
We are connecting via ssh to a remote host from java with the sshj library. To do so we have configured a single fingerprint that is used during host verification.

After some time we started to get random host key verification errors. Out of multiple ssh connections, only some fail with

Disconnecting because none of the configured Host key verifiers ([net.schmizz.sshj.transport.verification.FingerprintVerifier$1@1696cbbf]) could verify 'ssh-ed25519' host key with fingerprint ... for ...

As far as I understand this is because the host has multiple keys configured for different algorithms (ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256).

  1. What is the correct approach here, should we add multiple verifiers, one for each known key?
  2. Why is it random? What method is used by ssh/sshj to select the key being used?
Krever
  • Connecting to remote host - Are you connecting directly to the host, or is port forwarding involved? – rootkonda Feb 26 '20 at 08:06
  • No forwarding I know of, but the infrastructure is managed by a separate team. Is there an easy way to find out? – Krever Feb 26 '20 at 08:14
  • I will check, but you do have an insecure option, i.e. setting StrictHostKeyChecking=no for ssh. – rootkonda Feb 26 '20 at 10:48
  • There might be a distributed SSH farm behind it, each server returning a different host key? Some of the time the connection is routed to a server for which you don't have the "correct" key. – Jokkeri Apr 30 '20 at 12:11

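The following is an added example, not code from the question or from the sshj project, showing one way to pin a separate fingerprint for each host key algorithm a server may present. It relies on public sshj API that I am confident exists (`SSHClient.addHostKeyVerifier`, `FingerprintVerifier.getInstance`, `KeyType.fromKey`, `SecurityUtils.getFingerprint`); the class name `MultiKeyHostVerifier` and the `pin` helper are inventions for this example. It also implements `findExistingAlgorithms`, which I believe recent sshj releases call to move already-trusted host key algorithms to the front of the client's KEXINIT proposal (assumption: the method exists on the `HostKeyVerifier` interface in sshj 0.26 and later; no `@Override` is used so the class still compiles against older releases, where the method is simply never called). Fingerprints are taken from the command line rather than hard-coded so nothing here is invented; obtain them with `ssh-keyscan <host> | ssh-keygen -lf -` from a trusted network path.

```java
import java.io.IOException;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import net.schmizz.sshj.SSHClient;
import net.schmizz.sshj.common.KeyType;
import net.schmizz.sshj.common.SecurityUtils;
import net.schmizz.sshj.transport.verification.FingerprintVerifier;
import net.schmizz.sshj.transport.verification.HostKeyVerifier;

/**
 * Hypothetical verifier (written for this example, not part of sshj) that pins
 * one fingerprint per host key algorithm, so a server that owns several host
 * keys is accepted whichever of its pinned keys it presents.
 */
public final class MultiKeyHostVerifier implements HostKeyVerifier {

    // Wire name of the key algorithm ("ssh-ed25519", "ssh-rsa", ...) -> verifier for its fingerprint.
    private final Map<String, HostKeyVerifier> pinned = new LinkedHashMap<>();

    /** Pins a fingerprint; FingerprintVerifier accepts "SHA256:<b64>", "SHA1:<b64>", "MD5:<hex>" or colon-hex. */
    public MultiKeyHostVerifier pin(String keyAlgorithm, String fingerprint) {
        pinned.put(keyAlgorithm, FingerprintVerifier.getInstance(fingerprint));
        return this;
    }

    @Override
    public boolean verify(String hostname, int port, PublicKey key) {
        // KeyType.fromKey maps the Java PublicKey back to its SSH algorithm name.
        String algorithm = KeyType.fromKey(key).toString();
        HostKeyVerifier verifier = pinned.get(algorithm);
        if (verifier == null) {
            // Diagnostic for the "random" failures: record exactly which key type and fingerprint
            // the server presented (MD5 colon-hex form, as SecurityUtils produces it).
            System.err.printf("No pinned fingerprint for %s key %s presented by %s:%d%n",
                    algorithm, SecurityUtils.getFingerprint(key), hostname, port);
            return false;
        }
        return verifier.verify(hostname, port, key);
    }

    /**
     * Reports the algorithms we already trust. Assumption: sshj 0.26+ consults this when building
     * its KEXINIT proposal and prefers these algorithms, so the server picks a key we can verify.
     * Deliberately not annotated with @Override so the class compiles against older sshj too.
     */
    public List<String> findExistingAlgorithms(String hostname, int port) {
        return new ArrayList<>(pinned.keySet());
    }

    /** Usage: MultiKeyHostVerifier <host> <ed25519-fp> <rsa-fp> <ecdsa-fp>  (fingerprints supplied by the operator). */
    public static void main(String[] args) throws IOException {
        if (args.length != 4) {
            System.err.println("usage: MultiKeyHostVerifier <host> <ed25519-fp> <rsa-fp> <ecdsa-fp>");
            System.exit(2);
        }
        MultiKeyHostVerifier verifier = new MultiKeyHostVerifier()
                .pin("ssh-ed25519", args[1])
                .pin("ssh-rsa", args[2])
                .pin("ecdsa-sha2-nistp256", args[3]);

        // SSHClient is Closeable; connect() performs key exchange and host verification before returning.
        try (SSHClient client = new SSHClient()) {
            client.addHostKeyVerifier(verifier);
            client.connect(args[0], 22);
            System.out.println("Host key verified for " + args[0]);
        }
    }
}
```

The alternative the question proposes also works in my understanding of sshj: calling `client.addHostKeyVerifier("SHA256:...")` once per known key registers one `FingerprintVerifier` each, and the transport accepts the host if any registered verifier accepts the presented key. The single-class version above adds two things a practitioner wants when debugging this symptom: a log line naming the key type actually presented (which distinguishes "server picked an unpinned algorithm" from "a different server behind a load balancer answered", as the last comment suggests), and the algorithm hint that lets sshj steer the server toward a key you have pinned. If the fingerprint for the same algorithm differs between connections, the cause is not algorithm selection but more than one backend host, and each backend's key must be pinned.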
0 Answers