Wrong host key fingerprint (and not written to ~/.ssh/known_hosts either)

[cyberduck]

101c5a4 created the issue

When I try to sftp with Cyberduck 4.5.0 - 4.5.2 (haven't tried any older versions) to an Xubuntu 14.04 box using public key authentication, Cyberduck issues the wrong host key fingerprint.

Issuing

for file in /etc/ssh/*sa_key.pub; do ssh-keygen -lf $file; done

on the command line on the Ubuntu server currently yields:

1024 b4:71:14:db:a2:3c:b2:77:ab:b2:1c:4d:56:5b:ad:e4 (DSA)
256 f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be (ECDSA)
2048 63:bd:65:67:f2:77:31:45:ad:00:24:eb:b8:ed:de:d9 (RSA)

Verifying that the file ~/.ssh/known_hosts on my Mac is empty, and connecting to this Ubuntu server, Cyberduck currently yields the following message (roughly translated from Dutch):

-Unknown host key for [ip-address]:port*
The system does not recognise this host. The host key-fingerprint is 58:83:70:ba:84:04:66:c7:5c:f6:82:1d:6f:51:79:f1.

As you can see, the fingerprint does not match any of the earlier mentioned host key fingerprints.

Eventhough I'm not a professional system administrator and therefore not entirely sure Cyberduck is the culprit, I've tried to verify that Cyberduck is indeed the one issuing the wrong fingerprint, instead of the Ubuntu server itself, by connecting to the Ubuntu server with cli sftp in terminal from the same Mac. This yields the correct unknown host fingerprint.

Furthermore, I've deleted all keys in /etc/ssh/ on the Ubuntu server and reconfigured openssh-server, in an earlier test, as well, with:

sudo dpkg-reconfigure openssh-server

then connected with Cyberduck again to verify that Cyberduck issues a new unknown host fingerprint (which also didn't match any of the actual fingerprints).

I've viewed system.log in Console.app also, just now, and see the possible issue (as these log entries do mention the correct ECDSA fingerprint) in these log messages (hostnames, ip addresses and port redacted):

  Aug 13 07:55:39 Mac [0x0-0x21021].ch.sudo.cyberduck[341]: net.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE] Could not verify `ecdsa-sha2-nistp256` host key with fingerprint `f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be` for `[ip-address]` on port [port]<br />Aug 13 07:55:39 Mac Cyberduck[341]: [reader] ERROR net.schmizz.sshj.transport.TransportImpl - Dying because - {}\n\nnet.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE] Could not verify `ecdsa-sha2-nistp256` host key with fingerprint `f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be` for `[ip-address]` on port [port]\n	at net.schmizz.sshj.transport.KeyExchanger.verifyHost(KeyExchanger.java:206)\n	at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:353)\n	at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:458)\n	at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:107)\n	at net.schmizz.sshj.transport.Decoder.received(Decoder.java:175)\n	at net.schmizz.sshj.transport.Reader.run(Reader.java:61)

So, with my limited understanding, it appears Cyberduck is receiving the correct fingerprint, but can't verify it yet subsequently still issues an unknown host message (with the wrong fingerprint).

Lastly, on accepting this (wrong) unknown host fingerprint, the host is not added to my ~/.ssh/known_hosts file either and Cyberduck therefore repeatedly issues the same unknown host message.

[cyberduck]

@dkocher commented

What a nice bug report!

[cyberduck]

101c5a4 commented

You're welcome, dkocher!

Wonderful program, this Cyberduck. Although it's a little unorthodox for not having an integrated local browser, it's very rich in its capabilities and completely blows Filezilla out of the water, in terms of usability, imho.

I hope you'll be able to fix this. Good luck!

[cyberduck]

@dkocher commented

Test and fix in 2f9ed9c.

[cyberduck]

@dkocher commented

This bug was introduced in 94fb76a.

[cyberduck]

@dkocher commented

#8175 closed as duplicate.