SSH2 - signature didn't match with host key

Stars · August 9, 2013, 5:19pm

I am trying to complete ssh2 connection between HP-UX and CoreFTP. The host key authentication fails with signature didn't match. See below output. I can connect to this CoreFTP from my Windows desktop, and connect to a multitude of other servers from the HP-UX system as well, but have encountered this error on this particular connection.

debug: Remote version: SSH-2.0-CoreFTP-0.3.2
debug: Ssh2Transport/trcommon.c:1397: lang s to c: `', lang c to s: `'
debug: Ssh2Transport/trcommon.c:1462: c_to_s: cipher aes128-cbc, mac hmac-sha1, 
compression none
debug: Ssh2Transport/trcommon.c:1465: s_to_c: cipher aes128-cbc, mac hmac-sha1, 
compression none
debug: SshKeyFile/sshkeyfile.c:362: file /xxxx/xxxx/.ssh2/hostkeys/key_22_70
.109.223.36.pub does not exist.
debug: SshKeyFile/sshkeyfile.c:362: file /etc/ssh2/hostkeys/key_22_11.222.333.44
.pub does not exist.
Host key not found from database.
Key fingerprint:
xonjjj-beaas-cccel-vrrab-cyhyr-fdlab-tbtez-pjkiz-fsryn-licwl-hjxax
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to /xxxx/xxxx/.ssh2/hostkeys/key_22_11.222.333.44.pub
host key for 11.222.333.44, accepted by xxxx Mon Jul 29 2013 14:05:53 -0500
debug: SshProtoTrKex/trkex.c:569: Signature didn't match.
debug: Ssh2Common/sshcommon.c:169: DISCONNECT received: Key exchange failed.
debug: SshReadLine/sshreadline.c:2245: Uninitializing ReadLine...
debug: Ssh2/ssh2.c:685: Returning user input stream to original values.
warning: Authentication failed.
Disconnected; key exchange or algorithm negotiation failed (Key exchange failed.
).
Sftp2/sftp2.c:3965: buffer: 'AUTHENTICATED NO

Has anyone encountered this and have a resolution. Thx.

jim_mcnamara · August 9, 2013, 9:03pm

The problem is in the ./ssh/known_hosts file for the user running the process (the one initiating)

Whenever you contact a host for the first time. ssh protocol asks for verification, then stores the remote key in the above file.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
a7:a8:f2:97:94:33:58:b7:9d:bc:e0:a6:6b:f7:0a:29.
Please contact your system administrator.
Add correct host key in /home/your name goes here/.ssh/known_hosts to get rid of this message.
Offending key in /home/[yourname goes here]/.ssh/known_hosts: 6
Permission denied (publickey,password).

You have to remove the key to proceed further. Use the following command to remove the offending key:

# sed  '6d' ~/.ssh/known_hosts > tmp
   mv tmp ~/.ssh/known_hosts
   chmod 600 ~/.ssh/known_hosts

6d is the line number shown in message you get. 6d means delete line 6. The examples are bash/ksh.

Stars · August 12, 2013, 10:44am

Thank you for your reply.
The host key downloads to the hostkeys directory. I can remove it and have it download again upon next connection, but the same "Signature didn't match" issue occurs.