
Bug#317499: marked as done (ssh fingerprint returned by sshd is incorrect(?))



Your message dated Sun, 10 Dec 2006 22:57:10 +0100
with message-id <200612102257.10394@auguste.remlab.net>
and subject line more information - please close #317499
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: normal

*** Please type your report below this line ***

I recently reinstalled a machine that was running woody with sarge,
from an official netinst cd. When I tried to connect to this machine
 - from a woody box,
 - after I had restored the ssh keys from backup
I get complaints about the fingerprint being incorrect.

When I run ssh-keygen -l -f <keyfile>, on either the new sarge
box, or the woody box I am trying to connect from, I get the same
fingerprint. This is *different* to what the woody ssh client
says is being sent by the sshd on the sarge box (I'm not sure if
they are meant to be the same).


I consider this a bug because exposing users to mismatched key
messages all the time lowers security - they will start to ignore
such messages.

What I want to be able to do is restore the existing host keys
so that users will not get complaints about mismatched keys.
I could work around by sedding out the wrong key from all users'
known_hosts, but I don't think that is a good solution...

Can you help? Can I? What other information do you need?

I did attempt running with ssh -vvv to take an initial look.
The only relevant thing seemed to be some problem finding a key:
--------------------------------<snip>--------------------------------
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 129/256
debug1: bits set: 1028/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /u/mci156/.ssh/known_hosts
debug2: key_type_from_name: unknown key type '1024'
debug3: key_read: no key found
debug3: check_host_in_hostfile: filename /u/mci156/.ssh/known_hosts
debug2: key_type_from_name: unknown key type '1024'
debug3: key_read: no key found
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)!
It is also possible that the RSA host key has just been changed.
--------------------------------<snip>--------------------------------

Note that - this is a fresh install. The sarge system does not
know about my username yet (NIS account). The machine has only
one account, for 'root'.



-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Versions of packages ssh depends on:
ii  adduser                3.63              Add and remove users and groups
ii  debconf                1.4.30.13         Debian configuration management sy
ii  dpkg                   1.10.28           Package maintenance system for Deb
ii  libc6                  2.3.2.ds1-22      GNU C Library: Shared libraries an
ii  libpam-modules         0.76-22           Pluggable Authentication Modules f
ii  libpam-runtime         0.76-22           Runtime support for the PAM librar
ii  libpam0g               0.76-22           Pluggable Authentication Modules l
ii  libssl0.9.7            0.9.7e-3          SSL shared libraries
ii  libwrap0               7.6.dbs-8         Wietse Venema's TCP wrappers libra
ii  zlib1g                 1:1.2.2-4.sarge.1 compression library - runtime

-- debconf information:
  ssh/insecure_rshd:
  ssh/ssh2_keys_merged:
  ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: false
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true
  ssh/disable_cr_auth: false



--- End Message ---
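The per-key-type known_hosts lookup behind the warning in the report above, as an added example that is not part of the original report or of OpenSSH. It skips protocol 1 lines (`host bits exponent modulus`), which is how an entry produces `unknown key type '1024'` in the trace, and prints the colon-separated MD5 fingerprint form used by OpenSSH of this vintage. Host names and key blobs are constructed placeholders; hashed host names and wildcard patterns are not handled.

```python
import base64
import hashlib
import struct

def md5_fingerprint(b64_blob):
    """MD5 of the decoded key blob as colon-separated hex (ssh-keygen -l style)."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_entry(line):
    """Return (hosts, key_type, b64_blob) for a protocol 2 line, else None."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        return None
    if fields[1].isdigit():
        # Protocol 1 layout "host bits exponent modulus": a protocol 2 lookup
        # skips it, logging "unknown key type '1024'" as in the report's trace.
        return None
    return fields[0].split(","), fields[1], fields[2]

def check_host(known_hosts_text, host, offered_line):
    """Classify an offered 'type base64' host key as 'match', 'changed' or 'new'."""
    offered_type, offered_blob = offered_line.split()[:2]
    verdict = "new"
    for line in known_hosts_text.splitlines():
        entry = parse_entry(line)
        if entry is None or host not in entry[0] or entry[1] != offered_type:
            continue  # other host, other key type, or skipped line
        if entry[2] == offered_blob:
            return "match"
        verdict = "changed"  # same host and type, different key: the warning case
    return verdict

def make_blob(key_type, body):
    """Build a constructed (not real) key blob: length-prefixed type name plus filler."""
    name = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + body).decode()

# Constructed sample data; host names and key bodies are placeholders.
OLD_RSA = make_blob("ssh-rsa", b"old-rsa-key")
NEW_RSA = make_blob("ssh-rsa", b"new-rsa-key")
DSA = make_blob("ssh-dss", b"dsa-key")
KNOWN_HOSTS = "\n".join([
    "sargebox 1024 35 1234567890123",
    f"sargebox ssh-rsa {OLD_RSA}",
    f"sargebox,192.0.2.10 ssh-dss {DSA}",
])

if __name__ == "__main__":
    for label, key in (("restored", OLD_RSA), ("regenerated", NEW_RSA)):
        print(label, md5_fingerprint(key), check_host(KNOWN_HOSTS, "sargebox", f"ssh-rsa {key}"))
```

Because the lookup is per key type, a fingerprint taken from one host key file can only be compared with the client's message when both refer to the same key type.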
--- Begin Message ---
Submitter requested closure of this bug a while ago.

On Friday 22 July 2005 03:05, you wrote:
> tags: close
>
> I did some more checking. This is not a bug, it's a PEBKC.
(...)

-- 
Rémi Denis-Courmont

--- End Message ---
