[Cyberduck-trac] [Cyberduck] #8173: Wrong host key fingerprint (and not written to ~/.ssh/known_hosts either)

Cyberduck trac at cyberduck.io
Mon Jul 22 10:53:30 UTC 2019


#8173: Wrong host key fingerprint (and not written to ~/.ssh/known_hosts either)
----------------------------------+------------------------
 Reporter:  Codifier              |         Owner:  dkocher
     Type:  defect                |        Status:  closed
 Priority:  high                  |     Milestone:  4.5.2
Component:  sftp                  |       Version:  4.5
 Severity:  major                 |    Resolution:  fixed
 Keywords:  host key fingerprint  |  Architecture:  Intel
 Platform:  Mac OS X 10.6         |
----------------------------------+------------------------
Description changed by dkocher:

Old description:

> When I try to sftp with Cyberduck 4.5.0 - 4.5.2 (haven't tried any older
> versions) to an Xubuntu 14.04 box using public key authentication,
> Cyberduck issues the wrong host key fingerprint.
>
> Issuing
> {{{
> for file in /etc/ssh/*sa_key.pub; do ssh-keygen -lf $file; done
> }}}
> on the command line on the Ubuntu server currently yields:
>
> {{{
> 1024 b4:71:14:db:a2:3c:b2:77:ab:b2:1c:4d:56:5b:ad:e4 (DSA)
> 256 f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be (ECDSA)
> 2048 63:bd:65:67:f2:77:31:45:ad:00:24:eb:b8:ed:de:d9 (RSA)
> }}}
>
> Verifying that the file ~/.ssh/known_hosts on my Mac is empty, and
> connecting to this Ubuntu server, Cyberduck currently yields the
> following message (roughly translated from Dutch):
>
>   '''Unknown host key for [ip-address]:port'''[[BR]]The system does not
> recognise this host. The host key-fingerprint is
> 58:83:70:ba:84:04:66:c7:5c:f6:82:1d:6f:51:79:f1.
>
> As you can see, the fingerprint does not match any of the earlier
> mentioned host key fingerprints.
>
> Eventhough I'm not a professional system administrator and therefore not
> entirely sure Cyberduck is the culprit, I've tried to verify that
> Cyberduck is ''indeed'' the one issuing the wrong fingerprint, instead of
> the Ubuntu server itself, by connecting to the Ubuntu server with cli
> sftp in terminal from the same Mac. This yields the '''correct''' unknown
> host fingerprint.
>
> Furthermore, I've deleted all keys in /etc/ssh/ on the Ubuntu server and
> reconfigured openssh-server, in an earlier test, as well, with:
>
> {{{
> sudo dpkg-reconfigure openssh-server
> }}}
>
> then connected with Cyberduck again to verify that Cyberduck issues a new
> unknown host fingerprint (which also didn't match any of the actual
> fingerprints).
>
> I've viewed system.log in Console.app also, just now, and see the
> possible issue (as these log entries ''do'' mention the correct ECDSA
> fingerprint) in these log messages (hostnames, ip addresses and port
> redacted):
>
>   Aug 13 07:55:39 Mac [0x0-0x21021].ch.sudo.cyberduck[341]:
> net.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE]
> Could not verify `ecdsa-sha2-nistp256` host key with fingerprint
> `f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be` for `[ip-address]` on
> port [port][[BR]]Aug 13 07:55:39 Mac Cyberduck[341]: [reader] ERROR
> net.schmizz.sshj.transport.TransportImpl - Dying because -
> {}\n\nnet.schmizz.sshj.transport.TransportException:
> [HOST_KEY_NOT_VERIFIABLE] Could not verify `ecdsa-sha2-nistp256` host key
> with fingerprint `f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be` for
> `[ip-address]` on port [port]\n      at
> net.schmizz.sshj.transport.KeyExchanger.verifyHost(KeyExchanger.java:206)\n
> at
> net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:353)\n
> at
> net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:458)\n
> at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:107)\n
> at net.schmizz.sshj.transport.Decoder.received(Decoder.java:175)\n
> at net.schmizz.sshj.transport.Reader.run(Reader.java:61)
>
> So, with my limited understanding, it appears Cyberduck ''is'' receiving
> the correct fingerprint, but can't verify it yet subsequently still
> issues an unknown host message (with the wrong fingerprint).
>
> Lastly, on accepting this (wrong) unknown host fingerprint, the host is
> not added to my ~/.ssh/known_hosts file either and Cyberduck therefore
> repeatedly issues the same unknown host message.

