[Cyberduck-trac] [Cyberduck] #8173: Wrong host key fingerprint (and not written to ~/.ssh/known_hosts either)
Cyberduck
trac at cyberduck.io
Mon Jul 22 10:53:30 UTC 2019
#8173: Wrong host key fingerprint (and not written to ~/.ssh/known_hosts either)
----------------------------------+------------------------
Reporter: Codifier | Owner: dkocher
Type: defect | Status: closed
Priority: high | Milestone: 4.5.2
Component: sftp | Version: 4.5
Severity: major | Resolution: fixed
Keywords: host key fingerprint | Architecture: Intel
Platform: Mac OS X 10.6 |
----------------------------------+------------------------
Description changed by dkocher:
Old description:
> When I try to sftp with Cyberduck 4.5.0 - 4.5.2 (haven't tried any older
> versions) to an Xubuntu 14.04 box using public key authentication,
> Cyberduck issues the wrong host key fingerprint.
>
> Issuing
> {{{
> for file in /etc/ssh/*sa_key.pub; do ssh-keygen -lf $file; done
> }}}
> on the command line on the Ubuntu server currently yields:
>
> {{{
> 1024 b4:71:14:db:a2:3c:b2:77:ab:b2:1c:4d:56:5b:ad:e4 (DSA)
> 256 f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be (ECDSA)
> 2048 63:bd:65:67:f2:77:31:45:ad:00:24:eb:b8:ed:de:d9 (RSA)
> }}}
>
> Verifying that the file ~/.ssh/known_hosts on my Mac is empty, and
> connecting to this Ubuntu server, Cyberduck currently yields the
> following message (roughly translated from Dutch):
>
> '''Unknown host key for [ip-address]:port'''[[BR]]The system does not
> recognise this host. The host key-fingerprint is
> 58:83:70:ba:84:04:66:c7:5c:f6:82:1d:6f:51:79:f1.
>
> As you can see, the fingerprint does not match any of the earlier
> mentioned host key fingerprints.
>
> Eventhough I'm not a professional system administrator and therefore not
> entirely sure Cyberduck is the culprit, I've tried to verify that
> Cyberduck is ''indeed'' the one issuing the wrong fingerprint, instead of
> the Ubuntu server itself, by connecting to the Ubuntu server with cli
> sftp in terminal from the same Mac. This yields the '''correct''' unknown
> host fingerprint.
>
> Furthermore, I've deleted all keys in /etc/ssh/ on the Ubuntu server and
> reconfigured openssh-server, in an earlier test, as well, with:
>
> {{{
> sudo dpkg-reconfigure openssh-server
> }}}
>
> then connected with Cyberduck again to verify that Cyberduck issues a new
> unknown host fingerprint (which also didn't match any of the actual
> fingerprints).
>
> I've viewed system.log in Console.app also, just now, and see the
> possible issue (as these log entries ''do'' mention the correct ECDSA
> fingerprint) in these log messages (hostnames, ip addresses and port
> redacted):
>
> Aug 13 07:55:39 Mac [0x0-0x21021].ch.sudo.cyberduck[341]:
> net.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE]
> Could not verify `ecdsa-sha2-nistp256` host key with fingerprint
> `f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be` for `[ip-address]` on
> port [port][[BR]]Aug 13 07:55:39 Mac Cyberduck[341]: [reader] ERROR
> net.schmizz.sshj.transport.TransportImpl - Dying because -
> {}\n\nnet.schmizz.sshj.transport.TransportException:
> [HOST_KEY_NOT_VERIFIABLE] Could not verify `ecdsa-sha2-nistp256` host key
> with fingerprint `f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be` for
> `[ip-address]` on port [port]\n at
> net.schmizz.sshj.transport.KeyExchanger.verifyHost(KeyExchanger.java:206)\n
> at
> net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:353)\n
> at
> net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:458)\n
> at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:107)\n
> at net.schmizz.sshj.transport.Decoder.received(Decoder.java:175)\n
> at net.schmizz.sshj.transport.Reader.run(Reader.java:61)
>
> So, with my limited understanding, it appears Cyberduck ''is'' receiving
> the correct fingerprint, but can't verify it yet subsequently still
> issues an unknown host message (with the wrong fingerprint).
