Bug 2605

Summary: ssh-keyscan generates errors in /var/log/secure
Product: Portable OpenSSH Reporter: Tom Horsley <horsley1953>
Component: ssh-keyscanAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: djm, dtucker, jjelen
Priority: P5    
Version: 6.4p1   
Hardware: Other   
OS: Linux   

Description Tom Horsley 2016-08-18 22:01:10 AEST 
On my host system (centos 7) which has openssh-clients-6.4p1-8.el7.x86_64, if I run ssh-keyscan <target>, where the target system is fedora 24 with openssh-7.2p2-12.fc24.x86_64, then the /var/log/secure file on the target system gets this message:

Aug 18 07:45:29 tomh sshd[17626]: fatal: Unable to negotiate with 10.134.30.124 port 36367: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 [preauth]

It clutters up the log something fierce since I have automated tests running all the time and verifying host keys with ssh-keyscan before trying to ssh into the system.

It is also mysterious as heck, since the ssh-keyscan does in fact work, and subsequent ssh commands work, so it looks like something failed, sends me on a wild goose chase trying to find out what failed, and eventually leads me here to record this as a bug just in case it really is a bug (which I'm not sure of at all).

Any simple way to stop these log messages?
Comment 1 Darren Tucker 2016-08-18 22:04:25 AEST 
The severity of this message was changed in 7.2.  You could either upgrade or backport the patch:

https://anongit.mindrot.org/openssh.git/commit/?id=af1f084857621f14bd9391aba8033d35886c2455
Comment 2 Jakub Jelen 2016-08-19 17:21:58 AEST 
For Fedora 24, I have repo with the latest openssh version packaged:

https://copr.fedoraproject.org/coprs/jjelen/openssh-latest/

It should solve your issue, as pointed out by Darren (note that it was openssh-7.3, which changed the severity).
Comment 3 Darren Tucker 2016-08-23 10:32:38 AEST 
(In reply to Tom Horsley from comment #0)

> It clutters up the log something fierce since I have automated tests
> running all the time and verifying host keys with ssh-keyscan before
> trying to ssh into the system.

What value are you getting from  "verifying host keys with ssh-keyscan before trying to ssh" ?  ssh verifies host keys itself.

(In reply to Jakub Jelen from comment #2)
> It should solve your issue, as pointed out by Darren (note that it
> was openssh-7.3, which changed the severity).

Oops, right it was 7.3 not 7.2.
Comment 4 Tom Horsley 2016-08-23 19:09:06 AEST 
(In reply to Darren Tucker from comment #3)

> What value are you getting from  "verifying host keys with
> ssh-keyscan before trying to ssh" ?  ssh verifies host keys itself.

I meant that I make sure they are valid by setting the host key (so systems that have been regenned and have new host keys don't bring the automated scripts to a screeching halt wanting the answers to silly questions :-).
Comment 5 Damien Miller 2016-10-28 15:06:33 AEDT 
This is already fixed in openssh-7.3
Comment 6 Damien Miller 2021-04-23 14:55:38 AEST 
closing resolved bugs as of 8.6p1 release