New description:

 When I try to sftp with Cyberduck 4.5.0 - 4.5.2 (haven't tried any older
 versions) to an Xubuntu 14.04 box using public key authentication,
 Cyberduck issues the wrong host key fingerprint.

 Issuing
 {{{
 for file in /etc/ssh/*sa_key.pub; do ssh-keygen -lf $file; done
 }}}
 on the command line on the Ubuntu server currently yields:

 {{{
 1024 b4:71:14:db:a2:3c:b2:77:ab:b2:1c:4d:56:5b:ad:e4 (DSA)
 256 f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be (ECDSA)
 2048 63:bd:65:67:f2:77:31:45:ad:00:24:eb:b8:ed:de:d9 (RSA)
 }}}

 Verifying that the file ~/.ssh/known_hosts on my Mac is empty, and
 connecting to this Ubuntu server, Cyberduck currently yields the following
 message (roughly translated from Dutch):

   '''Unknown host key for [ip-address]:port'''[[BR]]The system does not
 recognise this host. The host key-fingerprint is
 58:83:70:ba:84:04:66:c7:5c:f6:82:1d:6f:51:79:f1.

 As you can see, the fingerprint does not match any of the earlier
 mentioned host key fingerprints.

 Eventhough I'm not a professional system administrator and therefore not
 entirely sure Cyberduck is the culprit, I've tried to verify that
 Cyberduck is ''indeed'' the one issuing the wrong fingerprint, instead of
 the Ubuntu server itself, by connecting to the Ubuntu server with cli sftp
 in terminal from the same Mac. This yields the '''correct''' unknown host
 fingerprint.

 Furthermore, I've deleted all keys in /etc/ssh/ on the Ubuntu server and
 reconfigured openssh-server, in an earlier test, as well, with:

 {{{
 sudo dpkg-reconfigure openssh-server
 }}}

 then connected with Cyberduck again to verify that Cyberduck issues a new
 unknown host fingerprint (which also didn't match any of the actual
 fingerprints).

 I've viewed system.log in Console.app also, just now, and see the possible
 issue (as these log entries ''do'' mention the correct ECDSA fingerprint)
 in these log messages (hostnames, ip addresses and port redacted):


 {{{
   Aug 13 07:55:39 Mac [0x0-0x21021].ch.sudo.cyberduck[341]:
 net.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE]
 Could not verify `ecdsa-sha2-nistp256` host key with fingerprint
 `f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be` for `[ip-address]` on
 port [port][[BR]]Aug 13 07:55:39 Mac Cyberduck[341]: [reader] ERROR
 net.schmizz.sshj.transport.TransportImpl - Dying because -
 {}\n\nnet.schmizz.sshj.transport.TransportException:
 [HOST_KEY_NOT_VERIFIABLE] Could not verify `ecdsa-sha2-nistp256` host key
 with fingerprint `f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be` for
 `[ip-address]` on port [port]\n      at
 net.schmizz.sshj.transport.KeyExchanger.verifyHost(KeyExchanger.java:206)\n
 at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:353)\n
 at
 net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:458)\n
 at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:107)\n        at
 net.schmizz.sshj.transport.Decoder.received(Decoder.java:175)\n      at
 net.schmizz.sshj.transport.Reader.run(Reader.java:61)

 }}}

 So, with my limited understanding, it appears Cyberduck ''is'' receiving
 the correct fingerprint, but can't verify it yet subsequently still issues
 an unknown host message (with the wrong fingerprint).

 Lastly, on accepting this (wrong) unknown host fingerprint, the host is
 not added to my ~/.ssh/known_hosts file either and Cyberduck therefore
 repeatedly issues the same unknown host message.

--

--
Ticket URL: <https://trac.cyberduck.io/ticket/8173#comment:8>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows


More information about the Cyberduck-trac mailing list