--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: ssh fingerprint returned by sshd is incorrect(?)
- From: Vincent McIntyre <Vince.McIntyre@atnf.csiro.au>
- Date: Sat, 9 Jul 2005 17:04:00 +1000 (EST)
- Message-id: <Pine.LNX.4.44.0507091652310.12864-100000@bedlam.atnf.CSIRO.AU>
Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: normal
*** Please type your report below this line ***
I recently reinstalled a machine that was running woody with sarge,
from an official netinst cd. When I tried to connect to this machine
- from a woody box,
- after I had restored the ssh keys from backup
I get complaints about the fingerprint being incorrect.
When I run ssh-keygen -l -f <keyfile>, on either the new sarge
box, or the woody box I am trying to connect from, I get the same
fingerprint. This is *different* to what the woody ssh client
says is being sent by the sshd on the sarge box (I'm not sure if
they are meant to be the same).
I consider this a bug because exposing users to mismatched key
messages all the time lowers security - they will start to ignore
such messages.
What I want to be able to do is restore the existing host keys
so that users will not get complaints about mismatched keys.
I could work around by sedding out the wrong key from all users'
known_hosts, but I don't think that is a good solution...
Can you help? Can I? What other information do you need?
I did attempt running with ssh -vvv to take an initial look.
The only relevant thing seemed to be some problem finding a key:
--------------------------------<snip>--------------------------------
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 129/256
debug1: bits set: 1028/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /u/mci156/.ssh/known_hosts
debug2: key_type_from_name: unknown key type '1024'
debug3: key_read: no key found
debug3: check_host_in_hostfile: filename /u/mci156/.ssh/known_hosts
debug2: key_type_from_name: unknown key type '1024'
debug3: key_read: no key found
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)!
It is also possible that the RSA host key has just been changed.
--------------------------------<snip>--------------------------------
Note that this is a fresh install. The sarge system does not
know about my username yet (NIS account). The machine has only
one account, for 'root'.
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)
Versions of packages ssh depends on:
ii adduser 3.63 Add and remove users and groups
ii debconf 1.4.30.13 Debian configuration management sy
ii dpkg 1.10.28 Package maintenance system for Deb
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7e-3 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.2-4.sarge.1 compression library - runtime
-- debconf information:
ssh/insecure_rshd:
ssh/ssh2_keys_merged:
ssh/user_environment_tell:
* ssh/forward_warning:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: false
ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true
ssh/disable_cr_auth: false
--- End Message ---
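The comparison the report describes doing by hand, restated as an added example that is not part of the bug report or of OpenSSH: it computes the MD5 fingerprint that `ssh-keygen -l -f` printed for protocol-2 public keys in OpenSSH 3.x (the colon-separated MD5 of the decoded base64 key blob) and checks a key a server presents against a known_hosts file, telling protocol-1 entries (`host 1024 35 <modulus>`, where a protocol-2 client expects a key type name) apart from protocol-2 ones. The hostnames, addresses and keys are constructed for the example, and the moduli are small placeholders rather than real RSA keys.

```python
# Added example (not from the bug report or OpenSSH): recompute the MD5
# fingerprint that `ssh-keygen -l -f` printed for protocol-2 keys in OpenSSH
# 3.x, and compare a host key observed from a server against a known_hosts
# file. All hostnames, addresses and keys below are constructed.
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint for n >= 0: big-endian, with a leading 0x00
    whenever the top bit of the first byte would otherwise be set."""
    if n == 0:
        return _ssh_string(b"")
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line from (e, n).
    Blob layout per RFC 4253: string "ssh-rsa", mpint e, mpint n. The moduli
    used below are tiny constructed integers, not usable RSA keys."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def pubkey_blob(pubkey_line: str) -> str:
    """Return the base64 blob field of a '<type> <base64> [comment]' line."""
    return pubkey_line.split()[1]


def fingerprint(pubkey_line: str) -> str:
    """MD5 of the decoded blob as 16 colon-separated hex bytes, as
    `ssh-keygen -l -f` printed it for protocol-2 keys at the time of the
    report. It depends only on the key blob: the same key file gives the
    same fingerprint on every machine, and the comment, file name or
    hostname stored beside it never changes it."""
    digest = hashlib.md5(base64.b64decode(pubkey_blob(pubkey_line))).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_known_hosts_line(line: str):
    """Classify one known_hosts entry; None for blank, comment or short lines.
    Protocol-2 entry: 'host[,alias...] ssh-rsa AAAA... [comment]'
    Protocol-1 entry: 'host[,alias...] 1024 35 <decimal modulus> [comment]'
    In a protocol-1 entry the field where a protocol-2 client expects a key
    type name holds the key size, which is why such lines are reported as
    "unknown key type '1024'" and skipped when a protocol-2 key is looked up."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        return None
    hosts = fields[0].split(",")
    if fields[1].isdigit():  # protocol-1 layout: bits exponent modulus
        if len(fields) < 4:
            return None
        return {"hosts": hosts, "proto": 1, "type": "rsa1", "key": " ".join(fields[1:4])}
    return {"hosts": hosts, "proto": 2, "type": fields[1], "key": fields[2]}


def check_host(known_hosts_text: str, host: str, key_type: str, b64_blob: str) -> str:
    """Return 'OK', 'CHANGED' or 'UNKNOWN' for the key a server presented:
    a matching entry; an entry for this host and key type holding a different
    key (the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning); or no usable
    entry at all (the prompt to accept a new key). Protocol-1 entries are
    skipped, as a protocol-2 lookup does."""
    host_has_entry = False
    for line in known_hosts_text.splitlines():
        entry = parse_known_hosts_line(line)
        if entry is None or entry["proto"] != 2:
            continue
        if host not in entry["hosts"] or entry["type"] != key_type:
            continue
        host_has_entry = True
        if entry["key"] == b64_blob:
            return "OK"
    return "CHANGED" if host_has_entry else "UNKNOWN"


# Constructed sample data: a host key restored from backup, a different freshly
# generated one, and a client known_hosts holding a protocol-1 line plus the
# backup key.
BACKUP_KEY = make_rsa_pubkey_line(65537, 0xC0FFEEBADC0DE0123456789ABCDEF, "root@sargebox")
FRESH_KEY = make_rsa_pubkey_line(65537, 0xDEADBEEFCAFEF00DFEDCBA987654321, "root@sargebox")
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts of the connecting client",
    "sargebox,192.0.2.10 1024 35 1234567890123456789012345678901234567890 root@sargebox",
    "sargebox,192.0.2.10 " + BACKUP_KEY,
])


def demo() -> dict:
    """Run the comparison a user would otherwise do by hand and return the verdicts."""
    return {
        "backup_fingerprint": fingerprint(BACKUP_KEY),
        "fresh_fingerprint": fingerprint(FRESH_KEY),
        "restored_key_presented": check_host(KNOWN_HOSTS, "sargebox", "ssh-rsa", pubkey_blob(BACKUP_KEY)),
        "fresh_key_presented": check_host(KNOWN_HOSTS, "sargebox", "ssh-rsa", pubkey_blob(FRESH_KEY)),
        "host_never_seen": check_host(KNOWN_HOSTS, "otherbox", "ssh-rsa", pubkey_blob(BACKUP_KEY)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %s" % (name, value))
```

Because the fingerprint is a function of the key blob alone, identical key files produce identical fingerprints on both machines, which is what the reporter observed with `ssh-keygen -l -f`. A fingerprint reported by the client that differs from the one computed over the server's key file therefore means the running sshd is presenting a different key than the file being inspected; before any user's known_hosts is edited, it is worth confirming which files the daemon actually loads (its `HostKey` directives in sshd_config) and comparing their fingerprints with the client's report out of band, since silently removing entries is exactly the habit the report warns against.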