[ssh_x509] Problems running keyscan

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Tue May 29 22:19:57 EEST 2018


Hi Roumen,
I'm trying to use ssh-keyscan on my system with PKIX-11, but I am running into some issues. When I use ssh-keyscan, no key is found, and in the sshd logs I see the following lines:
debug1: kex: host key algorithm: (no match) [preauth]
Unable to negotiate with 127.0.0.1 port 34544: no matching host key type found. Their offer: x509v3-ecdsa-sha2-nistp256 [preauth]
Am I missing something that I need to put into the configuration to get this to work correctly? When I try to run ssh-keyscan from my CentOS-installed OpenSSH, the keyscan works and returns the key. I've also tried this with OpenSSH 7.6 and it works properly. The failure only occurs when I use the client from my PKIX install.

I also noticed that when I run make tests LTESTS=keyscan, the sshd log will show the same negotiation failure if I prevent the script from deleting the log entries. Please let me know if there is anything I should be trying differently.

Output from PKIX ssh-keyscan:
./ssh-keyscan -v -p 20022 127.0.0.1
write (127.0.0.1): Connection reset by peer
write (127.0.0.1): Connection reset by peer
write (127.0.0.1): Connection reset by peer
write (127.0.0.1): Connection refused
write (127.0.0.1): Connection refused
write (127.0.0.1): Connection refused
write (127.0.0.1): Connection refused
write (127.0.0.1): Connection refused
write (127.0.0.1): Connection refused
write (127.0.0.1): Connection refused
write (127.0.0.1): Connection refused
write (127.0.0.1): Connection refused
debug1: match: OpenSSH_7.6 pat OpenSSH* compat 0x04000000
debug1: x.509 compatibility rfc6187_missing_key_identifier=yes: pattern 'OpenSSH*' match 'OpenSSH_7.6'
debug1: x.509 compatibility rfc6187_asn1_opaque_ecdsa_signature=yes: pattern 'OpenSSH*' match 'OpenSSH_7.6'
debug1: x.509 compatibility broken list with accepted publickey algorithms=no: pattern '*' match 'OpenSSH_7.6'
# 127.0.0.1:20022 (x509v3-ecdsa-sha2-nistp256) SSH-2.0-OpenSSH_7.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: (no match)

Output from OpenSSH ssh-keyscan:
./ssh-keyscan -v -p 20022 127.0.0.1
write (127.0.0.1): Connection reset by peer
write (127.0.0.1): Connection reset by peer
debug1: match: OpenSSH_7.6 pat OpenSSH* compat 0x04000000
# 127.0.0.1:20022 SSH-2.0-OpenSSH_7.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
[127.0.0.1]:20022 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCNpcWy+eB5Yd2z8IEByTw0pI



Thank you,
Alex
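The two keyscan runs above differ only in the host key algorithm list the client offers: the PKIX client offers x509v3-ecdsa-sha2-nistp256 alone, while the server ends up with ssh-rsa, so the RFC 4253 name-list negotiation yields "(no match)". The following is an added example, not code from Alex's post or from PKIX-SSH/OpenSSH: it models the negotiation rule from RFC 4253 section 7.1 (first name in the client's list that also appears in the server's list wins) and parses the sshd "no matching host key type found" line so the mismatch can be reproduced and spotted in a log. The server's algorithm list and the two client offers are constructed from what the logs show; that the server has only an RSA host key is an assumption.

```python
"""Added example (not part of the mailing-list post or of PKIX-SSH/OpenSSH):
reproduce and detect the host-key-algorithm mismatch shown in the thread."""
import re
from typing import Dict, List, Optional

# sshd log line emitted when no host key algorithm is common to both sides.
# The captured offer is a comma-separated SSH name-list; "[preauth]" may follow.
NO_MATCH_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching host key type found\. Their offer: (?P<offer>[^\s\[]+)"
)


def negotiate(client_list: List[str], server_list: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: walk the client's list in preference order and
    return the first name the server also supports; None means '(no match)'."""
    supported = set(server_list)
    for name in client_list:
        if name in supported:
            return name
    return None


def parse_no_match(line: str) -> Optional[Dict]:
    """Extract peer address, port and the offered name-list from an sshd
    'no matching host key type found' line; None for any other line."""
    m = NO_MATCH_RE.search(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "port": int(m.group("port")),
        "offer": m.group("offer").split(","),
    }


def find_hostkey_mismatches(log_lines: List[str]) -> List[Dict]:
    """Filter a log for host-key negotiation failures (detection helper)."""
    return [r for r in (parse_no_match(ln) for ln in log_lines) if r]


# Constructed sample input, derived from the sshd lines quoted in the post.
SSHD_LOG = [
    "debug1: kex: host key algorithm: (no match) [preauth]",
    "Unable to negotiate with 127.0.0.1 port 34544: no matching host key "
    "type found. Their offer: x509v3-ecdsa-sha2-nistp256 [preauth]",
]

# Assumption: the server has only an RSA host key, which is the only type the
# OpenSSH keyscan run returned; the two client offers mirror the debug output.
SERVER_HOSTKEY_ALGS = ["ssh-rsa"]
PKIX_KEYSCAN_OFFER = ["x509v3-ecdsa-sha2-nistp256"]
OPENSSH_KEYSCAN_OFFER = ["ssh-rsa"]
# Constructed case showing the general rule: a client that lists a plain
# algorithm after the X.509 one would still negotiate successfully.
MIXED_OFFER = ["x509v3-ecdsa-sha2-nistp256", "ssh-rsa"]


def describe(client_list: List[str], server_list: List[str]) -> str:
    chosen = negotiate(client_list, server_list)
    return chosen if chosen is not None else "(no match)"


if __name__ == "__main__":
    print("PKIX keyscan   :", describe(PKIX_KEYSCAN_OFFER, SERVER_HOSTKEY_ALGS))
    print("OpenSSH keyscan:", describe(OPENSSH_KEYSCAN_OFFER, SERVER_HOSTKEY_ALGS))
    print("mixed offer    :", describe(MIXED_OFFER, SERVER_HOSTKEY_ALGS))
    for rec in find_hostkey_mismatches(SSHD_LOG):
        print("mismatch from %s:%d, offered %s" % (rec["host"], rec["port"], rec["offer"]))
```

Running it prints "(no match)" for the PKIX offer and "ssh-rsa" for the OpenSSH one, reproducing the two debug traces, and lists the single mismatch record pulled from the constructed sshd log; the same parser can be pointed at a real sshd log to count how often clients offer only X.509 algorithm names against a host that has no matching key.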


