Bug 3299

Summary: Fails to verify ED25519 server key
Product: Portable OpenSSH
Reporter: bvoigt
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED INVALID
Severity: normal
Priority: P5
Version: 8.5p1
Hardware: amd64
OS: Linux

Description bvoigt 2021-04-16 00:11:39 AEST
It suddenly fails to connect to my server:


debug1: Host '[gerrit01.buchhandlung.de]:29418' is known and matches the ED25519 host key.
debug1: Found key in /home/bvoigt/.ssh/known_hosts:1
debug2: ssh_ed25519_verify: crypto_sign_ed25519_open failed: -1
ssh_dispatch_run_fatal: Connection to 10.10.17.160 port 29418: incorrect signature


I have absolutely no idea what causes this misbehaviour, and Google does not know about it seemingly.

I have tried the following already:

- regenerated the SSH key pair and re-uploaded the public key to the gerrit server
- deleted ~/.ssh/known_hosts
- rebooted the client machine several times


After deleting ~/.ssh/known_hosts the debug output looks like this:

The authenticity of host '[gerrit01.buchhandlung.de]:29418 ([10.10.17.160]:29418)' can't be established.
ED25519 key fingerprint is SHA256:KA/Q41ad8fdDtDJFQIhkLzYgIoKMluW1JkFs6dOrJ/o.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[gerrit01.buchhandlung.de]:29418' (ED25519) to the list of known hosts.
debug2: ssh_ed25519_verify: crypto_sign_ed25519_open failed: -1
ssh_dispatch_run_fatal: Connection to 10.10.17.160 port 29418: incorrect signature

Comment 1 bvoigt 2021-04-16 00:13:24 AEST
From a different laptop running the same OpenSSH and OpenSSL version I can still access the server.

Comment 2 Damien Miller 2021-04-23 14:56:59 AEST
closing resolved bugs as of 8.6p1 release