Daren Desjardins
2004-Mar-30 11:48 UTC
SSH issues with 4.9 stable (key_verify failed for server_host_key)
I upgraded to 4.9 stable from 4.9 release and now have difficulty
connecting via ssh to hosts.  The error I get is:

key_verify failed for server_host_key

If I modify the sshd_config for the server I am connecting to and change
to the following, it works:

Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

ssh verbose dump:

[daren@lithium daren]$ssh -v puff
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c-p1 30 Sep 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to puff [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /home/daren/.ssh/identity type -1
debug1: identity file /home/daren/.ssh/id_rsa type 1
debug1: identity file /home/daren/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 FreeBSD-20030924
debug1: match: OpenSSH_3.5p1 FreeBSD-20030924 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'puff' is known and matches the DSA host key.
debug1: Found key in /home/daren/.ssh/known_hosts:8
debug1: ssh_dss_verify: signature incorrect
key_verify failed for server_host_key
[daren@lithium daren]$

I did try removing the known_hosts entry, but it had no effect:

[daren@lithium .ssh]$mv known_hosts known_hosts.bak
[daren@lithium .ssh]$ssh -v puff
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c-p1 30 Sep 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to puff [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /home/daren/.ssh/identity type -1
debug1: identity file /home/daren/.ssh/id_rsa type 1
debug1: identity file /home/daren/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 FreeBSD-20030924
debug1: match: OpenSSH_3.5p1 FreeBSD-20030924 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'puff (x.x.x.x)' can't be established.
DSA key fingerprint is f0:b5:90:fd:92:0d:4a:b6:87:13:45:63:72:a1:49:aa.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'puff,x.x.x.x' (DSA) to the list of known hosts.
debug1: ssh_dss_verify: signature incorrect
key_verify failed for server_host_key
[daren@lithium .ssh]$
Daren Desjardins
2004-Mar-31 07:58 UTC
SSH issues with 4.9 stable (key_verify failed for server_host_key)
Found a fix and it is posted at freebsdforums.

http://www.freebsdforums.org/forums/showthread.php?s=&postid=114234#post114234

The basic answer appears to be that the host is defaulting to ssh1 keys
and the client wants ssh2 keys.  For FreeBSD, you can edit /etc/sshd_config
and change the host key section to look like this:

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

The ssh_host_key defaults to an rsa1 key instead of 2.  So you can simply
comment it out to turn v1 off.

You can also edit /etc/rc.network and search for sshd.  You will see where
it regenerates the ssh keys if they are missing.  If you change the
ssh_host_key to be generated using rsa2 it also solves the problem.

On Tue, 2004-03-30 at 14:23, Daren Desjardins wrote:
> I upgraded to 4.9 stable from 4.9 release and now have difficulty
> connecting via ssh to hosts.  The error I get is:
>
> key_verify failed for server_host_key
>
> If I modify the sshd_config for the server I am connecting to and change
> to the following, it works:
>
> Protocol 2
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
>
> [...]
>
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
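The fix above comes down to which key files sshd loads and what format each of them actually holds. The script below is an added example for this thread, not code from the original post or from FreeBSD: it parses the HostKey lines out of an sshd_config, reads the header of each key file to tell a protocol-1 (rsa1) key from a protocol-2 RSA or DSA key, and flags an rsa1 key still listed, a missing file, and a file whose contents do not match its name. The key files it reads are constructed placeholders written to a temporary directory (header lines only, no real key material); the two config texts are the default and the fixed host-key sections quoted in this thread.

```python
"""Audit the HostKey lines of an sshd_config (added example): report the
on-disk format of each listed key file and flag the cases this thread
turns on: a protocol-1 (rsa1) key still listed, a missing file, or a file
whose contents do not match what its name suggests."""
import os
import re
import tempfile

# On-disk markers for the private key formats OpenSSH of this era wrote:
# protocol-1 RSA keys begin with a fixed header line, protocol-2 RSA and
# DSA keys are PEM blocks that name the algorithm.
SSH1_HEADER = b"SSH PRIVATE KEY FILE FORMAT 1.1\n"
PEM_HEADER = re.compile(rb"-----BEGIN (RSA|DSA) PRIVATE KEY-----")


def key_format(path):
    """Return 'rsa1', 'rsa', 'dsa', 'missing' or 'unknown' for a private key file."""
    if not os.path.exists(path):
        return "missing"
    with open(path, "rb") as f:
        head = f.read(64)
    if head.startswith(SSH1_HEADER):
        return "rsa1"
    m = PEM_HEADER.match(head)
    return m.group(1).decode().lower() if m else "unknown"


def parse_sshd_config(text):
    """Return (set of enabled protocol versions, list of HostKey paths).
    Comments and blank lines are skipped; keywords are case-insensitive."""
    protocols = {"2", "1"}  # OpenSSH 3.x default is "Protocol 2,1"
    hostkeys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "hostkey":
            hostkeys.append(value)
        elif keyword == "protocol":
            protocols = {v.strip() for v in value.split(",")}
    return protocols, hostkeys


def audit(config_text, root=""):
    """Return [(path, format, note)] for every HostKey in config_text.
    `root` is prefixed to each path so the check can run against sample
    files instead of the live /etc/ssh."""
    protocols, hostkeys = parse_sshd_config(config_text)
    findings = []
    for path in hostkeys:
        fmt = key_format(root + path)
        base = os.path.basename(path)
        if fmt == "missing":
            note = "file missing: sshd skips this key"
        elif fmt == "unknown":
            note = "unrecognised key format"
        elif fmt == "rsa1" and "1" not in protocols:
            note = "protocol-1 key listed but Protocol excludes 1: unused"
        elif fmt == "rsa1":
            note = "protocol-1 (rsa1) key: comment it out and set Protocol 2 unless SSH1 is required"
        elif base == "ssh_host_key":
            note = "protocol-2 %s key under the protocol-1 file name (works, but misleading)" % fmt
        elif fmt not in base:
            note = "key type does not match file name"
        else:
            note = "ok"
        findings.append((path, fmt, note))
    return findings


# Constructed placeholder key files: header lines only, no real key material.
SAMPLE_KEYS = {
    "ssh_host_key": SSH1_HEADER + b"\x00placeholder-rsa1-body",
    "ssh_host_rsa_key": b"-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n",
    "ssh_host_dsa_key": b"-----BEGIN DSA PRIVATE KEY-----\nplaceholder\n-----END DSA PRIVATE KEY-----\n",
}

# The two host-key sections quoted in this thread: FreeBSD's default and the fix.
DEFAULT_CONFIG = """\
# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
"""
FIXED_CONFIG = """\
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
"""


def build_sample_tree():
    """Write SAMPLE_KEYS into a temporary directory laid out like /etc/ssh."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc", "ssh"))
    for name, body in SAMPLE_KEYS.items():
        with open(os.path.join(root, "etc", "ssh", name), "wb") as f:
            f.write(body)
    return root


def demo():
    """Audit both configs against the sample tree; returns (default, fixed) findings."""
    root = build_sample_tree()
    return audit(DEFAULT_CONFIG, root), audit(FIXED_CONFIG, root)


if __name__ == "__main__":
    for label, findings in zip(("default", "fixed"), demo()):
        print(label)
        for path, fmt, note in findings:
            print("  %-28s %-5s %s" % (path, fmt, note))
```

Run against a real host, `audit(open("/etc/ssh/sshd_config").read())` needs read access to the private key files, so it is a root-only check; the default config yields the rsa1 finding, the fixed one reports only the two protocol-2 keys as ok.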
Dave Tweten
2004-Mar-31 13:58 UTC
SSH issues with 4.9 stable (key_verify failed for server_host_key)
desjardins@canada.com said:
>A friend also did a 4.9 release to 4.9 stable upgrade and ran into the
>exact same [SSH] problem.

Odd.  We've been using SSH for years here to protect authentication
information on lots of machines, and I've been using the FreeBSD STABLE
version for just as long.  Two weeks ago, in response to a disk failure, I
rebuilt FreeBSD from the 4.9 CD and cvsup upgraded (eventually) to the
version as of 0800 GMT yesterday morning.

>The machine is using a default (empty) ssh_config and sshd_config.

My guess is this is your problem.  SSH developers have changed defaults and
even configuration element names frequently.  It is probable that the
different versions you tried had different defaults, causing their
different results.

>... the base system seems to force a DSA host key authentication, whereas the
>port and openssh release use RSA ...

Why do you care?  Give your machine all three kinds of machine key
(protocol 1.5, protocol 2.0 RSA, and protocol 2.0 DSA).  If you want to use
public key authentication, give yourself all three types of personal key
too.  That way, you are prepared for whatever slight misconfiguration there
may be at the other end of your attempted connection.

For what it's worth, I've attached the ssh master config files I use.  They
are the starting point recommended by our Computer Security Group for other
machines around here.  Their philosophy is that the SSH client only cares
that the user's connection should be made successfully and that the SSH
daemon is responsible for maintaining security.  They reflect ssh-agent
being the parent of the user's session.  The fiddling in the client config
file with whether or not to compress has to do with the fact that
compression shortens wall-clock time if you have to go over the Internet's
comparatively slow links, instead of a LAN or a high-speed long haul link.
Cipher preferences were chosen for adequate security and highest speed.
I assure you that SSH from FreeBSD STABLE will work fine, if configured
correctly.  Good luck.

-------------- next part --------------
# ssh_config system client configuration file for OpenSSH 3.5p1, FreeBSD 4.8
# $Id: ssh_config,v 1.1.1.1 2003/06/05 22:21:28 tweten Exp $

# Actual path names for files may need to be changed for specific
# hosts.  The names used in this file work under the operating system
# and version number listed on the top line of this file.

# OpenSSH developers change parameters fairly often.  It is not
# guaranteed that this configuration file will work with OpenSSH
# versions other than the one listed on the top line of this file.

# Each configuration value is defined for a given destination host by
# its first appearance across all configuration sources.  Parameters
# that are allowed to default are listed as comments for the ultimate
# wild-carded host.

# First come configuration blocks for specific hosts; ...

# ... then we have configuration blocks for wild-carded hosts, ...

Host *.nasa.gov
Compression no

Host *.*
Compression yes

# ... followed ultimately by the ultimate wild-carded host.

Host *
# AFSTokenPassing no
# BatchMode no
# BindAddress
# ChallengeResponseAuthentication yes
CheckHostIP yes
Cipher blowfish
Ciphers arcfour,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
# ClearAllForwardings no
# Compression no
# CompressionLevel 6
ConnectionAttempts 3
# DynamicForward
# EscapeChar ~
ForwardAgent yes
ForwardX11 yes
# GatewayPorts no
# GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
HostbasedAuthentication yes
# HostKeyAlgorithms ssh-rsa,ssh-dss
# HostKeyAlias
# HostName
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/identity
# KeepAlive yes
# KerberosAuthentication no
# KerberosTgtPassing no
# LocalForward
# LogLevel INFO
MACs hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-ripemd160
# NoHostAuthenticationForLocalhost no
# NumberOfPasswordPrompts 3
# PasswordAuthentication yes
# Port 22
PreferredAuthentications publickey,hostbased,password,keyboard-interactive
# Protocol 2,1
# ProxyCommand
# PubkeyAuthentication yes
# RemoteForward
RhostsAuthentication yes
RhostsRSAAuthentication yes
# RSAAuthentication yes
# SmartcardDevice
StrictHostKeyChecking yes
UsePrivilegedPort yes
# User $USER
# UserKnownHostsFile $HOME/.ssh/known_hosts
VersionAddendum ssh_config $Revision: 1.1.1.1 $
# XAuthLocation /usr/X11R6/bin/xauth

-------------- next part --------------
# sshd_config server configuration file for OpenSSH 3.5p1, FreeBSD 4.8
# $Id: sshd_config,v 1.1.1.1 2003/06/05 22:21:28 tweten Exp $

# Actual path names for files may need to be changed for specific
# hosts.  The names used in this file work under the operating system
# and version number listed on the top line of this file.

# OpenSSH developers change parameters fairly often.  It is not
# guaranteed that this configuration file will work with OpenSSH
# versions other than the one listed on the top line of this file.

# All parameters are listed in alphabetical order unless semantic
# requirements dictate otherwise.  Parameters that are allowed to
# default and their default values are listed as comments.

# The philosophy of this configuration is that the client process
# cares only about fulfilling the user's request and the server is
# responsible for maintaining security.

# Examples:
# The client configuration file permits RhostsAuthentication and
# ChallengeResponseAuthentication, but the server configuration file
# forbids them.

# AFSTokenPassing no
# AllowGroups *
# AllowTcpForwarding yes
# AllowUsers *
# AuthorizedKeysFile .ssh/authorized_keys
Banner /etc/ftpwelcome
ChallengeResponseAuthentication no
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
ClientAliveInterval 60
ClientAliveCountMax 10
# Compression yes
# DenyGroups
# DenyUsers
# GatewayPorts no
HostbasedAuthentication yes
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
IgnoreRhosts no
# IgnoreUserKnownHosts no
# KeepAlive yes
# KerberosAuthentication no
# KerberosOrLocalPasswd yes
# KerberosTgtPassing no
# KerberosTicketCleanup yes
# KeyRegenerationInterval 1h
# Port 22
# ListenAddress 0.0.0.0
LoginGraceTime 10m
# LogLevel INFO
# MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
# MaxStartups 10
# PasswordAuthentication yes
# PermitEmptyPasswords no
PermitRootLogin forced-commands-only
# PermitUserEnvironment no
# PidFile /var/run/sshd.pid
# PrintLastLog yes
PrintMotd no
# Protocol 2,1
# PubkeyAuthentication yes
# RhostsAuthentication no
RhostsRSAAuthentication yes
# RSAAuthentication yes
# ServerKeyBits 768
# StrictModes yes
Subsystem sftp /usr/libexec/sftp-server
# SyslogFacility AUTH
# UseLogin no
# UsePrivilegeSeparation yes
VerifyReverseMapping yes
VersionAddendum sshd_config $Revision: 1.1.1.1 $
# X11DisplayOffset 10
# X11Forwarding yes
# X11UseLocalhost yes
# XAuthLocation /usr/X11R6/bin/xauth

-------------- next part --------------
M/S 258-5                    |1024-bit PGP fingerprint:|tweten@nas.nasa.gov
NASA Ames Research Center    | 41 B0 89 0A 8F 94 6C 59|       (650) 604-4416
Moffett Field, CA  94035-1000| 7C 80 10 20 25 C7 2F E6|FAX:   (650) 604-4377
Not an official NASA position.  You can't even be certain who sent this!
Daren Desjardins
2004-Mar-31 14:02 UTC
SSH issues with 4.9 stable (key_verify failed for server_host_key)
> >... the base system seems to force a DSA host key authentication, whereas the
> >port and openssh release use RSA ...
>
> Why do you care?  Give your machine all three kinds of machine key
> (protocol 1.5, protocol 2.0 RSA, and protocol 2.0 DSA).  If you want to
> use public key authentication, give yourself all three types of personal
> key too.  That way, you are prepared for whatever slight misconfiguration
> there may be at the other end of your attempted connection.

It's not that I care; I am just trying to point out anything I can that
could indicate the cause of the problem.

I tried using your config files, and the result is included below.

OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090703f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: ssh_connect: needpriv 1
debug1: Connecting to daren.ca [3ffe:b80:19a3:1::1] port 22.
debug1: Allocated local port 1016.
debug1: connect to address 3ffe:b80:19a3:1::1 port 22: No route to host
debug1: Connecting to daren.ca [65.49.123.132] port 22.
debug1: Allocated local port 1015.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.5p1 FreeBSD-20030924
debug1: match: OpenSSH_3.5p1 FreeBSD-20030924 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1 ssh_config $Revision: 1.1.1.1 $
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client arcfour hmac-md5 none
debug1: kex: client->server arcfour hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 111/256
debug1: bits set: 1605/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
No DSA host key is known for daren.ca and you have requested strict checking.
Host key verification failed.
debug1: Calling cleanup 0x804c158(0x0)
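Three distinct failures appear in the transcripts in this thread: a cached DSA key that matches known_hosts but whose signature does not verify, a freshly accepted key whose signature also fails, and a missing known_hosts entry under StrictHostKeyChecking yes. The triage script below is an added example, not code from the thread: it scans `ssh -v` output for those lines and separates a client-side known_hosts problem from a server-side signature failure, which is the distinction that decides whether deleting known_hosts can help at all. The sample inputs are trimmed excerpts of the transcripts above plus one constructed known_hosts-mismatch banner (OpenSSH's "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, which does not occur in this thread).

```python
"""Triage a failed `ssh -v` transcript (added example): tell a known_hosts
problem on the client apart from a host-key signature failure on the
server. Both end in "Host key verification failed"-style output but need
different fixes."""
import re

# Lines OpenSSH 3.x clients print. All but REMOTE_CHANGED occur in the
# transcripts of this thread; REMOTE_CHANGED is the banner OpenSSH prints
# when the cached known_hosts key differs from the one presented.
REMOTE_VERSION = re.compile(r"remote software version (.+)$")
KNOWN_MATCH = re.compile(r"Host '[^']+' is known and matches the (\w+) host key")
KNOWN_ADDED = re.compile(r"Permanently added '[^']+' \((\w+)\) to the list of known")
FINGERPRINT = re.compile(r"(\w+) key fingerprint is ([0-9a-f:]+)\.")
SIG_BAD = re.compile(r"ssh_(dss|rsa)_verify: signature incorrect")
KEY_VERIFY = re.compile(r"key_verify failed for server_host_key")
STRICT_NONE = re.compile(r"No (\w+) host key is known for (\S+) and you have requested strict checking")
REMOTE_CHANGED = re.compile(r"REMOTE HOST IDENTIFICATION HAS CHANGED")

EXPLANATION = {
    "ok": "no host-key problem seen",
    "host-key-changed": "cached known_hosts entry differs from the key presented; "
                        "verify the new fingerprint out of band before replacing the entry",
    "strict-no-entry": "no known_hosts entry and StrictHostKeyChecking yes; "
                       "add the entry from a trusted source rather than relaxing the check",
    "bad-signature": "the key the server presented was accepted (cached or just added) but "
                     "its signature over the exchange did not verify; removing known_hosts "
                     "will not help, check the server's host key pair and sshd version",
}


def triage(output):
    """Classify one `ssh -v` transcript; returns a dict of diagnosis and facts."""
    facts = {"diagnosis": "ok", "known_hosts": "not consulted",
             "remote_version": None, "fingerprint": None}
    sig_failed = False
    for line in output.splitlines():
        line = line.strip()
        m = REMOTE_VERSION.search(line)
        if m:
            facts["remote_version"] = m.group(1)
        m = KNOWN_MATCH.search(line)
        if m:
            facts["known_hosts"] = "matched cached %s key" % m.group(1)
        m = KNOWN_ADDED.search(line)
        if m:
            facts["known_hosts"] = "just added (%s)" % m.group(1)
        m = FINGERPRINT.search(line)
        if m:
            facts["fingerprint"] = m.group(2)
        if SIG_BAD.search(line) or KEY_VERIFY.search(line):
            sig_failed = True
        if STRICT_NONE.search(line):
            facts["known_hosts"] = "no entry (strict checking)"
            facts["diagnosis"] = "strict-no-entry"
        if REMOTE_CHANGED.search(line):
            facts["diagnosis"] = "host-key-changed"
    # A signature failure is only reported when no known_hosts problem
    # explains the abort first; in that case the cache is not the cause.
    if facts["diagnosis"] == "ok" and sig_failed:
        facts["diagnosis"] = "bad-signature"
    facts["explanation"] = EXPLANATION[facts["diagnosis"]]
    return facts


# Constructed sample inputs: trimmed excerpts of the three transcripts in
# this thread, plus one constructed known_hosts-mismatch banner.
SAMPLE_CACHED = """\
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 FreeBSD-20030924
debug1: Host 'puff' is known and matches the DSA host key.
debug1: Found key in /home/daren/.ssh/known_hosts:8
debug1: ssh_dss_verify: signature incorrect
key_verify failed for server_host_key
"""
SAMPLE_FRESH = """\
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 FreeBSD-20030924
The authenticity of host 'puff (x.x.x.x)' can't be established.
DSA key fingerprint is f0:b5:90:fd:92:0d:4a:b6:87:13:45:63:72:a1:49:aa.
Warning: Permanently added 'puff,x.x.x.x' (DSA) to the list of known hosts.
debug1: ssh_dss_verify: signature incorrect
key_verify failed for server_host_key
"""
SAMPLE_STRICT = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.5p1 FreeBSD-20030924
No DSA host key is known for daren.ca and you have requested strict checking.
Host key verification failed.
"""
SAMPLE_CHANGED = """\
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Host key verification failed.
"""

if __name__ == "__main__":
    for name in ("SAMPLE_CACHED", "SAMPLE_FRESH", "SAMPLE_STRICT", "SAMPLE_CHANGED"):
        r = triage(globals()[name])
        print("%-15s %-18s known_hosts=%s" % (name, r["diagnosis"], r["known_hosts"]))
        print("    " + r["explanation"])
```

Feed it a real transcript with `triage(open("ssh.log").read())` after running `ssh -v host 2> ssh.log`; the two "bad-signature" results for the puff transcripts are the reason the known_hosts rename in the first message could not change anything.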
Dave Tweten
2004-Mar-31 14:23 UTC
SSH issues with 4.9 stable (key_verify failed for server_host_key)
desjardins@canada.com said:
>debug1: ssh_dss_verify: signature incorrect
>key_verify failed for server_host_key

You may be suffering from the confusion I mentioned in my previous message
-- if daren.ca's public key has changed since you began trying to make SSH
work.  Get rid of /root/.ssh/known_hosts.  If it's valuable, rename it.
Otherwise just delete it.  Now when you use the option I suggested in my
previous message, SSH will ask you the question.  After you answer yes, it
will store daren.ca's current public machine key in /root/.ssh/known_hosts.

Incidentally, if you use my sshd_config file, you won't be able to log in
interactively as root.
Dave Tweten
2004-Mar-31 17:30 UTC
SSH issues with 4.9 stable (key_verify failed for server_host_key)
desjardins@canada.com said:
>key_verify failed for server_host_key

Can any other SSH-equipped machines log into daren.ca using SSH?  Since this
indicates the just-delivered key for daren.ca failed to verify, I'm
wondering whether there might be something wrong with the public and/or
private DSA machine keys on daren.ca.  Incidentally, does daren.ca have an
RSA machine key pair, or a protocol 1.5 machine key pair?
Daren Desjardins
2004-Apr-02 03:33 UTC
SSH issues with 4.9 stable (key_verify failed for server_host_key)
> Can any other SSH-equipped machines log into daren.ca using SSH?

Yes.  daren.ca is just one of 5 or 6 hosts I tested it on, all of which
fail with the same result.

> Since this indicates the just-delivered key for daren.ca failed to verify,
> I'm wondering whether there might be something wrong with the public
> and/or private DSA machine keys on daren.ca.  Incidentally, does daren.ca
> have an RSA machine key pair, or a protocol 1.5 machine key pair?

It has an rsa1, rsa2 and dsa2 key pair.