openssh bugs - Oct 2023 - [Bug 3627] New: openssh 9.4p1 does not see RSA keys in know_hosts file.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

            Bug ID: 3627
           Summary: openssh 9.4p1 does not see RSA keys in know_hosts
                    file.
           Product: Portable OpenSSH
           Version: 9.4p1
          Hardware: SPARC
                OS: Solaris
            Status: NEW
          Severity: major
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: bugzilla at outputservices.com

Created attachment 3738
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3738&action=edit
pdf of my issue

I have compiled openssh 9.4p1 using the following compile command:

configure CFLAGS="-g -O3
-L/usr/local/tools/openssh/openssh/openssl/lib/64
-R/usr/local/tools/openssh/openssh/openssl/lib/64 
-I/usr/local/tools/openssh/openssh/openssl/include/openssl" CC="gcc
-m64" --without-zlib-version-check --without-openssl-header-check
--with-pam --prefix=/usr/local/tools/openssh/openssh/openssh

Here is the version:

< user_lamborghini ~/.ssh: > ssh -V
OpenSSH_9.4p1, OpenSSL 3.1.2 1 Aug 2023
< user_lamborghini ~/.ssh: > 

I do not have any knowHost file in my directory

< user_lamborghini ~/.ssh: > ls -l
total 6
-rw-r--r--   1 user user     221 Mar 18  2012 authorized_keys
-rw-r--r--   1 user user      26 Aug 30 10:12 config
-rw-r--r--   1 user user     302 Sep  7 10:57 env
< user_lamborghini ~/.ssh: > 

I connect the first time it asks me to accept the RSA host key.

< user_lamborghini ~/.ssh: > ssh user at 10.106.101.142
The authenticity of host '10.106.101.142 (10.106.101.142)' can't be
established.
RSA key fingerprint is
SHA256:lG+1WuVSfR9Frovpc3XXp/AvPK4LpRKSfLEe+6eai9w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
yes
Warning: Permanently added '10.106.101.142' (RSA) to the list of known
hosts.

I finish logging in. 
user at 10.106.101.142's password: 

####################################################### 
# 
# WRKSTN42
# 
####################################################### 

WARNING: This is a restricted access server. If you do not have 
explicit permission to access this server, please disconnect 
immediately. Unauthorized access to this system is considered gross 
misconduct and may result in disciplinary action, including revocation 
of network access privileges, immediate termination of employment,
and/or 
prosecution to the fullest extent of the law.  

Last login: Mon Oct  9 11:00:11 2023 from 10.10.10.62
#]0;user at wrkstn42: ~#user at wrkstn42:~$ exit
logout
Connection to 10.106.101.142 closed.
< user_lamborghini ~/.ssh: > 

Now I have TWO known_hosts files.  known_hosts and known_hosts.old.

< user_lamborghini ~/.ssh: > ls -l
total 10
-rw-r--r--   1 user user     221 Mar 18  2012 authorized_keys
-rw-r--r--   1 user user      26 Aug 30 10:12 config
-rw-r--r--   1 user user     302 Sep  7 10:57 env
-rw-------   1 user user     792 Oct  9 11:19 known_hosts
-rw-r--r--   1 user user     396 Oct  9 11:19 known_hosts.old
< user_lamborghini ~/.ssh: > more known*

Here are the entries in the  known_hosts files:

::::::::::::::
known_hosts
::::::::::::::
10.106.101.142 ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwCIAibDePAymJF3HY4JbLrwp3fXzdTkIi7rcRleoT3E7AxFo+dyQiWsuIRo93KUX4vftYxA7ZMIAuxrrkV/DkTh8MREGRJUR/tWE9w4r4EiGwJdV+mOWzvgYzjQIfeHx76f9zF17YsACbL3riPdWKxVvq80UPIYIkBfUdWbEYCZ1isFMUYgFbB/gE9RjyNmW3LbBiROa+8owMWOKEaZ0Pk3Cewo4gBBekx/zv4qSsM5i4J5OnTxbgUf2hCrvXAforHMGQ1JjsU+wNYScscDLWDh8vwVFTQDnwzQNifPh3j0XNN60xev3717Jz9Aa99NskCYNtOEpd6YHv23BwzaTx
10.106.101.142 ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwCIAibDePAymJF3HY4JbLrwp3fXzdTkIi7rcRleoT3E7AxFo+dyQiWsuIRo93KUX4vftYxA7ZMIAuxrrkV/DkTh8MREGRJUR/tWE9w4r4EiGwJdV+mOWzvgYzjQIfeHx76f9zF17YsACbL3riPdWKxVvq80UPIYIkBfUdWbEYCZ1isFMUYgFbB/gE9RjyNmW3LbBiROa+8owMWOKEaZ0Pk3Cewo4gBBekx/zv4qSsM5i4J5OnTxbgUf2hCrvXAforHMGQ1JjsU+wNYScscDLWDh8vwVFTQDnwzQNifPh3j0XNN60xev3717Jz9Aa99NskCYNtOEpd6YHv23BwzaTx

