Closed (eminence closed this issue 7 years ago)
Could you please run the following command on rtr and attach the output?

```
ssh-keygen -l -f ~/.ssh/known_hosts -E md5 -F bigbox
```
```
achin@rtr ~/tmp/06 $ ssh-keygen -l -f ~/.ssh/known_hosts -E md5 -F bigbox
# Host bigbox found: line 29
bigbox ED25519 MD5:44:47:64:19:84:3f:d3:88:f4:3a:69:15:20:c7:5e:45
```

and here's the same command on bigbox:

```
achin@bigbox ~ $ ssh-keygen -l -f ~/.ssh/known_hosts -E md5 -F bigbox
# Host bigbox found: line 29
bigbox ECDSA MD5:10:88:b3:2e:53:db:8a:26:72:41:5c:f8:98:fc:98:a6
```
I see, the problem is that the known key for bigbox registered on rtr is of type ED25519, but we negotiate on ECDSA when setting up the connection. I will try creating a fix so that our client uses the existing key type from known hosts (if one exists) as a first preference during cipher suite negotiation.

In the meantime, I think you can resolve the issue by installing bigbox's additional key into rtr's known_hosts file, by running the following on rtr:

```
ssh -o UpdateHostKeys=yes bigbox
```

(Note that this is secure, as the additional key is installed after the identity of the remote host is verified using the existing key.)
Sorry for the trouble. I appreciate the feedback!
Fixed in 80094e514d4826d4615c89b001966961bc7abe8b: if a key for the host appears in the known_hosts file on the local machine, the type of that key will be used as a first preference in the key exchange.
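The two comments above describe the same mechanism from both sides: the client's host-key algorithm list decides which key type the server presents, and if the type negotiated differs from the one stored in known_hosts the existing entry never matches. The following is an added example (not the project's code or the commit referenced above) that shows the pieces involved: parsing known_hosts (including hashed `|1|salt|hmac` entries), rendering fingerprints in the same MD5/SHA256 form `ssh-keygen -l` prints, and reordering a host-key algorithm preference list so that types already trusted for the host come first. The preference list `CLIENT_HOSTKEY_PREFERENCE` and the key blobs are constructed for the example; the blobs carry the right key-type prefix but filler instead of real key material, and the matcher handles plain and hashed host fields only, not wildcard or `[host]:port` patterns.

```python
import base64
import hashlib
import hmac
import struct

# Hypothetical client preference order (constructed for this example, not the
# project's real list). ECDSA sits ahead of ED25519, which reproduces the
# mismatch in the thread when known_hosts only holds an ED25519 key for a host.
CLIENT_HOSTKEY_PREFERENCE = [
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ssh-ed25519-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256",
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ssh-ed25519",
]


def _ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then bytes."""
    return struct.pack(">I", len(b)) + b


def dummy_key_blob(key_type: str, seed: bytes) -> bytes:
    """Constructed public-key blob: real key-type prefix, hashed filler as body."""
    return _ssh_string(key_type.encode()) + _ssh_string(hashlib.sha256(seed).digest())


def hash_hostname(host: str, salt: bytes) -> str:
    """Produce the '|1|salt|hmac' host field OpenSSH writes with HashKnownHosts=yes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field (plain, comma-separated, or hashed) against host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in field.split(",")


def parse_known_hosts(text: str):
    """Yield (line_no, host_field, key_type, blob) for each key line."""
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # @cert-authority / @revoked marker precedes the host field
            parts = parts[1:]
        if len(parts) < 3:
            continue
        yield n, parts[0], parts[1], base64.b64decode(parts[2])


def fingerprint(blob: bytes, alg: str = "md5") -> str:
    """Render the blob's fingerprint as ssh-keygen -l does (-E md5, or the sha256 default)."""
    if alg == "md5":
        hexd = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def known_key_types(text: str, host: str):
    """Key types already trusted for host in this known_hosts text, in file order."""
    return [kt for _, field, kt, _ in parse_known_hosts(text) if host_matches(field, host)]


def _key_type_of_alg(alg: str) -> str:
    """Map a host-key algorithm name to the key type recorded in known_hosts."""
    base = alg.replace("-cert-v01@openssh.com", "")
    return "ssh-rsa" if base in ("rsa-sha2-256", "rsa-sha2-512") else base


def order_hostkey_algs(preference, known_types):
    """Move algorithms whose key type is already known to the front, keeping relative order."""
    known = set(known_types)
    first = [a for a in preference if _key_type_of_alg(a) in known]
    rest = [a for a in preference if _key_type_of_alg(a) not in known]
    return first + rest


# Constructed sample known_hosts (not the reporter's file): bigbox has only an
# ED25519 key, and a second host is stored in hashed form.
ED_BLOB = dummy_key_blob("ssh-ed25519", b"bigbox-ed25519")
EC_BLOB = dummy_key_blob("ecdsa-sha2-nistp256", b"otherhost-ecdsa")
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "bigbox,192.0.2.10 ssh-ed25519 " + base64.b64encode(ED_BLOB).decode(),
    hash_hostname("otherhost", b"0123456789abcdef0123") + " ecdsa-sha2-nistp256 "
    + base64.b64encode(EC_BLOB).decode(),
])

if __name__ == "__main__":
    for n, field, kt, blob in parse_known_hosts(SAMPLE_KNOWN_HOSTS):
        print("line %d: %s %s %s" % (n, field[:16], kt, fingerprint(blob)))
    types = known_key_types(SAMPLE_KNOWN_HOSTS, "bigbox")
    print("known types for bigbox:", types)
    print("default order:", CLIENT_HOSTKEY_PREFERENCE)
    print("adjusted order:", order_hostkey_algs(CLIENT_HOSTKEY_PREFERENCE, types))
```

With the unadjusted list the server would answer with its ECDSA key and the ED25519 entry on line 2 never matches; after `order_hostkey_algs` the ED25519 algorithms lead, so the server offers the key the client can already verify. This is the same behaviour OpenSSH itself applies when it reorders `HostKeyAlgorithms` against known_hosts, and the `UpdateHostKeys=yes` workaround above is the complementary fix: it adds the server's other key types to known_hosts once the existing key has authenticated the host.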
There are two machines in this scenario: rtr and bigbox.

On rtr:

Then on bigbox, normal ssh works:

But using `sga-ssh` yields this:

and here is what `sga-guard` is showing on `rtr`:

I am confused why this error is appearing because sshing from `rtr` to `bigbox` is fine w.r.t. host keys: