Christian Kujau
2025-Oct-28 10:46 UTC
ssh_dispatch_run_fatal: incorrect signature with mlkem768x25519-sha256
Hello list,
I have this PowerBook G4 with OpenBSD 7.6 (macppc, OpenSSH_9.9, LibreSSL
4.0.0) installed but haven't used it in a while. Switched it on and wanted
to SSH from my Macbook (M2, with macOS 26 installed, OpenSSH_10.0p2,
LibreSSL 3.3.6) to the Powerbook but:
$ ssh 192.168.178.62
ssh_dispatch_run_fatal: Connection to 192.168.178.62 port 22: incorrect
signature
I mention the architectures of both systems because I suspected some kind
of endianess problem first. Or a problem with the G4's system time (which
turned out to be correct). I've searched the interwebs for this message
but nothing really fit, so I fiddled around with some SSH parameters. And
it turns out that switching to a key exchange algorithm helps, see below.
But I wonder why this is the case, and why it does produce this error
message.
When using an unsupported KexAlgorithm the client balks with:
$ ssh -o KexAlgorithms=foo 192.168.178.62
Unsupported KEX algorithm "foo"
command-line line 0: Bad SSH2 KexAlgorithms 'foo'.
Or, if unsupported by the server:
$ ssh -o KexAlgorithms=diffie-hellman-group-exchange-sha1 192.168.178.62
Unable to negotiate with 192.168.178.62 port 22: no matching key exchange
method found. Their offer: [...]
But that "incorrect signature" really puzzled me. Trying all the
server
offered KexAlgorithms returned the following results below. And looking at
them more closely it only returned that error for mlkem768x25519-sha256,
which happens to be the default for the SSH client from macOS. But, this
is also the default for the SSH client of a Linux Arch machine on the same
network (OpenSSH_10.2p1, OpenSSL 3.6.0), which produced the same error
message.
So, instead of turning to the SSH client vendors (Apple, Arch, ...) to
change the default, I guess my questions are:
* Why is this message printed in the first place? What makes
mlkem768x25519-sha256 so special (apart from being fairly new, I guess?)
that triggers this message?
* And why is this only happening in combination with the sshd from
OpenBSD, as the default works fine for other sshd implementations.
Ideas welcome :-)
Thanks,
Christian.
========================$ ssh -F /dev/null -v 192.168.178.62
debug1: OpenSSH_10.0p2, LibreSSL 3.3.6
debug1: Reading configuration data /dev/null
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 192.168.178.62 [192.168.178.62] port 22.
debug1: Connection established.
debug1: identity file /Users/christian/.ssh/id_rsa type -1
debug1: identity file /Users/christian/.ssh/id_rsa-cert type -1
debug1: identity file /Users/christian/.ssh/id_ecdsa type -1
debug1: identity file /Users/christian/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/christian/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/christian/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/christian/.ssh/id_ed25519 type -1
debug1: identity file /Users/christian/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/christian/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/christian/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/christian/.ssh/id_xmss type -1
debug1: identity file /Users/christian/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_10.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.9
debug1: compat_banner: match: OpenSSH_9.9 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.178.62:22 as 'christian'
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: mlkem768x25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519
SHA256:bYTEMDYnC44pSj18fjzqJkzaGvqQeAOzgZaf8Jr0wg8
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: Host '192.168.178.62' is known and matches the ED25519 host key.
debug1: Found key in /Users/christian/.ssh/known_hosts2:882
debug2: ssh_ed25519_verify: crypto_sign_ed25519_open failed: -1
ssh_dispatch_run_fatal: Connection to 192.168.178.62 port 22: incorrect
signature
$ man ssh_config | grep -A1 -B2 mlkem768x25519-sha256
The default is:
mlkem768x25519-sha256,
sntrup761x25519-sha512,sntrup761x25519-sha512 at openssh.com,
$ for k in $(cat foo); do echo "### ${k}"
ssh -F /dev/null -i ~/.ssh/key -o KexAlgorithms=${k} dummy at 192.168.178.62
uname -rm; done
### sntrup761x25519-sha512
7.6 macppc
### sntrup761x25519-sha512 at openssh.com
7.6 macppc
### mlkem768x25519-sha256
ssh_dispatch_run_fatal: Connection to 192.168.178.62 port 22: incorrect
signature
### curve25519-sha256
7.6 macppc
### curve25519-sha256 at libssh.org
7.6 macppc
### ecdh-sha2-nistp256
7.6 macppc
### ecdh-sha2-nistp384
7.6 macppc
### ecdh-sha2-nistp521
7.6 macppc
### diffie-hellman-group-exchange-sha256
7.6 macppc
### diffie-hellman-group16-sha512
7.6 macppc
### diffie-hellman-group18-sha512
7.6 macppc
### diffie-hellman-group14-sha256
7.6 macppc
### ext-info-s
Unsupported KEX algorithm "ext-info-s"
command-line line 0: Bad SSH2 KexAlgorithms 'ext-info-s'.
### kex-strict-s-v00 at openssh.com
Unsupported KEX algorithm "kex-strict-s-v00 at openssh.com"
command-line line
0: Bad SSH2 KexAlgorithms 'kex-strict-s-v00 at openssh.com'.
--
BOFH excuse #356:
the daemons! the daemons! the terrible daemons!
Sam James
2025-Oct-28 11:10 UTC
ssh_dispatch_run_fatal: incorrect signature with mlkem768x25519-sha256
Christian Kujau <mindrot at nerdbynature.de> writes:> Hello list, > > I have this PowerBook G4 with OpenBSD 7.6 (macppc, OpenSSH_9.9, LibreSSL > 4.0.0) installed but haven't used it in a while. Switched it on and wanted > to SSH from my Macbook (M2, with macOS 26 installed, OpenSSH_10.0p2, > LibreSSL 3.3.6) to the Powerbook but: > > $ ssh 192.168.178.62 > ssh_dispatch_run_fatal: Connection to 192.168.178.62 port 22: incorrect signatureMight be a miscompilation like https://github.com/llvm/llvm-project/issues/163053 was (of course not exactly the same). Does it happen if you use ./configure --without-hardening?> [...]sam
Damien Miller
2025-Oct-28 22:31 UTC
ssh_dispatch_run_fatal: incorrect signature with mlkem768x25519-sha256
On Tue, 28 Oct 2025, Christian Kujau wrote:> Hello list, > > I have this PowerBook G4 with OpenBSD 7.6 (macppc, OpenSSH_9.9, LibreSSL > 4.0.0) installed but haven't used it in a while. Switched it on and wanted > to SSH from my Macbook (M2, with macOS 26 installed, OpenSSH_10.0p2, > LibreSSL 3.3.6) to the Powerbook but: > > $ ssh 192.168.178.62 > ssh_dispatch_run_fatal: Connection to 192.168.178.62 port 22: incorrect signatureThis is probably fixed by this, which landed after 9.9: commit cf3e48ee8ba1beeccddd2f203b558fa102be67a2 Author: djm at openbsd.org <djm at openbsd.org> Date: Sun Oct 27 02:06:01 2024 +0000 upstream: fix ML-KEM768x25519 KEX on big-endian systems; spotted by jsg@ feedback/ok deraadt@ OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0