::::::::::::::
known_hosts.old
::::::::::::::
10.106.101.142 ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwCIAibDePAymJF3HY4JbLrwp3fXzdTkIi7rcRleoT3E7AxFo+dyQiWsuIRo93KUX4vftYxA7ZMIAuxrrkV/DkTh8MREGRJUR/tWE9w4r4EiGwJdV+mOWzvgYzjQIfeHx76f9zF17YsACbL3riPdWKxVvq80UPIYIkBfUdWbEYCZ1isFMUYgFbB/gE9RjyNmW3LbBiROa+8owMWOKEaZ0Pk3Cewo4gBBekx/zv4qSsM5i4J5OnTxbgUf2hCrvXAforHMGQ1JjsU+wNYScscDLWDh8vwVFTQDnwzQNifPh3j0XNN60xev3717Jz9Aa99NskCYNtOEpd6YHv23BwzaTx
< user_lamborghini ~/.ssh: > 

It is put in the known_hosts two times and known_hosts.old one time.

Now I log into the same workstation again and I get this error:

parse error in hostkeys file


< user_lamborghini ~/.ssh: > ssh -v user at 10.106.101.142
OpenSSH_9.4p1, OpenSSL 3.1.2 1 Aug 2023
debug1: Reading configuration data /export/home/user/.ssh/config
debug1: Reading configuration data
/usr/local/tools/openssh/openssh_9.4.3.1.2/openssh/etc/ssh_config
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve;
disabling
debug1: Connecting to 10.106.101.142 [10.106.101.142] port 22.
debug1: Connection established.
debug1: identity file /export/home/user/.ssh/id_rsa type -1
debug1: identity file /export/home/user/.ssh/id_rsa-cert type -1
debug1: identity file /export/home/user/.ssh/id_ecdsa type -1
debug1: identity file /export/home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /export/home/user/.ssh/id_ecdsa_sk type -1
debug1: identity file /export/home/user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /export/home/user/.ssh/id_ed25519 type -1
debug1: identity file /export/home/user/.ssh/id_ed25519-cert type -1
debug1: identity file /export/home/user/.ssh/id_ed25519_sk type -1
debug1: identity file /export/home/user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /export/home/user/.ssh/id_xmss type -1
debug1: identity file /export/home/user/.ssh/id_xmss-cert type -1
debug1: identity file /export/home/user/.ssh/id_dsa type -1
debug1: identity file /export/home/user/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.4
debug1: Remote protocol version 2.0, remote software version
OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: compat_banner: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 pat
OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7*
compat 0x04000002
debug1: Authenticating to 10.106.101.142:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256 at libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa
SHA256:lG+1WuVSfR9Frovpc3XXp/AvPK4LpRKSfLEe+6eai9w
debug1: /export/home/user/.ssh/known_hosts:1: parse error in hostkeys
file
debug1: /export/home/user/.ssh/known_hosts:2: parse error in hostkeys
file
debug1: load_hostkeys: fopen /export/home/user/.ssh/known_hosts2: No
such file or directory
debug1: load_hostkeys: fopen
/usr/local/tools/openssh/openssh_9.4.3.1.2/openssh/etc/ssh_known_hosts:
No such file or directory
debug1: load_hostkeys: fopen
/usr/local/tools/openssh/openssh_9.4.3.1.2/openssh/etc/ssh_known_hosts2:
No such file or directory
debug1: hostkeys_find_by_key_hostfile: hostkeys file
/export/home/user/.ssh/known_hosts2 does not exist
debug1: hostkeys_find_by_key_hostfile: hostkeys file
/usr/local/tools/openssh/openssh_9.4.3.1.2/openssh/etc/ssh_known_hosts
does not exist
debug1: hostkeys_find_by_key_hostfile: hostkeys file
/usr/local/tools/openssh/openssh_9.4.3.1.2/openssh/etc/ssh_known_hosts2
does not exist
The authenticity of host '10.106.101.142 (10.106.101.142)' can't be
established.
RSA key fingerprint is
SHA256:lG+1WuVSfR9Frovpc3XXp/AvPK4LpRKSfLEe+6eai9w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
yes
Warning: Permanently added '10.106.101.142' (RSA) to the list of known
hosts.
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /export/home/user/.ssh/id_rsa 
debug1: Will attempt key: /export/home/user/.ssh/id_ecdsa 
debug1: Will attempt key: /export/home/user/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /export/home/user/.ssh/id_ed25519 
debug1: Will attempt key: /export/home/user/.ssh/id_ed25519_sk 
debug1: Will attempt key: /export/home/user/.ssh/id_xmss 
debug1: Will attempt key: /export/home/user/.ssh/id_dsa 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /export/home/user/.ssh/id_rsa
debug1: Trying private key: /export/home/user/.ssh/id_ecdsa
debug1: Trying private key: /export/home/user/.ssh/id_ecdsa_sk
debug1: Trying private key: /export/home/user/.ssh/id_ed25519
debug1: Trying private key: /export/home/user/.ssh/id_ed25519_sk
debug1: Trying private key: /export/home/user/.ssh/id_xmss
debug1: Trying private key: /export/home/user/.ssh/id_dsa
debug1: Next authentication method: password
user at 10.106.101.142's password: 
Authenticated to 10.106.101.142 ([10.106.101.142]:22) using
"password".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting no-more-sessions at openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00 at openssh.com
want_reply 0
debug1: client_input_hostkeys: searching
/export/home/user/.ssh/known_hosts for 10.106.101.142 / (none)
debug1: client_input_hostkeys: searching
/export/home/user/.ssh/known_hosts2 for 10.106.101.142 / (none)
debug1: client_input_hostkeys: hostkeys file
/export/home/user/.ssh/known_hosts2 does not exist
Learned new hostkey: RSA
SHA256:lG+1WuVSfR9Frovpc3XXp/AvPK4LpRKSfLEe+6eai9w
/export/home/user/.ssh/known_hosts:1: invalid known_hosts entry
/export/home/user/.ssh/known_hosts:2: invalid known_hosts entry
/export/home/user/.ssh/known_hosts:3: invalid known_hosts entry
Adding new key for 10.106.101.142 to
/export/home/user/.ssh/known_hosts: ssh-rsa
SHA256:lG+1WuVSfR9Frovpc3XXp/AvPK4LpRKSfLEe+6eai9w
debug1: update_known_hosts: known hosts file
/export/home/user/.ssh/known_hosts2 does not exist
debug1: pledge: fork

