[Cyberduck-trac] [Cyberduck] #8173: Wrong host key fingerprint (and not written to ~/.ssh/known_hosts either)

Cyberduck trac at trac.cyberduck.io
Wed Aug 13 07:39:36 UTC 2014

#8173: Wrong host key fingerprint (and not written to ~/.ssh/known_hosts either)
    Reporter:  Codifier  |      Owner:  dkocher
        Type:  defect    |     Status:  new
    Priority:  high      |  Milestone:
   Component:  sftp      |    Version:  4.5
    Severity:  major     |   Keywords:  host key fingerprint
Architecture:  Intel     |   Platform:
 When I try to sftp with Cyberduck 4.5.0 - 4.5.2 (haven't tried any older
 versions) to an Xubuntu 14.04 box using public key authentication,
 Cyberduck issues the wrong host key fingerprint.

 for file in /etc/ssh/*sa_key.pub; do ssh-keygen -lf $file; done
 on the command line on the Ubuntu server currently yields:

 1024 b4:71:14:db:a2:3c:b2:77:ab:b2:1c:4d:56:5b:ad:e4 (DSA)
 256 f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be (ECDSA)
 2048 63:bd:65:67:f2:77:31:45:ad:00:24:eb:b8:ed:de:d9 (RSA)

 Verifying that the file ~/.ssh/known_hosts on my Mac is empty, and
 connecting to this Ubuntu server, Cyberduck currently yields the following
 message (roughly translated from Dutch):

   '''Unknown host key for [ip-address]:port'''[[BR]]The system does not
 recognise this host. The host key-fingerprint is

 As you can see, the fingerprint does not match any of the earlier
 mentioned host key fingerprints.

 Eventhough I'm not a professional system administrator and therefore not
 entirely sure Cyberduck is the culprit, I've tried to verify that
 Cyberduck is ''indeed'' the one issuing the wrong fingerprint, instead of
 the Ubuntu server itself, by connecting to the Ubuntu server with cli sftp
 in terminal from the same Mac. This yields the '''correct''' unknown host

 Furthermore, I've deleted all keys in /etc/ssh/ on the Ubuntu server and
 reconfigured openssh-server, in an earlier test, as well, with:

 sudo dpkg-reconfigure openssh-server

 then connected with Cyberduck again to verify that Cyberduck issues a new
 unknown host fingerprint (which also didn't match any of the actual

 I've viewed system.log in Console.app also, just now, and see the possible
 issue (as these log entries ''do'' mention the correct ECDSA fingerprint)
 in these log messages (hostnames, ip addresses and port redacted):

   Aug 13 07:55:39 Mac [0x0-0x21021].ch.sudo.cyberduck[341]:
 net.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE]
 Could not verify `ecdsa-sha2-nistp256` host key with fingerprint
 `f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be` for `[ip-address]` on
 port [port][[BR]]Aug 13 07:55:39 Mac Cyberduck[341]: [reader] ERROR
 net.schmizz.sshj.transport.TransportImpl - Dying because -
 [HOST_KEY_NOT_VERIFIABLE] Could not verify `ecdsa-sha2-nistp256` host key
 with fingerprint `f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be` for
 `[ip-address]` on port [port]\n      at
 at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:353)\n
 at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:107)\n        at
 net.schmizz.sshj.transport.Decoder.received(Decoder.java:175)\n      at

 So, with my limited understanding, it appears Cyberduck ''is'' receiving
 the correct fingerprint, but can't verify it and subsequently still issues
 an unknown host message (with the wrong fingerprint).

 Lastly, on accepting this (wrong) unknown host fingerprint, the host is
 not added to my ~/.ssh/known_hosts file either and Cyberduck therefore
 repeatedly issues the same unknown host message.

Ticket URL: <https://trac.cyberduck.io/ticket/8173>
Cyberduck <http://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows

More information about the Cyberduck-trac mailing list