Wrong host key fingerprint (and not written to ~/.ssh/known_hosts either) #8173
Description
101c5a4 created the issue
When I try to sftp with Cyberduck 4.5.0 - 4.5.2 (haven't tried any older versions) to an Xubuntu 14.04 box using public key authentication, Cyberduck issues the wrong host key fingerprint.
Issuing
for file in /etc/ssh/*sa_key.pub; do ssh-keygen -lf $file; done
on the command line on the Ubuntu server currently yields:
1024 b4:71:14:db:a2:3c:b2:77:ab:b2:1c:4d:56:5b:ad:e4 (DSA)
256 f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be (ECDSA)
2048 63:bd:65:67:f2:77:31:45:ad:00:24:eb:b8:ed:de:d9 (RSA)
Verifying that the file ~/.ssh/known_hosts on my Mac is empty, and connecting to this Ubuntu server, Cyberduck currently yields the following message (roughly translated from Dutch):
-Unknown host key for [ip-address]:port*
The system does not recognise this host. The host key-fingerprint is 58:83:70:ba:84:04:66:c7:5c:f6:82:1d:6f:51:79:f1.
As you can see, the fingerprint does not match any of the earlier mentioned host key fingerprints.
Eventhough I'm not a professional system administrator and therefore not entirely sure Cyberduck is the culprit, I've tried to verify that Cyberduck is indeed the one issuing the wrong fingerprint, instead of the Ubuntu server itself, by connecting to the Ubuntu server with cli sftp in terminal from the same Mac. This yields the correct unknown host fingerprint.
Furthermore, I've deleted all keys in /etc/ssh/ on the Ubuntu server and reconfigured openssh-server, in an earlier test, as well, with:
sudo dpkg-reconfigure openssh-server
then connected with Cyberduck again to verify that Cyberduck issues a new unknown host fingerprint (which also didn't match any of the actual fingerprints).
I've viewed system.log in Console.app also, just now, and see the possible issue (as these log entries do mention the correct ECDSA fingerprint) in these log messages (hostnames, ip addresses and port redacted):
Aug 13 07:55:39 Mac [0x0-0x21021].ch.sudo.cyberduck[341]: net.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE] Could not verify `ecdsa-sha2-nistp256` host key with fingerprint `f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be` for `[ip-address]` on port [port]<br />Aug 13 07:55:39 Mac Cyberduck[341]: [reader] ERROR net.schmizz.sshj.transport.TransportImpl - Dying because - {}\n\nnet.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE] Could not verify `ecdsa-sha2-nistp256` host key with fingerprint `f0:2a:ce:00:bf:cc:fe:15:51:32:42:42:7d:f8:08:be` for `[ip-address]` on port [port]\n at net.schmizz.sshj.transport.KeyExchanger.verifyHost(KeyExchanger.java:206)\n at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:353)\n at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:458)\n at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:107)\n at net.schmizz.sshj.transport.Decoder.received(Decoder.java:175)\n at net.schmizz.sshj.transport.Reader.run(Reader.java:61)
So, with my limited understanding, it appears Cyberduck is receiving the correct fingerprint, but can't verify it yet subsequently still issues an unknown host message (with the wrong fingerprint).
Lastly, on accepting this (wrong) unknown host fingerprint, the host is not added to my ~/.ssh/known_hosts file either and Cyberduck therefore repeatedly issues the same unknown host message.