Bug#845042: openssh-server: Generates invalid ecdsa host keys

[Santiago Vila <sanvila@unex.es>]

On Sat, Nov 19, 2016 at 08:05:15PM +0000, Colin Watson wrote:
> On Sat, Nov 19, 2016 at 07:37:54PM +0100, Santiago Vila wrote:
> > On some systems, openssh-server postinst fails to generate correct
> > ECDSA host keys:
> [...]
> > ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKXa7AmJqSutzd/0xiKpHUb9Od0FZmGBOW7CowUItSeoa2Y7mz/K5V/PLUy6Xr/pxcMvIVMIwR4dt67ZPxSobHk= root@mymachine
> 
> It appears to be a problem with reading (and fingerprinting) the public
> key rather than with generating it, perhaps?  At least, if I save that
> public key to bad-ecdsa.pub and run "ssh-keygen -l -f ./bad-ecdsa.pub"
> here, it seems quite happy with it.  That suggests that the output of
> "ssh-keygen -vvv -l -f /etc/ssh/ssh_host_ecdsa_key.pub" on a system that
> doesn't work would be of some use, perhaps under valgrind.

The machine where it happens is a QEMU/KVM virtual machine. I believed
this to be a bug in ssh because downgrading to the jessie version
fixed the issue, but now I'm not sure.

In the same machine another weird thing happens: disk I/O performance
is radically worse than the host (native) system.

I'll try to investigate a little bit more.

Thanks.