KB1045 - SSH hostkey mismatch error
Last update: 2007-06-07 10:00:16
Revision: 9
Keywords: product_zorp zorp proxies ssh key error

Applies to: Zorp 3.1.4 and 3.1.5

Issue

The Zorp SSH proxy terminates all connections to the server. The Zorp log contains the following message:

SSH hostkey mismatch; fname='/etc/zorp/server_hostkeys/ssh-dss-192.168.1.100:22' 
Error validating server hostkey;

NOTE: This problem occurs only when the hostkey of the server was copied to Zorp manually.

Cause

SSH hostkey files store not only the key, but header and footer information as well. Zorp stores only the hostkey in the key file, without any additional data. If an SSH key is added manually to Zorp's known hosts list, the header and the footer must be removed from the file.

Solution

Verify that all keys stored in the self.server_hostkeys_dir directory are in the correct format.
Regular SSH key files contain a header, the key itself, and a footer, as in the sample below.

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAr9UhqkHOsh5/hJKtp6AQn...= root@host

However, Zorp stores only the keys in the file:

AAAAB3NzaC1yc2EAAAABIwAAAIEAr9UhqkHOsh5/hJKtp6AQn...=

When copying a key file manually into the self.server_hostkeys_dir directory, remove all header and footer information from the file.
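
The shell functions below are an added example, not part of Zorp or of the original article: one extracts the bare key from a regular public-key line (dropping the header such as ssh-rsa and the footer such as root@host), the other checks whether a file already holds only the key. The function names and the sample key are constructed for illustration, and only the ssh-rsa and ssh-dss key types are recognised.

```shell
#!/bin/sh
# Added example; not Zorp code. Function names are hypothetical.

# Pattern for a bare key: base64 only. Encoded SSH public keys start with
# "AAAA" because the blob begins with a 4-byte length field.
BARE_RE='^AAAA[A-Za-z0-9+/]+=*$'

# Print the bare key from one public-key line. Accepts "type key [comment]",
# a known_hosts-style "host type key [comment]", or an already bare key.
# Only the ssh-rsa and ssh-dss key types are recognised here.
bare_hostkey() {
    printf '%s\n' "$1" | awk -v re="$BARE_RE" '
        {
            key = ""
            for (i = 1; i < NF; i++)
                if ($i ~ /^ssh-(rsa|dss)$/) { key = $(i + 1); break }
            if (key == "" && NF == 1) key = $1   # no header or footer present
            if (key !~ re) exit 1                # refuse anything not base64
            print key
        }'
}

# Return 0 if FILE contains exactly one bare key and nothing else
# (blank lines are ignored), 1 if header/footer data is present, 2 if missing.
hostkey_file_is_bare() {
    [ -f "$1" ] || return 2
    awk -v re="$BARE_RE" '
        NF  { n++; if (NF != 1 || $1 !~ re) bad = 1 }
        END { exit !(n == 1 && !bad) }' "$1"
}

# Constructed sample key (not a real host key).
SAMPLE='AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedSampleKey='
bare_hostkey "ssh-rsa $SAMPLE root@host"    # prints only the key field
```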

Additional information / References

For more information on the Zorp SSH proxy, see the Module Ssh section in the Zorp Reference Guide available at
http://www.balabit.com/dl/html/zorp-reference-guide.html/bk01-toc.html#python.Ssh
For examples on using the SSH proxy, see the Proxying secure channels - SSH Technical Tutorial available at
http://www.balabit.com/support/documentation/