I am logged in again for the second time.



####################################################### 
# 
# WRKSTN42
# 
####################################################### 

WARNING: This is a restricted access server. If you do not have 
explicit permission to access this server, please disconnect 
immediately. Unauthorized access to this system is considered gross 
misconduct and may result in disciplinary action, including revocation 
of network access privileges, immediate termination of employment,
and/or 
prosecution to the fullest extent of the law.  

Last login: Mon Oct  9 11:19:56 2023 from 10.10.10.62
#]0;user at wrkstn42: ~#user at wrkstn42:~$ exit
logout
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply
0
debug1: channel 0: free: client-session, nchannels 1
Connection to 10.106.101.142 closed.
Transferred: sent 2252, received 3976 bytes, in 1.7 seconds
Bytes per second: sent 1305.3, received 2304.6
debug1: Exit status 0
< user_lamborghini ~/.ssh: > 

Now I have the entry in the known_hosts four times and the
known_hosts.old two times.


< user_lamborghini ~/.ssh: > more known*
::::::::::::::
known_hosts
::::::::::::::
10.106.101.142 ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwCIAibDePAymJF3HY4JbLrwp3fXzdTkIi7rcRleoT3E7AxFo+dyQiWsuIRo93KUX4vftYxA7ZMIAuxrrkV/DkTh8MREGRJUR/tWE9w4r4EiGwJdV+mOWzvgYzjQIfeHx76f9zF17YsACbL3riPdWKxVvq80UPIYIkBfUdWbEYCZ1isFMUYgFbB/gE9RjyNmW3LbBiROa+8owMWOKEaZ0Pk3Cewo4gBBekx/zv4qSsM5i4J5OnTxbgUf2hCrvXAforHMGQ1JjsU+wNYScscDLWDh8vwVFTQDnwzQNifPh3j0XNN60xev3717Jz9Aa99NskCYNtOEpd6YHv23BwzaTx
10.106.101.142 ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwCIAibDePAymJF3HY4JbLrwp3fXzdTkIi7rcRleoT3E7AxFo+dyQiWsuIRo93KUX4vftYxA7ZMIAuxrrkV/DkTh8MREGRJUR/tWE9w4r4EiGwJdV+mOWzvgYzjQIfeHx76f9zF17YsACbL3riPdWKxVvq80UPIYIkBfUdWbEYCZ1isFMUYgFbB/gE9RjyNmW3LbBiROa+8owMWOKEaZ0Pk3Cewo4gBBekx/zv4qSsM5i4J5OnTxbgUf2hCrvXAforHMGQ1JjsU+wNYScscDLWDh8vwVFTQDnwzQNifPh3j0XNN60xev3717Jz9Aa99NskCYNtOEpd6YHv23BwzaTx