>
> Lastly, on accepting this (wrong) unknown host fingerprint, the host is
> not added to my ~/.ssh/known_hosts file either and Cyberduck therefore
> repeatedly issues the same unknown host message.
New description:
When I try to sftp with Cyberduck 4.5.0 - 4.5.2 (haven't tried any older
versions) to an Xubuntu 14.04 box using public key authentication,
Cyberduck issues the wrong host key fingerprint.
Issuing
{{{
for file in /etc/ssh/*sa_key.pub; do ssh-keygen -lf $file; done
}}}
on the command line on the Ubuntu server currently yields:
{{{
1024 b4:71:14:db:a2:3c:b2:77:ab:b2:1c:4d:56:5b:ad:e4 (DSA)
256 f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be (ECDSA)
2048 63:bd:65:67:f2:77:31:45:ad:00:24:eb:b8:ed:de:d9 (RSA)
}}}
Verifying that the file ~/.ssh/known_hosts on my Mac is empty, and
connecting to this Ubuntu server, Cyberduck currently yields the following
message (roughly translated from Dutch):
'''Unknown host key for [ip-address]:port'''[[BR]]The system does not
recognise this host. The host key-fingerprint is
58:83:70:ba:84:04:66:c7:5c:f6:82:1d:6f:51:79:f1.
As you can see, the fingerprint does not match any of the earlier
mentioned host key fingerprints.
Eventhough I'm not a professional system administrator and therefore not
entirely sure Cyberduck is the culprit, I've tried to verify that
Cyberduck is ''indeed'' the one issuing the wrong fingerprint, instead of
the Ubuntu server itself, by connecting to the Ubuntu server with cli sftp
in terminal from the same Mac. This yields the '''correct''' unknown host
fingerprint.
Furthermore, I've deleted all keys in /etc/ssh/ on the Ubuntu server and
reconfigured openssh-server, in an earlier test, as well, with:
{{{
sudo dpkg-reconfigure openssh-server
}}}
then connected with Cyberduck again to verify that Cyberduck issues a new
unknown host fingerprint (which also didn't match any of the actual
fingerprints).
I've viewed system.log in Console.app also, just now, and see the possible
issue (as these log entries ''do'' mention the correct ECDSA fingerprint)
in these log messages (hostnames, ip addresses and port redacted):
{{{
Aug 13 07:55:39 Mac [0x0-0x21021].ch.sudo.cyberduck[341]:
net.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE]
Could not verify `ecdsa-sha2-nistp256` host key with fingerprint
`f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be` for `[ip-address]` on
port [port][[BR]]Aug 13 07:55:39 Mac Cyberduck[341]: [reader] ERROR
net.schmizz.sshj.transport.TransportImpl - Dying because -
{}\n\nnet.schmizz.sshj.transport.TransportException:
[HOST_KEY_NOT_VERIFIABLE] Could not verify `ecdsa-sha2-nistp256` host key
with fingerprint `f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be` for
`[ip-address]` on port [port]\n at
net.schmizz.sshj.transport.KeyExchanger.verifyHost(KeyExchanger.java:206)\n
at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:353)\n
at
net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:458)\n
at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:107)\n at
net.schmizz.sshj.transport.Decoder.received(Decoder.java:175)\n at
net.schmizz.sshj.transport.Reader.run(Reader.java:61)
}}}
So, with my limited understanding, it appears Cyberduck ''is'' receiving
the correct fingerprint, but can't verify it yet subsequently still issues
an unknown host message (with the wrong fingerprint).
Lastly, on accepting this (wrong) unknown host fingerprint, the host is
not added to my ~/.ssh/known_hosts file either and Cyberduck therefore
repeatedly issues the same unknown host message.
--
--
Ticket URL: <https://trac.cyberduck.io/ticket/8173#comment:8>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
More information about the Cyberduck-trac
mailing list