[Network Management] SSH problem: "ssh hash mismatch" appears

#1 Posted on 2008-01-07 16:09
Today, when logging in to a Linux host over ssh, the following appeared:

  hash mismatch
  key_verify failed for server_host_key


Version: Linux version 2.6.23.1-42.fc8, 64-bit

#2 Posted on 2008-01-07 18:40
The SSH HASH field does not match.
Clear the corresponding KEY file in the .ssh directory under your home directory, then regenerate it.

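#3 Posted on 2008-01-07 21:28
Thanks to the moderator above. I have already done this and it still doesn't work. I have looked through a lot of material and could not solve it. Still asking for help.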

#4 Posted on 2008-01-11 14:10
The configuration follows the key_verify() error, which I can't seem to get past.

Oh yea, any plans for this patch to be included in 3.8?




######################
Error - "key_verify failed for server_host_key"
######################
/usr/local/sbin/sshd -ddd
...
debug1: read PEM private key begin
debug1: read X509 certificate done: type RSA+cert
debug1: read PEM private key done: type RSA+cert
debug1: private host key: #0 type 3 RSA+cert
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 38500
debug1: Client protocol version 2.0; client software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug2: Network child is on pid 19345
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 74:74
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: x509v3-sign-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: x509v3-sign-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: x509v3-sign-rsa,x509v3-sign-dss,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug3: call key_type_from_name(x509v3-sign-rsa) ...
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 2048 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 1567/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 1591/3191
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: ssh_x509_sign: key_type=RSA+cert, key_ssh_name=x509v3-sign-rsa
debug3: ssh_x509_sign: evp_md { 64(sha1), 65(sha1WithRSAEncryption), 20, ... }
debug3: ssh_x509_sign: return 0
debug3: mm_answer_sign: signature 0x80a1138(279)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
Connection closed by 127.0.0.1
debug1: Calling cleanup 0x8069bfc(0x0)


ssh -vvv
...
debug3: x509key_str2X509NAME: return 1
debug3: x509key_from_subject: return 0x809ad10
debug3: check_host_in_hostfile: match line 1
debug1: Host 'localhost' is known and matches the RSA+cert host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug2: bits set: 1638/3191
debug3: ssh_x509_verify: signature key type = x509v3-sign-rsa
debug3: ssh_x509_verify: evp_md { 64(sha1), 65(sha1WithRSAEncryption), 20, ... }debug3: ssh_x509_verify: evp_md { 4(md5), 8(md5WithRSAEncryption), 16, ... }
ssh_x509_verify: verify failed: error:0D09C08F:asn1 encoding routines:d2i_PublicKey:unknown public key type
debug3: ssh_x509_verify return 0
key_verify failed for server_host_key
debug1: Calling cleanup 0x8060bc0(0x0)


######################
sshd_config - self-signed CA
######################
HostKey <hostkey> # Host ssh-keygen private + x.509, PEM
AllowedCertPurpose sslclient
CACertificateFile <CA cert file> # CA x.509 only, PEM
CACertificatePath <CA cert dir> # CA hash's
X509rsaSigType=sha1


######################
~/.ssh/config
######################
IdentityFile=~/.ssh/id_rsa # ssh-keygen -b2048 -trsa
AllowedCertPurpose=sslserver
X509rsaSigType=sha1
CACertificateFile <CA cert file> # CA x.509 only, PEM
CACertificatePath <CA cert dir> # CA hash's
UserCACertificateFile <User cert file> # User ssh-keygen private + x.509, PEM
UserCACertificatePath <User cert dir> # User hash's


######################
~/.ssh/authorized_keys
######################
(printf 'x509v3-sign-rsa ';openssl x509 -noout -subject -in <UserCACertificateFile>) >> ~/.ssh/authorized_keys




You can use this for reference.