[ssh_x509] Problems running keyscan

ssh_x509 at roumenpetrov.info
Wed May 30 19:42:16 EEST 2018


Hi Alex,

I pressed [send] instead of [save], so my message was left incomplete.
ssh_x509 at roumenpetrov.info wrote:
> [SNIP]
>
>
>>
>> I also noticed that when I run make tests LTESTS=keyscan, the sshd 
>> log will show the same negotiation failure if I prevent the script 
>> from deleting the log entries. Please let me know if there is 
>> anything I should be trying differently.
>>
>> Output from PKIX ssh-keyscan:
>> ./ssh-keyscan -v -p 20022 127.0.0.1
>> write (127.0.0.1): Connection reset by peer
>> write (127.0.0.1): Connection reset by peer
>> write (127.0.0.1): Connection reset by peer
>> write (127.0.0.1): Connection refused
>> write (127.0.0.1): Connection refused
>> write (127.0.0.1): Connection refused
>> write (127.0.0.1): Connection refused
>> write (127.0.0.1): Connection refused
>> write (127.0.0.1): Connection refused
>> write (127.0.0.1): Connection refused
>> write (127.0.0.1): Connection refused
>> write (127.0.0.1): Connection refused
>> debug1: match: OpenSSH_7.6 pat OpenSSH* compat 0x04000000
>> debug1: x.509 compatibility rfc6187_missing_key_identifier=yes: 
>> pattern 'OpenSSH*' match 'OpenSSH_7.6'
>> debug1: x.509 compatibility rfc6187_asn1_opaque_ecdsa_signature=yes: 
>> pattern 'OpenSSH*' match 'OpenSSH_7.6'
>> debug1: x.509 compatibility broken list with accepted publickey 
>> algorithms=no: pattern '*' match 'OpenSSH_7.6'
>> # 127.0.0.1:20022 (x509v3-ecdsa-sha2-nistp256) SSH-2.0-OpenSSH_7.6
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug1: kex: algorithm: curve25519-sha256
>> debug1: kex: host key algorithm: (no match)
> The log shows 12 rejections and one response. This matches all 
> algorithms that PKIX-SSH will try (test).
>
> "Connection reset by peer" could be due to
Let me continue...

... firewall settings, while "connection refused" should be due to the 
server option MaxStartups.

There is no plan to increase the default values.
They are too restrictive for the computing power of today, but for a home 
server they should be enough.


>> Output from OpenSSH ssh-keyscan:
>> ./ssh-keyscan -v -p 20022 127.0.0.1
>> write (127.0.0.1): Connection reset by peer
>> write (127.0.0.1): Connection reset by peer
>> debug1: match: OpenSSH_7.6 pat OpenSSH* compat 0x04000000
>> # 127.0.0.1:20022 SSH-2.0-OpenSSH_7.6
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug1: kex: algorithm: curve25519-sha256
>> debug1: kex: host key algorithm: ssh-rsa
>> debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com 
>> MAC: <implicit> compression: none
>> debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com 
>> MAC: <implicit> compression: none
>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>> [127.0.0.1]:20022 ssh-rsa 
>> AAAAB3NzaC1yc2EAAAADAQABAAABAQCNpcWy+eB5Yd2z8IEByTw0pI
>>
As is visible, this program tests only 3 host key algorithms: two 
resets and one success.



The solution is for the keyscan code to be changed from asynchronous to 
synchronous mode with only one active connection. For now this has 
low priority.


A workaround is a shell script that loops over the algorithms and calls 
ssh-keyscan with only one algorithm, using the -t argument.

I hope the above could help you resolve the issue.


>>
>> Thank you,
>> Alex 

Regards,
Roumen Petrov
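The workaround described in the message above, as an added example that is not part of the original e-mail and not PKIX-SSH's own code: a POSIX shell script that probes one host key algorithm per ssh-keyscan invocation with -t, so each probe is a separate TCP connection and the server never sees a burst that trips MaxStartups. It assumes that ssh-keyscan accepts -p and -t as OpenSSH's does, that the PKIX-SSH build accepts the x509v3-* names in -t, and that a one-second pause between connections is enough for the server in question; the KEY_TYPES list and the host/port 127.0.0.1:20022 are taken from the thread as illustration, not from the project.

```shell
#!/bin/sh
# Added example, not code from the original message or from PKIX-SSH.
# Work around ssh-keyscan opening many connections at once (which shows
# up as "Connection refused" when MaxStartups is hit) by probing one
# host key algorithm per connection using -t.

# Assumption: ssh-keyscan accepts -p PORT and -t TYPE like OpenSSH's does.
KEYSCAN=${KEYSCAN:-ssh-keyscan}

# Assumption: the x509v3-* names are accepted by PKIX-SSH's -t; the plain
# names are the usual OpenSSH ones. Override via the environment as needed.
KEY_TYPES=${KEY_TYPES:-"rsa ecdsa ed25519 x509v3-ssh-rsa x509v3-ecdsa-sha2-nistp256"}

# Seconds to wait between connections so this script alone never reaches
# the server's MaxStartups limit (assumed value; 0 disables the pause).
PAUSE=${PAUSE:-1}

# scan_host HOST [PORT]
# Prints one "host type key" line per algorithm the server actually offers.
scan_host() {
    sh_host=$1
    sh_port=${2:-22}
    for sh_type in $KEY_TYPES; do
        # One algorithm, hence one TCP connection, per ssh-keyscan run.
        # A non-zero exit just means the server does not offer this type;
        # stderr ("no match", connection errors) is discarded.
        "$KEYSCAN" -p "$sh_port" -t "$sh_type" "$sh_host" 2>/dev/null || :
        if [ "$PAUSE" -gt 0 ]; then sleep "$PAUSE"; fi
    done
}

# count_keys HOST [PORT]
# Number of key lines obtained, for a quick "did anything answer" check.
count_keys() {
    scan_host "$@" | grep -c '^[^#]' || :
}

# Invoked directly: scan the host and port given on the command line,
# e.g. 127.0.0.1 20022 as in the thread.
if [ $# -gt 0 ]; then
    scan_host "$@"
fi
```

Save it as a script and run it with the host and port as arguments; the output lines have the same "host type key" layout as ssh-keyscan's own, so they can be appended to a known_hosts file as usual. Because each algorithm is tried on its own connection, a "Connection reset by peer" that still appears with this script points at the firewall rather than at MaxStartups.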



