
ssh - host key verification failed from Openssh 3.81 to F-secure 1.3.7

 
SOLVED
Manjunath_7
New Member


Hi guys,

I am running Openssh 3.81 on a hpux server (tried on 11.00 and 11i) and trying to ssh to another server (11.00 and 11i) with F-secure 1.3.7. The first time it connects and populates the known_hosts file, but with weird data, and from then on it fails, reporting "Host key verification failed". I have attached the error msgs and other relevant info. Am I missing something in the config file?
D Block 2
Respected Contributor

Re: ssh - host key verification failed from Openssh 3.81 to F-secure 1.3.7

I wonder if something or someone changed the key pair on you.

How about trying to start afresh by removing the file "known_hosts"?

Your doc shows a message:
Add correct host key in /.ssh/known_hosts to get rid of this message.
Golf is a Good Walk Spoiled, Mark Twain.
Manjunath_7
New Member

Re: ssh - host key verification failed from Openssh 3.81 to F-secure 1.3.7

Hi Tom,

I have removed the known_hosts file and tried several times. After it's removed, it works the first time and populates the known_hosts file (with that weird data), and then it fails again with "Host key verification failed".

Best Regards,
Manjunath
Ermin Borovac
Honored Contributor

Re: ssh - host key verification failed from Openssh 3.81 to F-secure 1.3.7

This is likely to be some incompatibility between openssh and f-secure ssh. Why not move to openssh altogether?
Matti_Kurkela
Honored Contributor

Re: ssh - host key verification failed from Openssh 3.81 to F-secure 1.3.7

OpenSSH 3.81 can use SSH protocol versions 1 and 2, and by default it prefers version 2.

F-secure SSH 1.3.7... isn't that rather old?
(We're using mostly OpenSSH, but I'm familiar with ssh.com's product too. I've completely lost track of F-secure SSH version numbering.)

Try adding the option "-1" to your ssh command. Maybe the F-Secure SSH is so old it does not understand SSH protocol 2 and gets confused when OpenSSH tries it first.

If it actually is that old (ssh protocol 1 has some known weaknesses), I'd strongly recommend to upgrade it.
MK
Manjunath_7
New Member

Re: ssh - host key verification failed from Openssh 3.81 to F-secure 1.3.7

Ermin,

That's the idea: to move all the servers to Openssh. We've got some 40-odd servers, and we can't move all at the same time. So we need openssh 3.81 to communicate with F-Secure 1.3.7 while we are trying to upgrade.

Matti,

F-Secure 1.3.7 uses protocol 1. That's why we always use -1 when trying to communicate from Openssh to F-Secure. Please find the attachment in my first post.

It doesn't look like a problem with F-Secure. It happily communicates with another server with F-secure and openssh. It's just that openssh 3.8.1 has a problem communicating with 1.3.7.

Has anyone come across this issue before and found a resolution? Your help will be much appreciated. Thank you
Michael Selvesteen_2
Trusted Contributor

Re: ssh - host key verification failed from Openssh 3.81 to F-secure 1.3.7

HP SSH 3.8 had some problems with protocol 1 keys. Once we upgraded to higher version the problem was solved.

A protocol 1 key should look like
"
1024 35 123473356858322757737206667861297594806779288170073394967352752118175381117124525997313420790408564744708238999991070886796997829994047201889047971200352170839538593457012658671817160030764478534339493710533876599919102289545592926922719322305418388799659830059828818562122396087836789385008295552403910964603"

But the key format is different in your case.

Try to upgrade your HP SSH (current version is 4.0). For more information, refer to the HP Secure Shell release notes.
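
An added example, not part of any post in this thread: a small Python check for known_hosts entries in the protocol 1 layout shown above (host names, then bits, exponent and modulus as decimal numbers), flagging entries whose fields are not decimal or whose modulus does not have the announced bit length. The function names and the sample entries are constructed for illustration.

```python
import re

DECIMAL = re.compile(r"[0-9]+")

def check_ssh1_entry(line):
    """Return None if the line is a well-formed protocol 1 entry, else a reason."""
    fields = line.split()
    if len(fields) < 4:
        return "expected: hostnames bits exponent modulus"
    hosts, bits, exponent, modulus = fields[:4]
    for name, value in (("bits", bits), ("exponent", exponent), ("modulus", modulus)):
        if not DECIMAL.fullmatch(value):
            return f"{name} field is not a decimal number"
    actual = int(modulus).bit_length()
    if actual != int(bits):
        return f"announced {int(bits)} bits, modulus has {actual}"
    if int(modulus) % 2 == 0:
        return "modulus is even, not a usable RSA modulus"
    return None

def audit_known_hosts(text):
    """Return [(line_number, hostnames, reason)] for entries that fail the check."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are not entries
        reason = check_ssh1_entry(stripped)
        if reason:
            findings.append((number, stripped.split()[0], reason))
    return findings

# Constructed sample, not real host keys.
GOOD_MODULUS = (1 << 1023) + 12345  # 1024 bits, odd
SAMPLE = "\n".join([
    "# constructed sample, not real host keys",
    f"fsecure01,192.0.2.10 1024 35 {GOOD_MODULUS}",   # well-formed
    f"fsecure02 1024 35 {GOOD_MODULUS >> 8}",          # bit length mismatch
    "fsecure03 1024 35 \\x8f!!garbled",                # non-decimal modulus
])

if __name__ == "__main__":
    for number, hosts, reason in audit_known_hosts(SAMPLE):
        print(f"line {number}: {hosts}: {reason}")
```
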

Ermin Borovac
Honored Contributor

Re: ssh - host key verification failed from Openssh 3.81 to F-secure 1.3.7

Just in case new version of openssh doesn't fix the problem have a look at

http://www.openssh.com/faq.html#2.5

*** START ***
2.5 - Old versions of commercial SSH encrypt host keys with IDEA.

The old versions of SSH used a patented algorithm to encrypt their /etc/ssh/ssh_host_key. This problem will manifest as sshd(8) not being able to read its host key. To solve this, use the command below to convert your ssh_host_key to use 3DES. NOTE: Use the ssh-keygen(1) program from the Commercial SSH product, *NOT* OpenSSH for the example below.

# ssh-keygen -u -f /etc/ssh/ssh_host_key

*** END ***

Not sure if this applies to your installation but it's possible that ssh host key on the F-Secure ssh server host was encrypted using IDEA algorithm which openssh doesn't support.

ssh-keygen command provided above is supposed to re-encrypt host key using 3DES algorithm. Please run this command on the F-Secure ssh server host.
Manjunath_7
New Member

Re: ssh - host key verification failed from Openssh 3.81 to F-secure 1.3.7

Ermin,

Thank you for the suggestion. I tried it out, but still got the same error.

I ran the ssh-keygen on the ssh server (running F-Secure), and then tried the ssh command from the client and ended up having the same prob. I tried a few other possibilities: removing the known_hosts file from the client, and moving the ssh_host_key from the server as well. But nothing worked.

The only workaround that worked was this: I had another server which was running Openssh 3.71, which seems to have no probs communicating with F-secure. I ftp'd the known_hosts file from that server to this one and it started working. But it's practically very difficult to do this for several users on the SSH client, given there are several servers to be done.

Any more thoughts?

Best Regards,
Manjunath
Ermin Borovac
Honored Contributor
Solution

Re: ssh - host key verification failed from Openssh 3.81 to F-secure 1.3.7

known_hosts file can be configured in the global location (such as /opt/openssh/etc/ssh_known_hosts) in addition to $HOME/.ssh/known_hosts. ssh will first check global known_hosts file and then user known_hosts file. So you could put the keys for F-Secure hosts in /opt/openssh/etc/ssh_known_hosts.
Manjunath_7
New Member

Re: ssh - host key verification failed from Openssh 3.81 to F-secure 1.3.7

Thanks to all who responded. Special thanks to Ermin.

Ermin, your suggestion to add the keys to /opt/ssh/etc/ssh_known_hosts worked. We should first remove the key in the known_hosts file (if already created before). The order is the user known_hosts file and then the server ssh_known_hosts file. If the user known_hosts file is empty then it goes ahead and checks the server ssh_known_hosts file. Thanks heaps again.

Ta,
Manjunath