Re: PuTTY failing "Server's host key did not match the signature supplied" suddenly



On Mar 11, 9:44 am, comph...@xxxxxxxxx (Todd H.) wrote:
Raymond <rpa...@xxxxxxxxx> writes:
Ok, this is what I get:

# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 4b:22:b7:31:73:66:64:07:c5:2d:51:3e:69:82:9e:53 /etc/ssh/ssh_host_rsa_key.pub
# ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
1024 fb:23:96:4f:96:fa:ca:3a:d1:a2:d3:69:96:a0:7c:1e /etc/ssh/ssh_host_dsa_key.pub

Don't need to be root to do these typically, fwiw. What machine did
you run this on?


On the server console itself.

switch to a normal user:
$ ssh mydomainname.com
The authenticity of host 'mydomainname.com (00.000.000.000)' can't be established.
RSA key fingerprint is 4b:22:b7:31:73:66:64:07:c5:2d:51:3e:69:82:9e:53.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mydomainname.com,00.000.000.000' (RSA) to the list of known hosts.
hash mismatch
key_verify failed for server_host_key

Okay. Redo that with the -v switch and post here. -v is for
verbose and will tell you far more detail as to where exactly it's
failing.

And where was this done from?

On the same server itself too. I had replaced the actual domain name
and IP Address with the dummy "mydomainname.com" for privacy.

This is what I get with the -v flag:

$ ssh -v localhost
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/xxxx/.ssh/identity type -1
debug1: identity file /home/xxxx/.ssh/id_rsa type 1
debug1: identity file /home/xxxx/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/xxxx/.ssh/known_hosts:2
hash mismatch
debug1: ssh_rsa_verify: signature incorrect
key_verify failed for server_host_key


$ ssh -v localhost
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/xxxx/.ssh/identity type -1
debug1: identity file /home/xxxx/.ssh/id_rsa type 1
debug1: identity file /home/xxxx/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/xxxx/.ssh/known_hosts:2
RSA_public_decrypt failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
debug1: ssh_rsa_verify: signature incorrect
key_verify failed for server_host_key

I had replaced the actual username with "xxxx" for privacy.

$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 4b:22:b7:31:73:66:64:07:c5:2d:51:3e:69:82:9e:53.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
hash mismatch
key_verify failed for server_host_key

Was this done from the perspective of your domain?

The strange thing is, if I tried hard enough, retrying the connection
repeatedly, it will sometimes get connected.
Both openssh client and PuTTY exhibit the same problem. I would think
that the problem lies with openssh server then.

Any load balancing going on that you might not be aware of?  

Nope. No load balancing, only 1 server.


How do I troubleshoot this kind of problem? Any logs that I can
watch?

/var/log/messages perhaps, depending on the logging level.
Wherever /etc/syslog.conf points all stuff to.

--
Todd H.
http://www.toddh.net/
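
Added example, not part of the original thread: a small Python triage of the `ssh -v` output above, separating a host key that matches known_hosts but whose key-exchange signature fails (both verbose runs here) from a changed host key, and tallying repeated attempts. The sample logs are constructed from lines quoted in the thread plus one constructed successful run; the function names and verdict labels are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input: tails of the `ssh -v` runs quoted in the thread,
# plus one constructed successful run (the poster says some retries connect).
RUN_HASH = """debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/xxxx/.ssh/known_hosts:2
hash mismatch
debug1: ssh_rsa_verify: signature incorrect
key_verify failed for server_host_key
"""
RUN_PADDING = """debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/xxxx/.ssh/known_hosts:2
RSA_public_decrypt failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
debug1: ssh_rsa_verify: signature incorrect
key_verify failed for server_host_key
"""
RUN_FIRST = """Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
hash mismatch
key_verify failed for server_host_key
"""
RUN_OK = """debug1: Host 'localhost' is known and matches the RSA host key.
debug1: SSH2_MSG_NEWKEYS sent
"""

KNOWN = re.compile(r"Host '([^']+)' is known and matches the (\w+) host key")
DETAIL = re.compile(r"^(hash mismatch|RSA_public_decrypt failed: .*)$", re.M)

def classify(log):
    """Return (verdict, detail) for one client log. Verdict labels are hypothetical."""
    known = KNOWN.search(log)
    detail = DETAIL.search(log)
    sig_failed = "key_verify failed for server_host_key" in log
    if "REMOTE HOST IDENTIFICATION HAS CHANGED" in log:
        verdict = "host-key-changed"              # stored key differs from offered key
    elif sig_failed and known:
        verdict = "signature-failed-key-matches"  # same key, bad KEX signature
    elif sig_failed:
        verdict = "signature-failed-key-new"      # key was only just accepted
    else:
        verdict = "no-host-key-error"
    return verdict, (detail.group(1) if detail else None)

def tally(logs):
    """Count verdicts over repeated attempts to quantify an intermittent failure."""
    return Counter(classify(log)[0] for log in logs)

if __name__ == "__main__":
    print(tally([RUN_HASH, RUN_PADDING, RUN_FIRST, RUN_OK]))
```

A run classified as signature-failed-key-matches means the client already trusts the offered key, so removing the known_hosts entry will not change the outcome.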