solve your issue, as pointed out by Darren (note that it was
openssh-7.3, which changed the severity).

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2605

--- Comment #3 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to Tom Horsley from comment #0)
> It clutters up the log something fierce since I have automated tests
> running all the time and verifying host keys with ssh-keyscan before
> trying to ssh into the system.
What value are you getting from  "verifying host keys with ssh-keyscan
before trying to ssh" ?  ssh verifies host keys itself.

(In reply to Jakub Jelen from comment #2)
> It should solve your issue, as pointed out by Darren (note that it
> was openssh-7.3, which changed the severity).
Oops, right it was 7.3 not 7.2.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2605

--- Comment #4 from Tom Horsley <horsley1953 at gmail.com> ---
(In reply to Darren Tucker from comment #3)
> What value are you getting from  "verifying host keys with
> ssh-keyscan before trying to ssh" ?  ssh verifies host keys itself.
I meant that I make sure they are valid by setting the host key (so
systems that have been regenned and have new host keys don't bring the
automated scripts to a screeching halt wanting the answers to silly
questions :-).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2605

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org
         Resolution|---                         |FIXED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
This is already fixed in openssh-7.3

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2605

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.