[ssh_x509] Host key verification failure

ssh_x509 at roumenpetrov.info
Mon May 15 23:33:05 EEST 2017

Hi Devaki,

ssh_x509 at roumenpetrov.info wrote:
> Hello,
> Simple as it may sound, I have been struggling with Host key verification failure with patches X509-10.0 and X509-10.1.1.  The SSH connection inconsistently fails due to host key verification failure with x509v3-sign-rsa and x509v3-ssh-rsa algorithms.
I'm not able to reproduce the issue.

> I've been struggling with this issue for over a week trying to identify a root-cause to no avail. This behavior is observed with baseline code where the only variable is a new patch.
> Below are my known_hosts and authorized_key files that have been working solid up until we installed X509-10.0/X509-10.1.1 patch to get support for x509v3-ssh-rsa algorithm (RFC 6187).
> Known_hosts (neither of the formats works)
> ----------------
> X208 x509v3-sign-rsa subject= CN=x208,OU=UK R&D,O=Cisco,L=Ruscombe,ST=Berkshire,C=GB
>  x509v3-sign-rsa subject= CN=x208,OU=UK R&D,O=Cisco,L=Ruscombe,ST=Berkshire,C=GB
> X208,  x509v3-sign-rsa subject= CN=x208,OU=UK R&D,O=Cisco,L=Ruscombe,ST=Berkshire,C=GB

Format looks fine.
My test is with X.509 host key generated from regression tests - 
Line in known_hosts is: x509v3-sign-rsa Subject= C=XX,ST=World,O=SSH Test Team cyrillic-АБВ-Яабв-я greek-ΑΒΓ-Ωαβγ-ω,OU=SSH Testers cyrillic-АБВ-Яабв-я greek-ΑΒΓ-Ωαβγ-ω-2,OU=SSH Testers cyrillic-АБВ-Яабв-я greek-ΑΒΓ-Ωαβγ-ω-1,OU=SSH Testers cyrillic-АБВ-Яабв-я greek-ΑΒΓ-Ωαβγ-ω-3,CN=localhost RSA(rsa_sha1)

> Authorized_keys
> --------------------
> x509v3-sign-rsa subject= CN=x201,OU=UK R&D,O=Cisco,L=Ruscombe,ST=Berkshire,C=GB
> sshd_config
> ------------
> [SNIP]
> ssh_config
> ------------
> [SNIP]
> Debug output of SSH connection:
> ssh -F /tandberg/portforward/ssh_config -vvv _pfwd at -p 2222:
> [SNIP]
> debug3: x509_to_key: X509_get_pubkey done!
> debug3: put_host_port: []:2222
> debug3: put_host_port: []:2222
> No RSA+cert host key is known for []:2222 and you have requested strict checking.
> Host key verification failed.
> Any insight into this issue will be greatly appreciated.

In case of success (line exists) log is:
debug3: put_host_port: []:10022
debug3: put_host_port: []:10022
debug3: hostkeys_foreach: reading file "<HOME>/.ssh/known_hosts"

Your report lacks the hostkeys_foreach line ...

If there is no "known hosts file" at all (in all default locations) my log is:
debug1: Server host key: x509v3-sign-rsa SHA256:....
debug3: put_host_port: []:10022
debug3: put_host_port: []:10022
debug1: checking without port identifier
No RSA+cert host key is known for []:10022 and you have requested strict checking.
Host key verification failed.

No idea. Perhaps the tested configuration (environment) lacks "known hosts" files.

> Thank you
> Devaki Chokshi
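As an added illustration, not code from this thread or from the PKIX-SSH project, here is a small Python model of the known_hosts lookup being debugged above: it parses the `hostpattern x509v3-sign-rsa subject= DN` lines in the formats quoted, normalises the DN, and tries the `[host]:port` form first and the bare host second, as the `put_host_port` / "checking without port identifier" debug lines suggest. The sample entries are constructed, and the matching order and DN normalisation are simplifying assumptions, not the project's actual implementation.

```python
import re
from dataclasses import dataclass

# Constructed sample known_hosts lines, modelled on the formats quoted in the thread.
KNOWN_HOSTS = """\
X208 x509v3-sign-rsa subject= CN=x208,OU=UK R&D,O=Cisco,L=Ruscombe,ST=Berkshire,C=GB
[x209]:2222 x509v3-sign-rsa Subject= CN=x209,OU=UK R&D,O=Cisco,L=Ruscombe,ST=Berkshire,C=GB
"""

@dataclass
class X509Entry:
    hosts: list      # host patterns from the comma-separated first field
    keytype: str     # x509v3-sign-rsa or x509v3-ssh-rsa
    subject: str     # normalised distinguished name

def parse_subject(dn):
    """Normalise a DN: strip whitespace around each RDN, upper-case the attribute type."""
    rdns = []
    for part in dn.split(','):
        if '=' not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split('=', 1)
        rdns.append(f"{attr.strip().upper()}={value.strip()}")
    return ','.join(rdns)

def parse_known_hosts(text):
    """Parse 'hostpattern keytype subject= DN' lines; anything else is rejected."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'^(\S+)\s+(x509v3-(?:sign|ssh)-rsa)\s+subject=\s*(.+)$', line, re.I)
        if not m:
            raise ValueError(f"line {lineno}: not an X.509 subject entry")
        entries.append(X509Entry(m.group(1).split(','), m.group(2), parse_subject(m.group(3))))
    return entries

def put_host_port(host, port):
    # Hostname as the client looks it up: bare for port 22, [host]:port otherwise (assumption).
    return host if port == 22 else f"[{host}]:{port}"

def find_host_key(entries, host, port, subject):
    """Return the entry whose host pattern and subject match, else None; [host]:port tried first."""
    want = parse_subject(subject)
    for candidate in (put_host_port(host, port), host):
        for entry in entries:
            if candidate.lower() in (h.lower() for h in entry.hosts) and entry.subject == want:
                return entry
    return None
```

A `None` result corresponds to the "No RSA+cert host key is known for [host]:port" path in the debug output; a trailing comma or stray whitespace in the host field produces an empty pattern that matches nothing, which is one thing worth checking in a hand-edited known_hosts.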


Secure shell with X.509 certificate support

More information about the ssh_x509 mailing list