bugzilla-daemon at bugzilla.mindrot.org
2009-Apr-26 21:30 UTC
[Bug 1592] New: Fingerprints for SSHD host key don't match (local ssh-keygen -l vs. ssh localhost)
https://bugzilla.mindrot.org/show_bug.cgi?id=1592

           Summary: Fingerprints for SSHD host key don't match (local ssh-keygen -l vs. ssh localhost)
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: doerges at pre-sense.de

Created an attachment (id=1628)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1628)
All files needed to set up test case

Problem:

I've come across two host key pairs which do not work correctly:

- ssh-keygen -l -f key_A gives fingerprint fp_A
- ssh'ing to an sshd using key_A as host key gives fingerprint fp_B
- fp_B != fp_A (actually the ssh client receives a different host key)

The problem occurs with OpenSSH 5.1p (both openSUSE 11.1 and Knoppix 6.1 (Debian based)) and OpenSSH 4.6p1 (openSUSE 10.3).

It's not an MITM. I could reproduce the behavior booting from a clean live Linux CD, ssh'ing to localhost without any other network connections available.

I'm not entirely sure, but I'm guessing the keys were generated with OpenSSH 4.6p1.

Expected behavior:

fp_B == fp_A
or
If the keys are somehow broken, SSHD should tell the user about it.

Reproduce:

The keys in question are in the attachment:

ssh-prob/ssh_host_rsa_key
ssh-prob/ssh_host_dsa_key.pub
ssh-prob/ssh_host_dsa_key
ssh-prob/ssh_host_rsa_key.pub

1.) Unpack prob.tar.gz
2.) Start testcase.sh

Example:

$ ./testcase.sh
testcase.sh: Setting up test case in '/tmp/tmp.jxjR9LsMNh' ... DONE
testcase.sh: Fingerprint for host key is:
1024 37:66:7b:99:ea:09:9a:1d:7e:09:3a:90:3e:d0:86:9b /tmp/tmp.jxjR9LsMNh/ssh_host_rsa_key.pub (RSA)
testcase.sh: Please compare with fingerprint given from 'ssh -p 55555 localhost'
testcase.sh: Starting SSHD ...
debug1: sshd version OpenSSH_5.1p1
[...]

$ ssh -p 55555 localhost
The authenticity of host '[localhost]:55555 ([127.0.0.1]:55555)' can't be established.
RSA key fingerprint is 6a:ef:32:f1:63:c1:db:d2:81:e6:4b:f7:e8:ec:01:4a.
Are you sure you want to continue connecting (yes/no)?

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
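
The comparison described in the report can be made without ssh-keygen by hashing the public key blob directly. This is an added example, not code from the bug report or from OpenSSH; it computes the colon-separated MD5 fingerprint of a key line in .pub format ("type base64 [comment]") and compares the key on disk with the key a server offered. The helper names and both sample keys are constructed for illustration and are not the keys from the attachment.

```python
import base64
import hashlib


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + data."""
    return len(data).to_bytes(4, "big") + data


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Split a 'type base64 [comment]' line and return (type, raw key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with its own copy of the key type; a mismatch means
    # the line was edited or corrupted.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type in blob does not match declared type")
    return key_type, blob


def md5_fingerprint(line: str) -> str:
    """Colon-separated MD5 fingerprint of the key blob (comment is ignored)."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def same_host_key(file_line: str, offered_line: str) -> bool:
    """True when the .pub file and the key offered on the wire are identical."""
    return md5_fingerprint(file_line) == md5_fingerprint(offered_line)


def make_line(modulus: bytes, comment: str = "") -> str:
    """Build a constructed ssh-rsa line (e=65537) for the demo; not a real key."""
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".strip()


# Constructed sample keys: placeholders, not the keys from the attachment.
KEY_ON_DISK = make_line(b"\x00" + b"\xa5" * 128, "root@host")
KEY_OFFERED = make_line(b"\x00" + b"\xc3" * 128)

if __name__ == "__main__":
    print("file:  ", md5_fingerprint(KEY_ON_DISK))
    print("server:", md5_fingerprint(KEY_OFFERED))
    print("match: ", same_host_key(KEY_ON_DISK, KEY_OFFERED))
```

A mismatch here means the two lines carry different public keys, which is the condition the report observes between the .pub file and the key the client receives.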