[ssh_x509] Host key verification failure

ssh_x509 at roumenpetrov.info
Mon May 15 23:33:05 EEST 2017


Hi Devaki,


ssh_x509 at roumenpetrov.info wrote:
> Hello,
>
> Simple as it may sound, I have been struggling with Host key verification failure with patches X509-10.0 and X509-10.1.1.  The SSH connection inconsistently fails due to host key verification failure with x509v3-sign-rsa and x509v3-ssh-rsa algorithms.
I'm not able to reproduce the issue.

> I've been struggling with this issue for over a week trying to identify a root-cause to no avail. This behavior is observed with baseline code where the only variable is a new patch.
>
> Below are my known_hosts and authorized_keys files that have been working solid up until we installed the X509-10.0/X509-10.1.1 patch to get support for the x509v3-ssh-rsa algorithm (RFC 6187).
>
> Known_hosts (neither of the formats works)
> ----------------
> X208 x509v3-sign-rsa subject= CN=x208,OU=UK R&D,O=Cisco,L=Ruscombe,ST=Berkshire,C=GB
> 10.50.157.208  x509v3-sign-rsa subject= CN=x208,OU=UK R&D,O=Cisco,L=Ruscombe,ST=Berkshire,C=GB
> X208, 10.50.157.208  x509v3-sign-rsa subject= CN=x208,OU=UK R&D,O=Cisco,L=Ruscombe,ST=Berkshire,C=GB

Format looks fine.
My test is with an X.509 host key generated from the regression tests - 
tests/CA/testhostkey_rsa-rsa_sha1.
The line in known_hosts is:
127.15.0.20 x509v3-sign-rsa Subject= C=XX,ST=World,O=SSH Test Team 
cyrillic-АБВ-Яабв-я greek-ΑΒΓ-Ωαβγ-ω,OU=SSH Testers cyrillic-АБВ-Яабв-я 
greek-ΑΒΓ-Ωαβγ-ω-2,OU=SSH Testers cyrillic-АБВ-Яабв-я 
greek-ΑΒΓ-Ωαβγ-ω-1,OU=SSH Testers cyrillic-АБВ-Яабв-я 
greek-ΑΒΓ-Ωαβγ-ω-3,CN=localhost RSA(rsa_sha1)



> Authorized_keys
> --------------------
> x509v3-sign-rsa subject= CN=x201,OU=UK R&D,O=Cisco,L=Ruscombe,ST=Berkshire,C=GB
>
> sshd_config
> ------------
> [SNIP]
>
>
> ssh_config
> ------------
> [SNIP]
>
> Debug output of SSH connection:
>
> ssh -F /tandberg/portforward/ssh_config -vvv _pfwd at 10.50.157.208 -p 2222:
>
> [SNIP]
> debug3: x509_to_key: X509_get_pubkey done!
> debug3: put_host_port: [10.50.157.208]:2222
> debug3: put_host_port: [10.50.157.208]:2222
> No RSA+cert host key is known for [10.50.157.208]:2222 and you have requested strict checking.
> Host key verification failed.
>
>
> Any insight into this issue will be greatly appreciated.

In case of success (line exists) the log is:
debug3: put_host_port: [127.15.0.20]:10022
debug3: put_host_port: [127.15.0.20]:10022
debug3: hostkeys_foreach: reading file "<HOME>/.ssh/known_hosts"

Your report lacks the line hostkeys_foreach ...


If there is no "known hosts file" at all (in all default locations) my 
log is:
debug1: Server host key: x509v3-sign-rsa SHA256:....
debug3: put_host_port: [127.15.0.20]:10022
debug3: put_host_port: [127.15.0.20]:10022
debug1: checking without port identifier
No RSA+cert host key is known for [127.15.0.20]:10022 and you have 
requested strict checking.
Host key verification failed.

No idea. Perhaps the tested configuration (environment) lacks "known 
hosts" files.

> Thank you
> Devaki Chokshi

Roumen


-- 
Secure shell with X.509 certificate support
http://roumenpetrov.info/secsh/
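To make the lookup discussed above concrete, here is an added example (not code from the thread or from the X.509 patch) that parses known_hosts lines written in the patch's "x509v3-sign-rsa subject=" form and checks whether a given host, port, key type and certificate subject would match. The sample file is constructed from the thread's values; the fallback to the bare host after "[host]:port" is an assumption taken from the "checking without port identifier" debug line, not a documented rule of the patch.

```python
import re

# Constructed sample known_hosts content in the X.509 patch's "subject=" form;
# host names and the DN are modelled on the thread above, not a real file.
KNOWN_HOSTS = """\
x208,10.50.157.208 x509v3-sign-rsa subject= CN=x208,OU=UK R&D,O=Cisco,L=Ruscombe,ST=Berkshire,C=GB
[10.50.157.208]:2222 x509v3-sign-rsa subject= CN=x208,OU=UK R&D,O=Cisco,L=Ruscombe,ST=Berkshire,C=GB
"""

def normalize_dn(dn):
    # Trim whitespace around each RDN and case-fold attribute names so that
    # "cn=x208, OU=..." and "CN=x208,OU=..." compare equal (no escaped-comma support).
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(parts)

def parse_known_hosts(text):
    # Return (host patterns, key type, normalized DN) for each X.509 entry;
    # fields are whitespace separated and the first is a comma-separated host list.
    entries = []
    for raw in text.splitlines():
        fields = raw.strip().split(None, 2)
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        hosts, keytype, rest = fields
        if not keytype.startswith("x509v3-"):
            continue  # only the DN-based entry form is handled here
        dn = re.sub(r"^subject=\s*", "", rest, flags=re.IGNORECASE)
        entries.append((hosts.lower().split(","), keytype, normalize_dn(dn)))
    return entries

def host_patterns(host, port):
    # Non-default ports are stored as "[host]:port"; the failing log above also
    # shows "checking without port identifier", so (assumption) the bare host is
    # tried afterwards.
    host = host.lower()
    return [host] if port == 22 else [f"[{host}]:{port}", host]

def find_host_entry(text, host, port, keytype, dn):
    """Return the matching host pattern, or None (strict checking would fail)."""
    wanted = normalize_dn(dn)
    entries = parse_known_hosts(text)
    for pattern in host_patterns(host, port):
        for hosts, ktype, known_dn in entries:
            if pattern in hosts and ktype == keytype and known_dn == wanted:
                return pattern
    return None
```

A None result for a host that should be known points at the file contents or the file location, which is exactly what the missing hostkeys_foreach line in the report suggests.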
