For some obscure reason F-Secure's SSH 3.2.0 redirects warnings down the connection stream, so when you do an ssh connect you will have a response like:

sshd2[4036]: WARNING: Configuration option SshPAMClientPath is deprecated.
sshd2[4036]: WARNING: DNS lookup failed for "1.1.1.1".
SSH-2.0-3.2.0 F-SECURE SSH

ssh-keyscan, in the function "congreet", only examines the first line for the SSH banner. This is different behaviour to the ssh connect command (which checks all lines in the first 256 bytes) for the SSH banner. Because of this you cannot use ssh-keyscan against hosts running this flavour of SSH unless all of the warnings are cleared. (There may also be a knock-on effect to the ssh command if there are a lot of warnings.)
I'm not sure if it's intentional on the part of the server, but it seems within the existing protocol spec: (http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-24.txt section 4.2). Looks like ssh and ssh-keyscan ought to read and ignore such lines.
Created attachment 985
Ignore leading junk from the server

This patch ignores junk prior to the "SSH-" ident, like we do in the client.
Created attachment 986
Better patch

This patch is better - it won't hang on servers that suddenly drop the connection before sending an SSH- ident.
fix applied, will be in openssh-4.3. thanks!
Change all RESOLVED bugs to CLOSED with the exception of the ones fixed post-4.4.
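The behaviour discussed in this report, as an added example that is not the attached patch or OpenSSH's own code: a scanner that skips lines sent before the "SSH-" ident and reports a clean failure when the stream ends without one, instead of waiting. The names find_ssh_ident and MAX_PRE_LINES, the status codes and the cap of 64 skipped lines are assumptions made for this example; the sample greeting is constructed from the response quoted in the report.

```c
#include <stdio.h>
#include <string.h>

enum { IDENT_OK = 0, IDENT_EOF = -1, IDENT_TOO_LONG = -2, IDENT_TOO_MANY_LINES = -3 };

#define MAX_IDENT 255      /* spec limit for the ident line, CR LF included */
#define MAX_PRE_LINES 64   /* assumption: cap picked for this example */

/* Constructed sample: the response quoted in the report, CR LF endings assumed. */
static const char sample_greeting[] =
    "sshd2[4036]: WARNING: Configuration option SshPAMClientPath is deprecated.\r\n"
    "sshd2[4036]: WARNING: DNS lookup failed for \"1.1.1.1\".\r\n"
    "SSH-2.0-3.2.0 F-SECURE SSH\r\n";

/* Hypothetical helper: copy the first complete line starting with "SSH-"
 * from buf[0..len) into out, without its line ending. */
int find_ssh_ident(const char *buf, size_t len, char *out, size_t outsz)
{
    size_t pos = 0;
    int skipped = 0;

    while (pos < len) {
        const char *line = buf + pos;
        const char *nl = memchr(line, '\n', len - pos);
        if (nl == NULL)
            return IDENT_EOF;            /* stream ended mid-line */
        size_t n = (size_t)(nl - line);
        if (n > 0 && line[n - 1] == '\r')
            n--;                         /* strip CR */
        if (n >= 4 && memcmp(line, "SSH-", 4) == 0) {
            if (n + 2 > MAX_IDENT || n >= outsz)
                return IDENT_TOO_LONG;
            memcpy(out, line, n);
            out[n] = '\0';
            return IDENT_OK;
        }
        if (++skipped > MAX_PRE_LINES)
            return IDENT_TOO_MANY_LINES; /* bound the work per connection */
        pos += (size_t)(nl - line) + 1;  /* next line */
    }
    return IDENT_EOF;                    /* peer closed before any ident */
}

int main(void)
{
    char ident[MAX_IDENT + 1];
    int rc = find_ssh_ident(sample_greeting, sizeof(sample_greeting) - 1,
                            ident, sizeof(ident));
    printf("rc=%d ident=%s\n", rc, rc == IDENT_OK ? ident : "(none)");
    return 0;
}
```

The cap on skipped lines keeps a server that never sends an ident from holding a scanning client indefinitely; a real client would pair it with a read timeout.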