Hi,

On Fri, Jan 9, 2015, at 01:40 PM, Iain Morgan wrote:
> So, that indicates that you have a problem with your client setup. Since
> you are trying to use ssh from /usr/local/bin, I take it that it is a
> local build. As such, some of the files may not be properly located.

Yes. Built as

    ./configure \
        --prefix="/usr/local" \
        --sysconfdir="/usr/local/etc/ssh" \
        --libdir="/usr/local/lib64" \
        --with-ssl-dir="/usr/local/ssl" \
        --with-md5-passwords \
        --with-xauth=/usr/bin/xauth \
        --with-pam

> You can check the location of the ssh-keysign binary by running strings
> on the ssh executable and grep'ing for ssh-keysign. I expect that it
> will be /usr/local/libexec/ssh-keysign. Make sure that it is setuid
> root.

    ls -al $( strings `which ssh` | grep ssh-keysign )
    -rwsr-xr-x+ 1 root root 459K Oct 11 06:51 /usr/local/libexec/ssh-keysign*

> You can then run strings on the ssh-keysign executable and grep for
> ssh_host ed25519 to confirm the expected location for the host key. Make
> sure that the key can be found in the expected location, and that the
> public key is world-readable, but that the private key is readable only
> by root.

    strings /usr/local/libexec/ssh-keysign | grep ssh_host | grep ed25519
    /usr/local/etc/ssh/ssh_host_ed25519_key

That's NOT the name/location of the key.

On the client

    grep Identity /usr/local/etc/ssh/ssh_config
    IdentityFile /usr/local/etc/ssh/ssh.client.ed25519

and on the server

    grep HostKey /usr/local/etc/ssh/sshd_config
    HostKey /usr/local/etc/ssh/ssh.server.ed25519

As reported above

client

    ls -al /usr/local/etc/ssh/ssh.client.ed25519*
    -rw-------+ 1 root root 517 May  9  2014 /usr/local/etc/ssh/ssh.client.ed25519
    -rw-r--r--+ 1 root root 107 May  9  2014 /usr/local/etc/ssh/ssh.client.ed25519.pub

server

    ls -al /usr/local/etc/ssh/ssh.server.ed25519*
    -rw-------+ 1 root root 464 May 10  2014 /usr/local/etc/ssh/ssh.server.ed25519
    -rw-r--r--+ 1 root root 107 May 10  2014 /usr/local/etc/ssh/ssh.server.ed25519.pub

With pubkey/password these keys work as expected.

> Note, if you do not see a reference to ssh_host_ed25519 in the above
> strings output, the ssh-keysign executable is from an older distribution
> that does not support ED25519.

My 'locally installed' openssh is

    ssh -V
    OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014

the distro's ssh -- not used by me, but not removable -- is

    /usr/bin/ssh -V
    OpenSSH_6.6.1p1, OpenSSL 1.0.1j-fips 15 Oct 2014

> Given that possibility, you might try adding the ECDSA key for the
> client to the ssh_known_hosts file on the server.

It already is.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
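As an added example (not part of the thread and not OpenSSH's own tooling), a small POSIX shell script that automates the client-side checks Iain walks through above: read the compiled-in ssh-keysign path out of the ssh binary, confirm the helper is setuid root, and confirm the host key pair has the expected owner and modes. It emulates strings(1) with tr so it runs without binutils, and the optional OWNER parameter (an assumption added here) exists only so the checks can be exercised against non-root test fixtures; the paths in the final block are the ones reported in the message.

```shell
#!/bin/sh
# Added example: automate the ssh-keysign and host-key checks from the thread.

# keysign_path SSH_BINARY: print the ssh-keysign path compiled into ssh.
# tr splits the file into printable runs, so binutils' strings(1) is not needed.
keysign_path() {
    tr -c '[:print:]' '\n' < "$1" | grep '/ssh-keysign$' | head -n 1
}
# mode_string FILE: the ls(1) mode field, e.g. "-rwsr-xr-x" (trailing ACL '+' dropped).
mode_string() {
    ls -ld "$1" | cut -c1-10
}
# owner_of FILE: owner name as shown by ls(1).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}
# check_keysign FILE [OWNER]: regular file, setuid bit set, owned by OWNER (default root).
check_keysign() {
    [ -f "$1" ] && [ -u "$1" ] && [ "$(owner_of "$1")" = "${2:-root}" ]
}
# check_private_key FILE [OWNER]: mode exactly -rw------- and owned by OWNER (default root).
check_private_key() {
    [ -f "$1" ] && [ "$(mode_string "$1")" = "-rw-------" ] &&
        [ "$(owner_of "$1")" = "${2:-root}" ]
}
# check_public_key FILE: readable by owner, group and others, but not world-writable.
check_public_key() {
    [ -f "$1" ] || return 1
    case "$(mode_string "$1")" in
        -r??r??r-?) return 0 ;;
        *)          return 1 ;;
    esac
}
# audit_client SSH_BINARY PRIVKEY PUBKEY: run every check; non-zero if any fails.
audit_client() {
    rc=0
    ks=$(keysign_path "$1")
    check_keysign "$ks"    && echo "ok   setuid-root ssh-keysign: $ks" || { echo "FAIL ssh-keysign: $ks"; rc=1; }
    check_private_key "$2" && echo "ok   private key: $2" || { echo "FAIL private key: $2"; rc=1; }
    check_public_key "$3"  && echo "ok   public key: $3"  || { echo "FAIL public key: $3"; rc=1; }
    return $rc
}

# Paths from the message; the guard keeps the script a no-op where no such build exists.
if [ -x /usr/local/bin/ssh ]; then
    audit_client /usr/local/bin/ssh /usr/local/etc/ssh/ssh.client.ed25519 \
        /usr/local/etc/ssh/ssh.client.ed25519.pub || echo "audit found problems"
fi
```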