Dennis Haag
2001-Mar-26 18:33 UTC
Openssh-2.5.1p1 and Solaris 2.6 problem with ssh_rsa_verify
We recently upgraded from an older version of SSH to OpenSSH 2.5.1p1 (OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f) and are having problems on just a few hosts in our environment. The other 200 systems are working fine. Every once in a blue-moon it will connect with version 2.

When I try to connect to or from one of these hosts using SSH2 I get the following error (I have sshd -d -d -d and ssh -2 -v -v -v output if that helps):

    dhaag at cyberpup> ssh -2 waltst2
    ssh_rsa_verify: RSA_verify failed: error:04077068:rsa routines:RSA_verify:bad signature
    key_verify failed for server_host_key

Here's what I have done so far:
  -recompiled on the suspect box, no change.
  -compiled 2.5.2p2 on suspect box with no change.
  -don't see any network errors (netstat -i).
  -egd seems to be working fine, I can read and write bits with egc.pl.
  -tried changing and disabling some of the protocols with no change.
  -regenerated the host keys more than once (note: this takes much longer on this system than the working ones)

The system is a Sun Ultra-2 running Solaris 2.6 (uname -a: SunOS cyberpup 5.6 Generic_105181-21 sun4u sparc SUNW,Ultra-2). But it works fine on other Ultra-2's with the same OS and patch level.

Configure params:
    --prefix=/local/solaris_2.6/openssh2.5.1p1
    --with-tcp-wrappers --without-shadow
    --with-xauth=/usr/openwin/bin/xauth
    --with-ipv4-default --with-ssl-dir=/local/solaris_2.6/openssl0.9.6
    --sysconfdir=/etc/ssh --with-egd-pool=/dev/random/entropy
    --x-includes=/usr/openwin/include --x-libraries=/usr/openwin/lib

I am trying to schedule a reboot of the affected system to see if that makes any difference. My gut still tells me that I have an entropy problem, but I don't know a good test for that.

Any help appreciated.

--
Dennis Haag
haag at apple.com
408-974-6630
Markus Friedl
2001-Mar-26 23:38 UTC
Openssh-2.5.1p1 and Solaris 2.6 problem with ssh_rsa_verify
On Mon, Mar 26, 2001 at 10:33:37AM -0800, Dennis Haag wrote:
> We recently upgraded from an older version of SSH to OpenSSH
> 2.5.1p1 (OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f)
> and are having problems on just a few hosts in our environment. The
> other 200 systems are working fine. Every once in a blue-moon it will
> connect with version 2.
>
> When I try to connect to or from one of these hosts using SSH2 I
> get the following error (I have sshd -d -d -d and ssh -2 -v -v -v
> output if that helps):

are you connecting with openssh protocol v2 or with ssh.com's SSH2?

are you running openbsd? netbsd? bsd/os? solaris?

-m
Dennis Haag
2001-Mar-28 18:28 UTC
Openssh-2.5.1p1 and Solaris 2.6 problem with ssh_rsa_verify
Dennis Haag wrote:
>
> We recently upgraded from an older version of SSH to OpenSSH
> 2.5.1p1 (OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f)
> and are having problems on just a few hosts in our environment. The
> other 200 systems are working fine. Every once in a blue-moon it will
> connect with version 2.
>
> When I try to connect to or from one of these hosts using SSH2 I
> get the following error (I have sshd -d -d -d and ssh -2 -v -v -v
> output if that helps):
>
> dhaag at cyberpup> ssh -2 waltst2
> ssh_rsa_verify: RSA_verify failed: error:04077068:rsa
> routines:RSA_verify:bad signature
> key_verify failed for server_host_key
>
> Here's what I have done so far:
> -recompiled on the suspect box, no change.
> -compiled 2.5.2p2 on suspect box with no change.
> -don't see any network errors (netstat -i).
> -egd seems to be working fine, I can read and write bits with
> egc.pl.
> -tried changing and disabling some of the protocols with no
> change.
> -regenerated the host keys more than once (note: this takes much
> longer on this system than the working ones)
>
> The system is a Sun Ultra-2 running Solaris 2.6 (uname -a: SunOS
> cyberpup 5.6 Generic_105181-21 sun4u sparc SUNW,Ultra-2). But it
> works fine on other Ultra-2's with the same OS and patch level.
>
> Configure params: --prefix=/local/solaris_2.6/openssh2.5.1p1
> --with-tcp-wrappers --without-shadow
> --with-xauth=/usr/openwin/bin/xauth
> --with-ipv4-default --with-ssl-dir=/local/solaris_2.6/openssl0.9.6
> --sysconfdir=/etc/ssh --with-egd-pool=/dev/random/entropy
> --x-includes=/usr/openwin/include --x-libraries=/usr/openwin/lib
>
> I am trying to schedule a reboot of the affected system to see if
> that makes any difference. My gut still tells me that I have an entropy
> problem, but I don't know a good test for that.
>
> Any help appreciated.
>
> --
> Dennis Haag
> haag at apple.com
> 408-974-6630

I have installed prngd instead of egd on the system and it seems that I can connect more frequently, but about 75% of the time I'm getting one of the following two errors:

    ssh_rsa_verify: RSA_verify failed: error:04077068:rsa routines:RSA_verify:bad signature
    key_verify failed for server_host_key

    ssh_rsa_verify: RSA_verify failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
    key_verify failed for server_host_key

Can any of you more experienced ssh folks clue me into at least what these error messages mean?

I also started getting some errors connecting via SSH1:

    dhaag at cyberpup> ssh -1 ming
    rsa_private_decrypt() failed
    Disconnecting: respond_to_rsa_challenge: rsa_private_decrypt failed

This is on Solaris 2.6 with OpenSSH 2.5.1p1 and 2.5.2p2

Thanks,
Dennis
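
Added example, not part of the original thread and not OpenSSL or OpenSSH code: a simplified Python model of PKCS#1 v1.5 signature verification, showing which check each of the two error strings quoted above corresponds to. The toy key, the function names and the sample messages are assumptions made for the illustration.

```python
import hashlib

# Constructed toy key for illustration only: both primes are Mersenne primes,
# so this modulus is trivially factorable and must never be used for real keys.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8            # modulus length in bytes (81)

# DER DigestInfo header that precedes a SHA-1 digest in a PKCS#1 v1.5 signature
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def encode(data: bytes) -> bytes:
    """Build the signed block: 00 01 FF..FF 00 DigestInfo(SHA-1(data))."""
    t = SHA1_PREFIX + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (K - 3 - len(t)) + b"\x00" + t

def sign(data: bytes) -> int:
    return pow(int.from_bytes(encode(data), "big"), D, N)

def verify(data: bytes, sig: int) -> str:
    """Return 'ok' or the name of the first check that fails."""
    em = pow(sig, E, N).to_bytes(K, "big")   # RSA public-key operation
    # Check 1: the recovered block must start with 00 01 (block type 1).
    # A damaged signature or a mismatched key yields a random-looking block.
    if em[:2] != b"\x00\x01":
        return "block type is not 01"
    ps, sep, t = em[2:].partition(b"\x00")
    if len(ps) < 8 or ps.strip(b"\xff") or sep != b"\x00":
        return "bad padding"
    # Check 2: padding is intact, but the digest inside is not the digest
    # the verifier computed over its own copy of the signed data.
    if t != SHA1_PREFIX + hashlib.sha1(data).digest():
        return "bad signature"
    return "ok"

def demo():
    msg = b"constructed exchange hash"       # constructed sample input
    sig = sign(msg)
    return (verify(msg, sig),                           # untouched
            verify(b"different exchange hash", sig),    # data differs
            verify(msg, sig ^ 1))                       # one signature bit flipped

if __name__ == "__main__":
    print(demo())
```

In this model, a valid signature checked against different data keeps its padding and fails only the digest comparison, while a signature altered by a single bit fails the earlier block-type check.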