10.106.101.142 ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwCIAibDePAymJF3HY4JbLrwp3fXzdTkIi7rcRleoT3E7AxFo+dyQiWsuIRo93KUX4vftYxA7ZMIAuxrrkV/DkTh8MREGRJUR/tWE9w4r4EiGwJdV+mOWzvgYzjQIfeHx76f9zF17YsACbL3riPdWKxVvq80UPIYIkBfUdWbEYCZ1isFMUYgFbB/gE9RjyNmW3LbBiROa+8owMWOKEaZ0Pk3Cewo4gBBekx/zv4qSsM5i4J5OnTxbgUf2hCrvXAforHMGQ1JjsU+wNYScscDLWDh8vwVFTQDnwzQNifPh3j0XNN60xev3717Jz9Aa99NskCYNtOEpd6YHv23BwzaTx
10.106.101.142 ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwCIAibDePAymJF3HY4JbLrwp3fXzdTkIi7rcRleoT3E7AxFo+dyQiWsuIRo93KUX4vftYxA7ZMIAuxrrkV/DkTh8MREGRJUR/tWE9w4r4EiGwJdV+mOWzvgYzjQIfeHx76f9zF17YsACbL3riPdWKxVvq80UPIYIkBfUdWbEYCZ1isFMUYgFbB/gE9RjyNmW3LbBiROa+8owMWOKEaZ0Pk3Cewo4gBBekx/zv4qSsM5i4J5OnTxbgUf2hCrvXAforHMGQ1JjsU+wNYScscDLWDh8vwVFTQDnwzQNifPh3j0XNN60xev3717Jz9Aa99NskCYNtOEpd6YHv23BwzaTx




::::::::::::::
known_hosts.old
::::::::::::::
10.106.101.142 ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwCIAibDePAymJF3HY4JbLrwp3fXzdTkIi7rcRleoT3E7AxFo+dyQiWsuIRo93KUX4vftYxA7ZMIAuxrrkV/DkTh8MREGRJUR/tWE9w4r4EiGwJdV+mOWzvgYzjQIfeHx76f9zF17YsACbL3riPdWKxVvq80UPIYIkBfUdWbEYCZ1isFMUYgFbB/gE9RjyNmW3LbBiROa+8owMWOKEaZ0Pk3Cewo4gBBekx/zv4qSsM5i4J5OnTxbgUf2hCrvXAforHMGQ1JjsU+wNYScscDLWDh8vwVFTQDnwzQNifPh3j0XNN60xev3717Jz9Aa99NskCYNtOEpd6YHv23BwzaTx
10.106.101.142 ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwCIAibDePAymJF3HY4JbLrwp3fXzdTkIi7rcRleoT3E7AxFo+dyQiWsuIRo93KUX4vftYxA7ZMIAuxrrkV/DkTh8MREGRJUR/tWE9w4r4EiGwJdV+mOWzvgYzjQIfeHx76f9zF17YsACbL3riPdWKxVvq80UPIYIkBfUdWbEYCZ1isFMUYgFbB/gE9RjyNmW3LbBiROa+8owMWOKEaZ0Pk3Cewo4gBBekx/zv4qSsM5i4J5OnTxbgUf2hCrvXAforHMGQ1JjsU+wNYScscDLWDh8vwVFTQDnwzQNifPh3j0XNN60xev3717Jz9Aa99NskCYNtOEpd6YHv23BwzaTx
10.106.101.142 ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwCIAibDePAymJF3HY4JbLrwp3fXzdTkIi7rcRleoT3E7AxFo+dyQiWsuIRo93KUX4vftYxA7ZMIAuxrrkV/DkTh8MREGRJUR/tWE9w4r4EiGwJdV+mOWzvgYzjQIfeHx76f9zF17YsACbL3riPdWKxVvq80UPIYIkBfUdWbEYCZ1isFMUYgFbB/gE9RjyNmW3LbBiROa+8owMWOKEaZ0Pk3Cewo4gBBekx/zv4qSsM5i4J5OnTxbgUf2hCrvXAforHMGQ1JjsU+wNYScscDLWDh8vwVFTQDnwzQNifPh3j0XNN60xev3717Jz9Aa99NskCYNtOEpd6YHv23BwzaTx


