# ssh, keys, and failing host-key verification



## arri (Feb 1, 2008)

hi,

First I need to say that the situation I'd like to debug is just an ad-hoc test solution. Nothing critical...
But I ran into an unexpected problem I'd like to understand, and probably I'm overlooking something simple/basic.

I wanted to test the NAT setup at my current location and see if port forwarding was working properly. So from machine A on the local network, I logged into a remote server using ssh, assuming that if port forwarding on the local NAT/router was working properly, I could from there log in to machine B on the local network again.

The port forwarding is not a problem at all. Network traffic shows there is a successful connection between machine B and the remote server.
But the problem is that on the server ssh always fails with the 'Host key verification failed' error.

Usually all three machines have keys shared between them, so I removed those, with no effect.
Erased known_hosts, authorized_keys etc.: no effect.
Regenerated/redistributed the keypairs: no effect.


The next step would be to generate new host keys. But since that has a bit more impact (more/other people), I was wondering if it's really needed.
And above all, what is causing this failing verification?

thanks,
arri


----------



## macbri (Feb 2, 2008)

I don't think you need to generate new host keys at this point.  This is how I'd start debugging the problem:

Select 2 machines, we'll call them 'server' and 'client'.  On the client, generate a pair of keys without a passphrase:

```sh
ssh-keygen -t rsa
```

Copy id_rsa.pub onto the server and save it as ~/.ssh/authorized_keys

Now on the server start a second instance of sshd on a different port with debugging enabled:

```sh
sudo /usr/sbin/sshd -d -d -d -p 2022
```

Then from the client, issue a connection to this port with debugging enabled:

```sh
ssh -v -v -v server -p 2022
```

The debug output should help point you in the right direction.


----------



## btoneill (Feb 2, 2008)

Also check the ~/.ssh/known_hosts file to see if the hosts are listed in there. If they are, remove those lines; ssh will ask you the next time you connect to add them.


----------
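A check that complements the two suggestions above, added here as an example and not part of either post. Deleting the per-user ~/.ssh/known_hosts does not touch the system-wide /etc/ssh/ssh_known_hosts, and OpenSSH stores a host reached on a non-default port (as happens with a forwarded port) under the name `[host]:port`, which is a different entry from the same host on port 22. The script below searches any set of known_hosts files for the entry ssh would actually consult for a given host and port, reports hashed (HashKnownHosts) entries separately because their host names can only be resolved with `ssh-keygen -F`, and runs a demo against a constructed sample file whose key blobs are placeholders, not real keys. The default file locations and the `[host]:port` notation are OpenSSH behaviour; the sample file and the host names in it are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): list every known_hosts entry that ssh
# would consult for a given host, including the system-wide file that survives
# deleting ~/.ssh/known_hosts, and the "[host]:port" form OpenSSH uses for
# non-default ports. Exact-name matching only: wildcard patterns ("*.lan") and
# negated patterns ("!host") are not evaluated here.

# find_host_key_lines HOST PORT FILE...
#   PORT may be "" or 22 for the default port. Prints "file:line:entry" for each
#   matching entry and "file:line:HASHED:entry" for HashKnownHosts entries,
#   whose host names cannot be seen without ssh-keygen -F.
find_host_key_lines() {
    host=$1
    port=$2
    shift 2
    if [ -n "$port" ] && [ "$port" != 22 ]; then
        key="[$host]:$port"        # OpenSSH records non-default ports this way
    else
        key=$host
    fi
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v key="$key" -v file="$f" '
            /^[ \t]*#/ || NF == 0 { next }                        # comment or blank
            {
                names = $1
                if (substr(names, 1, 1) == "@") names = $2        # @cert-authority / @revoked
                if (substr(names, 1, 3) == "|1|") {               # hashed entry
                    print file ":" NR ":HASHED:" $0
                    next
                }
                n = split(names, list, ",")                       # "name,ip,..." lists
                for (i = 1; i <= n; i++)
                    if (list[i] == key) { print file ":" NR ":" $0; break }
            }' "$f"
    done
}

# count_plain_matches: number of non-HASHED report lines on stdin
count_plain_matches() {
    awk 'index($0, ":HASHED:") == 0 { n++ } END { print n + 0 }'
}

# count_hashed: number of HASHED report lines on stdin
count_hashed() {
    awk 'index($0, ":HASHED:") > 0 { n++ } END { print n + 0 }'
}

# write_sample_known_hosts FILE: constructed sample; the key blobs are
# placeholders, not real keys.
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample known_hosts
machineb,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER1
[nat.example.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER2
|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGhhc2hoYXNoaGFzaGhhc2g= ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER3
EOF
}

# Demo run against the constructed file. For a real check use the files ssh
# actually reads (ssh -vvv names them), e.g.:
#   find_host_key_lines "$host" "$port" "$HOME/.ssh/known_hosts" /etc/ssh/ssh_known_hosts
demo_dir=$(mktemp -d)
write_sample_known_hosts "$demo_dir/known_hosts"
echo "== machineb on the default port =="
find_host_key_lines machineb "" "$demo_dir/known_hosts"
echo "== nat.example.net on port 2222 =="
find_host_key_lines nat.example.net 2222 "$demo_dir/known_hosts"
echo "== nat.example.net on port 22: a different entry, only the hashed line is left to check =="
find_host_key_lines nat.example.net 22 "$demo_dir/known_hosts"
rm -rf "$demo_dir"
```

Once the offending line is found, `ssh-keygen -R host` (or `ssh-keygen -R '[host]:port'` for a non-default port) removes it from the per-user file; the system-wide file has to be edited by root. Running the client as `ssh -vvv` alongside this check shows which known_hosts files that particular invocation reads, which also catches the case where the failing ssh runs as a different user than the one whose known_hosts was deleted.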



## arri (Feb 2, 2008)

thank you for your responses,

I had already deleted the known_hosts file altogether (as you can read).
And I just realised macbri's proposed method is actually a very clever way of debugging many situations and programs in general. Very nice! Stupid that I hadn't thought of it.
thanks.

I'll give it a go soon when I have some time.

regards,
a


----------

