On Tue, Nov 8, 2016 at 1:02 PM, Harry Putnam <reader@xxxxxxxxxxx> wrote:
[...]
> gv harry> ssh -vv 2x
>
> OpenSSH_7.3p1-hpn14v11, OpenSSL 1.0.2j 26 Sep 2016

This is a third-party modified version of OpenSSH. Can you reproduce the problem with a stock OpenSSH from the source from openssh.com?

> debug1: match: OpenSSH_6.6 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000

OpenSSH 6.6 has a bug in curve25519-sha256@xxxxxxxxxx, which is the kex method later selected. Quoting the 6.7 release notes:
https://www.openssh.com/releasenotes.html#6.7

"""
 * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
   using the curve25519-sha256@xxxxxxxxxx KEX exchange method to fail
   when connecting with something that implements the specification
   correctly. OpenSSH 6.7 disables this KEX method when speaking to
   one of the affected versions.
"""

> debug1: kex: host key algorithm: ssh-ed25519
[...]
> debug1: Found key in /home/harry/.ssh/known_hosts:2
> debug2: bits set: 4134/8192
> debug2: ssh_ed25519_verify: crypto_sign_ed25519_open failed: -1
> ssh_dispatch_run_fatal: Connection to 192.168.1.42 port 22: incorrect signature

Maybe the same bug also affects ed25519 as a host key algorithm? If so, setting HostKeyAlgorithms in ssh_config on the client to something that doesn't include ssh-ed25519 might help.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
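
A triage script for the `ssh -vv` output discussed in this message, as an added example that is not part of the original post or of OpenSSH: it flags the three things the reply picks out (a patched client build, a 6.5/6.6 peer negotiating the curve25519 kex, and a failed host key signature check). The sample log is constructed from the lines quoted above; the `kex: algorithm` line and the unmasked kex name `curve25519-sha256@libssh.org` are assumptions, since the archive masks the domain.

```python
import re

# Constructed sample modelled on the lines quoted in the thread; the
# "kex: algorithm" line is assumed, it is not shown in the message.
SAMPLE = """\
OpenSSH_7.3p1-hpn14v11, OpenSSL 1.0.2j  26 Sep 2016
debug1: match: OpenSSH_6.6 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug2: ssh_ed25519_verify: crypto_sign_ed25519_open failed: -1
ssh_dispatch_run_fatal: Connection to 192.168.1.42 port 22: incorrect signature
"""

AFFECTED_PEERS = ("6.5", "6.6")  # versions named in the 6.7 release notes
AFFECTED_KEX = "curve25519-sha256@libssh.org"


def triage(log):
    """Return a list of (tag, detail) findings from `ssh -vv` output."""
    findings = []
    # Local banner: a suffix after the portable "pN" marks a modified build.
    m = re.search(r"^OpenSSH_(\d+\.\d+(?:p\d+)?)(-[^\s,]+)?", log, re.M)
    if m and m.group(2):
        findings.append(("patched-client", m.group(0)))
    # Peer version as recognised by the client's compat table.
    m = re.search(r"^debug1: match: OpenSSH_(\d+\.\d+)\S* pat ", log, re.M)
    peer = m.group(1) if m else None
    m = re.search(r"^debug1: kex: algorithm: (\S+)", log, re.M)
    kex = m.group(1) if m else None
    if peer in AFFECTED_PEERS and kex == AFFECTED_KEX:
        findings.append(("curve25519-kex-bug", f"peer {peer}, kex {kex}"))
    # Host key algorithm in use when the signature check failed.
    m = re.search(r"^debug1: kex: host key algorithm: (\S+)", log, re.M)
    if m and "incorrect signature" in log:
        findings.append(("hostkey-verify-failed", m.group(1)))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE):
        print(f"{tag}: {detail}")
```
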