[ssh_x509] Problems running keyscan

ssh_x509 at roumenpetrov.info
Wed May 30 19:27:05 EEST 2018


ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen,
> I'm trying to use ssh-keyscan on my system with PKIX-11 but I am running into some issues. When I use ssh-keyscan, I do not get a key found and in the sshd logs, I see the following lines:
> debug1: kex: host key algorithm: (no match) [preauth]
The interesting information is before this message, at debug2 level.
...
debug2: local server KEXINIT proposal
debug2: KEX algorithms: ...
debug2: host key algorithms: ... <= (1) host keys on remote (server) side

debug2: peer client KEXINIT proposal
...
debug2: host key algorithms: .... <= (2) the algorithms on this line are those 
requested by the client, according to the specification for the KEX initialization message.
...
debug1: kex: algorithm: ...
debug1: kex: host key algorithm: (no match)   <= this means that there is 
no intersection between (1) and (2)


> Unable to negotiate with 127.0.0.1 port 34544: no matching host key type found. Their offer: x509v3-ecdsa-sha2-nistp256 [preauth]
This repeats the algorithms from (2).


keyscan sends separate KEX messages for each host key algorithm.



> Am I missing something that I need to put into configuration to get this to work correctly? When I try to run ssh-keyscan from my CentOS installed OpenSSH, the keyscan works and returns the key. I've also tried this with OpenSSH 7.6 and it works properly. The failure only occurs when I use my client from my PKIX install.
keyscan mostly uses predefined parameters (options). Option -t could be 
used to set one or more algorithms.

>
> I also noticed that when I run make tests LTESTS=keyscan, the sshd log will show the same negotiation failure if I prevent the script from deleting the log entries. Please let me know if there is anything I should be trying differently.
>
> Output from PKIX ssh-keyscan:
> ./ssh-keyscan -v -p 20022 127.0.0.1
> write (127.0.0.1): Connection reset by peer
> write (127.0.0.1): Connection reset by peer
> write (127.0.0.1): Connection reset by peer
> write (127.0.0.1): Connection refused
> write (127.0.0.1): Connection refused
> write (127.0.0.1): Connection refused
> write (127.0.0.1): Connection refused
> write (127.0.0.1): Connection refused
> write (127.0.0.1): Connection refused
> write (127.0.0.1): Connection refused
> write (127.0.0.1): Connection refused
> write (127.0.0.1): Connection refused
> debug1: match: OpenSSH_7.6 pat OpenSSH* compat 0x04000000
> debug1: x.509 compatibility rfc6187_missing_key_identifier=yes: pattern 'OpenSSH*' match 'OpenSSH_7.6'
> debug1: x.509 compatibility rfc6187_asn1_opaque_ecdsa_signature=yes: pattern 'OpenSSH*' match 'OpenSSH_7.6'
> debug1: x.509 compatibility broken list with accepted publickey algorithms=no: pattern '*' match 'OpenSSH_7.6'
> # 127.0.0.1:20022 (x509v3-ecdsa-sha2-nistp256) SSH-2.0-OpenSSH_7.6
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: algorithm: curve25519-sha256
> debug1: kex: host key algorithm: (no match)
The log shows 12 rejections and one response. This matches all the algorithms 
that PKIX-SSH will try (test).

"Connection reset by peer" could be due to



> Output from OpenSSH ssh-keyscan:
> ./ssh-keyscan -v -p 20022 127.0.0.1
> write (127.0.0.1): Connection reset by peer
> write (127.0.0.1): Connection reset by peer
> debug1: match: OpenSSH_7.6 pat OpenSSH* compat 0x04000000
> # 127.0.0.1:20022 SSH-2.0-OpenSSH_7.6
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: algorithm: curve25519-sha256
> debug1: kex: host key algorithm: ssh-rsa
> debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
> debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> [127.0.0.1]:20022 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCNpcWy+eB5Yd2z8IEByTw0pI
>
>
>
> Thank you,
> Alex
>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info


-- 
Secure shell with X.509 certificate support
http://roumenpetrov.info/secsh/
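As an added illustration of the check described in the reply above (not code from the thread, from OpenSSH or from PKIX-SSH): the script below reads the debug2 KEXINIT proposal lines that sshd prints with `-ddd`, extracts list (1), the server's host key algorithms, and list (2), the client's requested host key algorithms, and computes their intersection the way the SSH transport does (first client-preferred entry also offered by the server). It then builds the `ssh-keyscan -t` invocation that would succeed against that server. The log lines embedded in `NO_MATCH_LOG` and `MATCH_LOG` are constructed samples modelled on the lines quoted in the thread, and the function names are mine.

```python
"""Added example: find why sshd reports 'kex: host key algorithm: (no match)'.

Parses the 'local server KEXINIT proposal' / 'peer client KEXINIT proposal'
blocks from an sshd -ddd log and compares the two host key algorithm lists.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the server offers only plain OpenSSH key types while the
# keyscan probe asks for a single X.509 type, so the intersection is empty.
NO_MATCH_LOG = """\
debug2: local server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug2: host key algorithms: ssh-rsa,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com
debug2: peer client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256
debug2: host key algorithms: x509v3-ecdsa-sha2-nistp256
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: (no match) [preauth]
"""

# Constructed sample: the server has an X.509 host key, the client lists
# several types; negotiation picks the client's first type the server offers.
MATCH_LOG = """\
debug2: local server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256
debug2: host key algorithms: x509v3-ecdsa-sha2-nistp256,ssh-rsa
debug2: peer client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256
debug2: host key algorithms: x509v3-rsa2048-sha256,x509v3-ecdsa-sha2-nistp256,ssh-rsa
debug1: kex: algorithm: curve25519-sha256
"""

Proposal = Dict[str, List[str]]


def parse_proposals(log: str) -> Dict[str, Proposal]:
    """Return {'server': {...}, 'client': {...}}; each maps a proposal field
    (e.g. 'host key algorithms') to the comma-separated name-list it carried."""
    sides: Dict[str, Proposal] = {}
    current: Optional[Proposal] = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("debug2: local server KEXINIT proposal"):
            current = sides.setdefault("server", {})
        elif line.startswith("debug2: peer client KEXINIT proposal"):
            current = sides.setdefault("client", {})
        elif current is not None and line.startswith("debug2: "):
            field, sep, value = line[len("debug2: "):].partition(": ")
            if sep:  # 'KEX algorithms: a,b' -> ['a', 'b']
                current[field] = [a for a in value.split(",") if a]
        elif line.startswith("debug1:"):
            current = None  # the proposal dump is over
    return sides


def hostkey_negotiation(log: str) -> Tuple[List[str], List[str], Optional[str]]:
    """Return (server list (1), client list (2), chosen algorithm or None).

    The transport picks the first entry of the client's list that the server
    also offers; None reproduces sshd's '(no match)'."""
    sides = parse_proposals(log)
    server = sides.get("server", {}).get("host key algorithms", [])
    client = sides.get("client", {}).get("host key algorithms", [])
    chosen = next((alg for alg in client if alg in server), None)
    return server, client, chosen


def keyscan_command(host: str, port: int, server_types: List[str]) -> List[str]:
    """Build an ssh-keyscan argv that requests exactly the server's types via -t."""
    return ["ssh-keyscan", "-p", str(port), "-t", ",".join(server_types), host]


if __name__ == "__main__":
    for name, log in (("no match", NO_MATCH_LOG), ("match", MATCH_LOG)):
        server, client, chosen = hostkey_negotiation(log)
        print(f"{name}: server={server} client={client} chosen={chosen}")
        print("  try:", " ".join(keyscan_command("127.0.0.1", 20022, server)))
```

Run it against a real `sshd -ddd` capture instead of the constructed samples: an empty intersection means the `-t` list (or keyscan's built-in probe order) has to be changed on the client side, not the server configuration.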