This happens every time.

Openssh  9.4p1 is Not seeing the RSA keys in the known_hosts files,
even though it puts the entry in the file.

What is happening?

How can I fix this so it only puts the entry in once and reads it when
I log in again?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3739
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3739&action=edit
additional debuigging for known_hosts

Please try applying this patch and running ssh in debug mode again. The
patch adds some additional diagnostics that might help figure out
what's happening here.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
A long shot but does your OpenSSL build pass its self-tests?  ("cd
openssl && make tests").

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

--- Comment #3 from openssh bugs <bugzilla at outputservices.com> ---
(In reply to Darren Tucker from comment #2)
> A long shot but does your OpenSSL build pass its self-tests?  ("cd
> openssl && make tests").
make test



99-test_fuzz_x509.t ................ ok   
All tests successful.
Files=252, Tests=3341, 5370 wallclock secs (57.06 usr  8.47 sys +
4285.92 cusr 579.71 csys = 4931.16 CPU)
Result: PASS


OpenSSL 3.1.2 passes the make test.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

--- Comment #4 from openssh bugs <bugzilla at outputservices.com> ---
(In reply to Damien Miller from comment #1)
> Created attachment 3739 [details]
> additional debuigging for known_hosts
> 
> Please try applying this patch and running ssh in debug mode again.
> The patch adds some additional diagnostics that might help figure
> out what's happening here.
This is a solaris sparc machine so I can not apply the "patch" as you
suggested.

diff: illegal option -- git


If you can apply the patch and then zip up the patched hostfile.c and
upload it, I can download it and then put it in place and compile it in
and see if it gives more diagnostics.

I appreciate any assistance on this oddity.

I don't understand why it put the RSA key in the known_hosts file, but
can't read it the next time.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to openssh bugs from comment #4)
[...]
> This is a solaris sparc machine so I can not apply the "patch" as
> you suggested.
> 
> diff: illegal option -- git
If you need to do this in future you can build GNU patch on Solaris:
https://ftp.gnu.org/gnu/patch/
> If you can apply the patch and then zip up the patched hostfile.c
> and upload it, I can download it and then put it in place and
> compile it in and see if it gives more diagnostics.
Grab a snapshot from here:
https://www.mindrot.org/openssh_snap/

and replace hostfile.[ch] with https://www.dtucker.net/tmp/hostfile.c
and https://www.dtucker.net/tmp/hostfile.h

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

--- Comment #6 from openssh bugs <bugzilla at outputservices.com> ---
(In reply to Darren Tucker from comment #5)
> (In reply to openssh bugs from comment #4)
> [...]
> > This is a solaris sparc machine so I can not apply the
"patch" as
> > you suggested.
> > 
> > diff: illegal option -- git
> 
> If you need to do this in future you can build GNU patch on Solaris:
> https://ftp.gnu.org/gnu/patch/
> 
> > If you can apply the patch and then zip up the patched hostfile.c
> > and upload it, I can download it and then put it in place and
> > compile it in and see if it gives more diagnostics.
> 
> Grab a snapshot from here:
> https://www.mindrot.org/openssh_snap/
> 
> and replace hostfile.[ch] with
> https://www.dtucker.net/tmp/hostfile.c and
> https://www.dtucker.net/tmp/hostfile.h

Thank you for the links.  I have downloaded them.

I put them in place and now I'm getting a compile error I need to work
through.

This may be unrelated to the updated files.

So I will continue to work on my compile issues and will use the
updated hostfile.* files.

So it may be a while before I can give a better test of the original
issue.

Thank you again.

