Dipak

Reputation: 692

Go SSH failed with host key mismatch

Environment: We execute commands on ESX remotely using Go SSH with a private key.

Error: The SSH connection from Go failed with the below error, using the lib https://pkg.go.dev/golang.org/x/crypto/ssh:

ssh: handshake failed: ssh: host key mismatch

What changed: Upgraded our ESX version to 7.0.3, which upgrades OpenSSH to 8.8. This version of ssh disabled RSA signatures using the SHA-1 algorithm. Release: https://www.openssh.com/txt/release-8.8 ("This release disables RSA signatures using the SHA-1 hash algorithm by default.")

Another issue: Golang ssh supports SHA1 by default on the version we were using. https://github.com/golang/go/issues/49952

What I tried:

  1. Used an updated golang version which supports SHA-2.
  2. As a workaround mentioned by OpenSSH and Broadcom, I set the below flags in the ssh config of ESX, which does not work. https://www.openssh.com/txt/release-8.8 https://knowledge.broadcom.com/external/article?legacyId=88055

HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

What works:

  1. Checked that the keys are correct: .ssh/known_hosts (client) and authorized_keys (server) are the same.
  2. Tried generating the public key from the private key (ssh-keygen -y -e -f .ssh/id_rsa), which is exactly the same as authorized_keys.
  3. Manual ssh using id_rsa works fine.
  4. Changing key from ssh-rsa to ecdsa-sha2-nistp521 works fine with go client.

Client ssh config:

hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
kexalgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
casignaturealgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa

Server ssh config:

ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostbasedalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

Server ssh logs(/var/log/auth.log):

2024-05-13T04:51:46.823Z sshd[2220706]: FIPS mode initialized
2024-05-13T04:51:46.304Z sshd[2220684]: Connection from port 41440
2024-05-13T04:51:46.313Z sshd[2220684]: Connection closed by port 41440 [preauth]

Upvotes: 1

Views: 156

Answers (1)

eik

Reputation: 4590

ssh: host key mismatch usually means that the client's host key verification failed. You said you checked that the keys

in .ssh/known_hosts (client) and authorized_keys (server) are the same.

but they should not be. Can you empty .ssh/known_hosts on the client and then ssh into the host? What shows up afterwards? Does it work then? Also, you need to be sure that the same hostname is used.

Upvotes: 0
