ssh, keys, and failing host-key verification

arri

hi,

first i need to say the situation that i'd like to debug is just an ad-hoc test solution. nothing critical...
but i ran into an unexpected problem i'd like to understand. and probably i'm overlooking something simple/basic.

i wanted to test the nat-setup at my current location and see if port-forwarding was working properly. so from machine A on the local network, i logged into a remote server using ssh, assuming that if port-forwarding on the local nat/router was working properly, i could from there login on machineB on the local network again.

the port-forwarding is not at all a problem. network traffic shows there is a successful connection between machineB and the remote server.
but the problem is that on the server ssh always fails with the 'Host key verification failed' -error.

usually all three machines have keys shared between them, and so i removed those, with no effect.
erased known_hosts, authorized_keys etc. no effect
regenerated/re-distributed the keypairs, no effect..


the next step would be to generate new host-keys. but since that has a bit more impact (more/other people) i was wondering if it's really needed.
and above all, what is causing this failing verification?

thanks,
arri
 
I don't think you need to generate new host keys at this point. This is how I'd start debugging the problem:

Select two machines; we'll call them 'server' and 'client'. On the client, generate a pair of keys without a passphrase:

ssh-keygen -t rsa

Copy id_rsa.pub onto the server and save it as ~/.ssh/authorized_keys

Now on the server start a second instance of sshd on a different port with debugging enabled:

sudo /usr/sbin/sshd -d -d -d -p 2022

Then from the client, issue a connection to this port with debugging enabled:

ssh -v -v -v server -p 2022

The debug output should help point you in the right direction.
 
Also check the ~/.ssh/known_hosts file to see if the hosts are listed in there. If they are, remove those lines, ssh will ask you the next time you connect to add them.
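As an added illustration of the two checks suggested above (the known_hosts lookup and the debug connection on port 2022), here is a small script that does what ssh does when it decides between "add this host", "silent success" and "Host key verification failed": it finds the stored entry for a host (plain, comma-separated or hashed form, with or without a non-default port) and compares its SHA256 fingerprint to a presented key. This is not code from the thread; the host names, salt and key blobs are constructed for the example and are not real keys.

```python
# Added example (not from the thread): host names, salt and key blobs are constructed.
import base64
import hashlib
import hmac
import struct

def ssh_string(data):
    # SSH wire format: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data

def fingerprint(key_b64):
    # SHA256 fingerprint as 'ssh-keygen -l' prints it: unpadded base64 of the blob digest.
    return "SHA256:" + base64.b64encode(hashlib.sha256(base64.b64decode(key_b64)).digest()).decode().rstrip("=")

def hashed_hostname(host, salt):
    # 'HashKnownHosts yes' form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def entry_matches(host_field, lookup):
    # First column of a known_hosts line: comma-separated names, or the hashed form.
    if host_field.startswith("|1|"):
        salt = base64.b64decode(host_field.split("|")[2])
        return hmac.compare_digest(hashed_hostname(lookup, salt), host_field)
    return lookup in host_field.split(",")

def find_host_keys(known_hosts, host, port=22):
    # Non-default ports are looked up as '[host]:port', exactly as ssh does.
    lookup = host if port == 22 else "[%s]:%d" % (host, port)
    found = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#") and entry_matches(parts[0], lookup):
            found.append((parts[1], fingerprint(parts[2])))
    return found

def verdict(known_hosts, host, presented_b64, port=22):
    # ssh's three outcomes: no entry (prompts to add), match (silent), conflict (verification failed).
    stored = [fp for _, fp in find_host_keys(known_hosts, host, port)]
    if not stored:
        return "unknown"
    return "match" if fingerprint(presented_b64) in stored else "mismatch"

# Constructed sample (not real keys): machineB stored plain, [server]:2022 stored hashed.
KEY_B = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()
KEY_A = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))).decode()
KNOWN_HOSTS = "\n".join([
    "machineB,192.0.2.10 ssh-ed25519 " + KEY_B,
    hashed_hostname("[server]:2022", b"constructed-salt") + " ssh-ed25519 " + KEY_A,
])
```

Point it at a real file with open("~/.ssh/known_hosts" expanded).read() and at the key line printed by the server's debug output to see which of the three states the client is actually in; a "mismatch" for a name that reaches a different machine through the port-forward is exactly the error reported above.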
 
thank you for your responses,

i had already deleted the known_hosts file altogether.. (as you can read.. :)
and i just realised macbri's proposed method is actually a very clever way for debugging many situations and programs in general. very nice! stupid i hadn't thought of it..
thanks.

i'll give it a go soon when i have some time.

regards,
a
 