FYI: this is the compile error i am getting:

gcc -m64 -std=gnu99 -o ssh ssh.o readconf.o clientloop.o sshtty.o
sshconnect.o sshconnect2.o mux.o ssh-sk-client.o -L. -Lopenbsd-compat/ 
-Wl,-z,now  -lssh -lopenbsd-compat -lresolv -lrt -lmd -lnsl -lsocket  
-lcrypto  -lz
Undefined                       first referenced
 symbol                             in file
EVP_CIPHER_CTX_key_length           ./libssh.a(cipher.o)
EVP_CIPHER_CTX_iv_length            ./libssh.a(cipher.o)
EVP_MD_block_size                   ./libssh.a(digest-openssl.o)
EVP_PKEY_base_id                    ./libssh.a(sshkey.o)
ld: fatal: symbol referencing errors. No output written to ssh
collect2: ld returned 1 exit status
gmake: *** [ssh] Error 1

I will correct this and work on the better diagnostics.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

openssh bugs <bugzilla at outputservices.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3738|0                           |1
        is obsolete|                            |

--- Comment #7 from openssh bugs <bugzilla at outputservices.com> ---
Created attachment 3747
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3747&action=edit
More diagnostics after updated hostfile.c / hostfile.h

hostfile_read_key: sshkey_read /export/home/user/.ssh/known_hosts:1:
invalid format

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

--- Comment #8 from openssh bugs <bugzilla at outputservices.com> ---

After putting in the updated hostfile.c and hostfile.h and compiling I
ran the test again.


< user_lamborghini ~/.ssh: > ssh -V
OpenSSH_9.4p1, OpenSSL 3.1.2 1 Aug 2023


< user_lamborghini ~/.ssh: > ls -l
total 6
-rw-r--r--   1 user user     221 Mar 18  2012 authorized_keys
-rw-r--r--   1 user user      26 Aug 30 10:12 config
-rw-r--r--   1 user user     302 Sep  7 10:57 env

First time I use ssh 9.4p1 it asks me to accept the remote workstation
RSA key.

< user_lamborghini ~/.ssh: > ssh user at 10.106.101.142
The authenticity of host '10.106.101.142 (10.106.101.142)' can't be
established.
RSA key fingerprint is
SHA256:lG+1WuVSfR9Frovpc3XXp/AvPK4LpRKSfLEe+6eai9w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
yes
Warning: Permanently added '10.106.101.142' (RSA) to the list of known
hosts.
user at 10.106.101.142's password: 

Last login: Fri Oct 27 10:16:43 2023 from 137.106.101.128

user at wrkstn42: ~user at wrkstn42:~$ exit
logout
Connection to 10.106.101.142 closed.



It creates two known_hosts files:  known_hosts  and known_hosts.old

< user_lamborghini ~/.ssh: > ls -l
total 10
-rw-r--r--   1 user user     221 Mar 18  2012 authorized_keys
-rw-r--r--   1 user user      26 Aug 30 10:12 config
-rw-r--r--   1 user user     302 Sep  7 10:57 env
-rw-------   1 user user     792 Oct 27 12:41 known_hosts
-rw-r--r--   1 user user     396 Oct 27 12:41 known_hosts.old

It puts two entries of the remote workstation into the known_hosts
file.

< user_lamborghini ~/.ssh: > more known_hosts*
::::::::::::::
known_hosts
::::::::::::::
10.106.101.142 ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwCIAibDePAymJF3HY4JbLrwp3fXzdTkIi7rcRleoT3E7AxFo+dyQiWsuIRo93KUX4vftYxA7ZMIAux
rrkV/DkTh8MREGRJUR/tWE9w4r4EiGwJdV+mOWzvgYzjQIfeHx76f9zF17YsACbL3riPdWKxVvq80UPIYIkBfUdWbEYCZ1isFMUYgFbB/gE9RjyNmW3LbBiROa+8owMWOKEa
Z0Pk3Cewo4gBBekx/zv4qSsM5i4J5OnTxbgUf2hCrvXAforHMGQ1JjsU+wNYScscDLWDh8vwVFTQDnwzQNifPh3j0XNN60xev3717Jz9Aa99NskCYNtOEpd6YHv23BwzaTx
10.106.101.142 ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwCIAibDePAymJF3HY4JbLrwp3fXzdTkIi7rcRleoT3E7AxFo+dyQiWsuIRo93KUX4vftYxA7ZMIAux
rrkV/DkTh8MREGRJUR/tWE9w4r4EiGwJdV+mOWzvgYzjQIfeHx76f9zF17YsACbL3riPdWKxVvq80UPIYIkBfUdWbEYCZ1isFMUYgFbB/gE9RjyNmW3LbBiROa+8owMWOKEa
Z0Pk3Cewo4gBBekx/zv4qSsM5i4J5OnTxbgUf2hCrvXAforHMGQ1JjsU+wNYScscDLWDh8vwVFTQDnwzQNifPh3j0XNN60xev3717Jz9Aa99NskCYNtOEpd6YHv23BwzaTx

It puts one entry in the known_hosts.old file.
::::::::::::::
known_hosts.old
::::::::::::::
10.106.101.142 ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwCIAibDePAymJF3HY4JbLrwp3fXzdTkIi7rcRleoT3E7AxFo+dyQiWsuIRo93KUX4vftYxA7ZMIAux
rrkV/DkTh8MREGRJUR/tWE9w4r4EiGwJdV+mOWzvgYzjQIfeHx76f9zF17YsACbL3riPdWKxVvq80UPIYIkBfUdWbEYCZ1isFMUYgFbB/gE9RjyNmW3LbBiROa+8owMWOKEa
Z0Pk3Cewo4gBBekx/zv4qSsM5i4J5OnTxbgUf2hCrvXAforHMGQ1JjsU+wNYScscDLWDh8vwVFTQDnwzQNifPh3j0XNN60xev3717Jz9Aa99NskCYNtOEpd6YHv23BwzaTx

Now I do verbose diagnostics and get this error:

hostfile_read_key: sshkey_read /export/home/user/.ssh/known_hosts:1:
invalid format

for both entries in the known_hosts file.

How can it be a invalid format when ssh is the application placing the
entries?

Below is the verbose diagnostics.

Is there another option / switch I can put on the command line to dump
better diagnostics?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

--- Comment #9 from openssh bugs <bugzilla at outputservices.com> ---
(In reply to openssh bugs from comment #6)
> (In reply to Darren Tucker from comment #5)
> > (In reply to openssh bugs from comment #4)
> > [...]
> > > This is a solaris sparc machine so I can not apply the
"patch" as
> > > you suggested.
> > > 
> > > diff: illegal option -- git
> > 
> > If you need to do this in future you can build GNU patch on Solaris:
> > https://ftp.gnu.org/gnu/patch/
> > 
> > > If you can apply the patch and then zip up the patched hostfile.c
> > > and upload it, I can download it and then put it in place and
> > > compile it in and see if it gives more diagnostics.
> > 
> > Grab a snapshot from here:
> > https://www.mindrot.org/openssh_snap/
> > 
> > and replace hostfile.[ch] with
> > https://www.dtucker.net/tmp/hostfile.c and
> > https://www.dtucker.net/tmp/hostfile.h
> 
> 
> Thank you for the links.  I have downloaded them.
> 
> I put them in place and now I'm getting a compile error I need to
> work through.
> 
> This may be unrelated to the updated files.
> 
> So I will continue to work on my compile issues and will use the
> updated hostfile.* files.
> 
> So it may be a while before I can give a better test of the original
> issue.
> 
> Thank you again.
> 
> FYI: this is the compile error i am getting:
> 
> gcc -m64 -std=gnu99 -o ssh ssh.o readconf.o clientloop.o sshtty.o
> sshconnect.o sshconnect2.o mux.o ssh-sk-client.o -L.
> -Lopenbsd-compat/  -Wl,-z,now  -lssh -lopenbsd-compat -lresolv -lrt
> -lmd -lnsl -lsocket   -lcrypto  -lz
> Undefined                       first referenced
>  symbol                             in file
> EVP_CIPHER_CTX_key_length           ./libssh.a(cipher.o)
> EVP_CIPHER_CTX_iv_length            ./libssh.a(cipher.o)
> EVP_MD_block_size                   ./libssh.a(digest-openssl.o)
> EVP_PKEY_base_id                    ./libssh.a(sshkey.o)
> ld: fatal: symbol referencing errors. No output written to ssh
> collect2: ld returned 1 exit status
> gmake: *** [ssh] Error 1
> 
> I will correct this and work on the better diagnostics.
---------------------------------------------------------

Can you tell me what I'm getting:

hostfile_read_key: sshkey_read /export/home/user/.ssh/known_hosts:1:
invalid format

when it's the SSH program that is putting the keys into the known_hosts
file?

I uploaded attachments and diagnostics on October 28, 2023.

Any help would be greatly appreciated.

Thursday, November  2, 2023 1120 hrs MDT

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

--- Comment #10 from Damien Miller <djm at mindrot.org> ---
Created attachment 3750
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3750&action=edit
instrumented sshkey.c
> debug3: hostfile_read_key: sshkey_read
/export/home/user/.ssh/known_hosts:2: invalid format
You'll need to add some debugging to sshkey_read() to figure out what
is going wrong in there. Please replace sshkey.c with this version that
adds some more debugging of where it is going wrong.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

--- Comment #11 from Damien Miller <djm at mindrot.org> ---
Created attachment 3751
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3751&action=edit
Instrumented ssh-rsa.c file

Please also replace ssh-rsa.c with this file that adds some more
debugging.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

openssh bugs <bugzilla at outputservices.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3739|0                           |1
        is obsolete|                            |
   Attachment #3747|0                           |1
        is obsolete|                            |

--- Comment #12 from openssh bugs <bugzilla at outputservices.com> ---
Created attachment 3754
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3754&action=edit
latest diagnostics

with new hostfile.c,  hostfile.h,  ssh-rsa.c,  sshkey.c

plus diagnostics with ssh 6.0

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

--- Comment #13 from openssh bugs <bugzilla at outputservices.com> ---
(In reply to Damien Miller from comment #11)
> Created attachment 3751 [details]
> Instrumented ssh-rsa.c file
> 
> Please also replace ssh-rsa.c with this file that adds some more
> debugging.
I have uploaded a new diagnostics zip file.  bugzilla.zip

I compiled with the new files:  hostfile.c,  hostfile.h,  ssh-rsa.c, 
sshkey.c

I get the same results.  ssh puts the "key" into known_hosts and
known_hosts.old.

I still get invalid format when it reads the known_hosts files.

I also did a test using OpenSSH_6.0p1, OpenSSL 1.0.2t with the
known_hosts file that OpenSSH_9.4p1, OpenSSL 3.1.2 put together.

6.0p1  read the entries without issue. 

Thank you for any assistance in this matter.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3750|0                           |1
        is obsolete|                            |
   Attachment #3755|0                           |1
        is obsolete|                            |

--- Comment #14 from Damien Miller <djm at mindrot.org> ---
Created attachment 3755
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3755&action=edit
Updated sshkey.c

Please try again with the replacement sshkey.c file. I simply don't
understand what is going wrong here.

--- Comment #15 from Damien Miller <djm at mindrot.org> ---
Created attachment 3756
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3756&action=edit
Instrumented sshkey.c again

I still don't understand what is going wrong, sorry. Please give this a
try.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

openssh bugs <bugzilla at outputservices.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3754|0                           |1
        is obsolete|                            |

--- Comment #16 from openssh bugs <bugzilla at outputservices.com> ---
Created attachment 3759
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3759&action=edit
november 17 diagnostics.

That is some neat diagnostic coding you put in. Hopefully this will
help.

Still getting:

hostfile_read_key: sshkey_read /export/home/user/.ssh/known_hosts:1:
invalid format

 /export/home/user/.ssh/known_hosts:1: parse error in hostkeys file


However OpenSSH_6.0p1, OpenSSL 1.0.2t can read the known_host file that
OpenSSH_9.4p1, OpenSSL 3.1.2 creates.

Thank you for your assistance with this.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

--- Comment #17 from openssh bugs <bugzilla at outputservices.com> ---
(In reply to Damien Miller from comment #15)
> Created attachment 3756 [details]
> Instrumented sshkey.c again
> 
> I still don't understand what is going wrong, sorry. Please give
> this a try.


That is some neat diagnostic coding you put in. Hopefully this will
help.

I have uploaded the diagnostics.  bugzilla.11172023


Still getting:

hostfile_read_key: sshkey_read /export/home/user/.ssh/known_hosts:1:
invalid format

 /export/home/user/.ssh/known_hosts:1: parse error in hostkeys file


However OpenSSH_6.0p1, OpenSSL 1.0.2t can read the known_host file that
OpenSSH_9.4p1, OpenSSL 3.1.2 creates.

Thank you for your assistance with this.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3627

--- Comment #18 from openssh bugs <bugzilla at outputservices.com> ---
(In reply to Damien Miller from comment #15)
> Created attachment 3756 [details]
> Instrumented sshkey.c again
> 
> I still don't understand what is going wrong, sorry. Please give
> this a try.
Any more information from the latest set of diagnostics?

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.