Bug#1103392: marked as done (incorrect signature when ssh'ing to an AIX server (Big Endian) from X86 (Little endian))

[Debian Bug Tracking System]

Your message dated Mon, 21 Apr 2025 18:27:02 +0100
with message-id <aaz_5osdc64ga...@riva.ucam.org>
and subject line Re: Bug#1103392: Info received (Bug#1103392: incorrect 
signature when ssh'ing to an AIX server (Big Endian) from X86 (Little endian))
has caused the Debian Bug report #1103392,
regarding incorrect signature when ssh'ing to an AIX server (Big Endian) from 
X86 (Little endian)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1103392: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103392
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: openssh-client
Version: 1:10.0p1-2
Severity: important
Tags: upstream
X-Debbugs-Cc: debian-am...@lists.debian.org,
debian-powe...@lists.debian.org
User: debian-am...@lists.debian.org
Usertags: amd64
User: debian-powe...@lists.debian.org
Usertags: ppc64el




-- System Information:
Debian Release: trixie/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.13-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8),
LANGUAGE=en_NZ:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii adduser 3.150
ii init-system-helpers 1.68
ii libc6 2.41-7
ii libedit2 3.1-20250104-1
ii libfido2-1 1.15.0-1+b1
ii libgssapi-krb5-2 1.21.3-5
ii libselinux1 3.8.1-1
ii libssl3t64 3.5.0-1
ii passwd 1:4.17.4-1
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1

Versions of packages openssh-client recommends:
ii xauth 1:1.1.2-1.1

Versions of packages openssh-client suggests:
pn keychain <none>
pn libpam-ssh <none>
pn monkeysphere <none>
ii ssh-askpass 1:1.2.4.1-16+b1

-- no debconf information



If I delete the key from the known_hosts I get the additional line just
before the incorrect signature:
debug2: ssh_ed25519_verify: crypto_sign_ed25519_open failed: -1


debug1: OpenSSH_10.0p2 Debian-2, OpenSSL 3.5.0 8 Apr 2025
debug3: Running on Linux 6.12.13-amd64 #1 SMP PREEMPT_DYNAMIC Debian
6.12.13-1 (2025-02-09) x86_64
debug3: Started with: ssh -vvvvvvvvvv SERVERNAME
debug1: Reading configuration data /home/jfp/.ssh/config
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 19: Including file
/etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-
ssh-proxy.conf
debug3: /etc/ssh/ssh_config line 19: Including file
/etc/ssh/ssh_config.d/ssh-jfp.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/ssh-jfp.conf
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' ->
'/home/jfp/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' ->
'/home/jfp/.ssh/known_hosts2'
debug2: resolving "SERVERNAME" port 22
debug3: resolve_host: lookup SERVERNAME:22
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to SERVERNAME [10.160.21.22] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/jfp/.ssh/id_rsa type 0
debug1: identity file /home/jfp/.ssh/id_rsa-cert type -1
debug1: identity file /home/jfp/.ssh/id_ecdsa type -1
debug1: identity file /home/jfp/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/jfp/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/jfp/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/jfp/.ssh/id_ed25519 type 3
debug1: identity file /home/jfp/.ssh/id_ed25519-cert type -1
debug1: identity file /home/jfp/.ssh/id_ed25519_sk type -1
debug1: identity file /home/jfp/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/jfp/.ssh/id_xmss type -1
debug1: identity file /home/jfp/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_10.0p2 Debian-2
debug1: Remote protocol version 2.0, remote software version
OpenSSH_9.9
debug1: compat_banner: match: OpenSSH_9.9 pat OpenSSH* compat
0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to SERVERNAME:22 as 'jpi4319'
debug3: record_hostkey: found key type ECDSA in file
/home/jfp/.ssh/known_hosts:54
debug3: load_hostkeys_file: loaded 1 keys from SERVERNAME
debug3: order_hostkeyalgs: prefer hostkeyalgs:
ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp256
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: mlkem768x25519-sha256,sntrup761x25519-
sha512,sntrup761x25519-sha...@openssh.com,curve25519-
sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-
nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-
sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-
sha512,diffie-hellman-group14-sha256,ext-info-
c,kex-strict-c-...@openssh.com
debug2: host key algorithms:
ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-
nistp256,ssh-ed25519-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com
,ecdsa-sha2-nistp521-cert-...@openssh.com,sk-ssh-ed25519-cert-...@openssh.com
,sk-ecdsa-sha2-nistp256-cert-...@openssh.com,rsa-sha2-512-cert-...@openssh.com
,rsa-sha2-256-cert-...@openssh.com,ssh-ed25519,ecdsa-sha2-
nistp384,ecdsa-sha2-
nistp521,sk-ssh-ed25...@openssh.com,sk-ecdsa-sha2-nistp...@openssh.com,
rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos:
chacha20-poly1...@openssh.com,aes128-...@openssh.com,aes256-...@openssh.com
,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc:
chacha20-poly1...@openssh.com,aes128-...@openssh.com,aes256-...@openssh.com
,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos:
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com
,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com
,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com
,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com
,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,z...@openssh.com
debug2: compression stoc: none,z...@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-
sha512,sntrup761x25519-sha...@openssh.com,mlkem768x25519-
sha256,curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-
nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-
exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-
sha512,diffie-hellman-group14-sha256,ext-info-
s,kex-strict-s-...@openssh.com
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-
nistp256,ssh-ed25519
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-
ctr,chacha20-poly1...@openssh.com,aes128-...@openssh.com,aes256-...@openssh.com
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-
ctr,chacha20-poly1...@openssh.com,aes128-...@openssh.com,aes256-...@openssh.com
debug2: MACs ctos:
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com
,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com
,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com
,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com
,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,z...@openssh.com
debug2: compression stoc: none,z...@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: mlkem768x25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC:
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC:
<implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp256
SHA256:v3CpWA7KYkA/0T/Zz2ogEoDFcng+0zhA7o52ASgQgiQ
debug3: record_hostkey: found key type ECDSA in file
/home/jfp/.ssh/known_hosts:54
debug3: load_hostkeys_file: loaded 1 keys from SERVERNAME
debug1: load_hostkeys: fopen /home/jfp/.ssh/known_hosts2: No such file
or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or
directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: Host 'SERVERNAME' is known and matches the ECDSA host key.
debug1: Found key in /home/jfp/.ssh/known_hosts:54
ssh_dispatch_run_fatal: Connection to XX.XX.XX.XX port 22: incorrect
signature

--- End Message ---

--- Begin Message ---

On Sat, Apr 19, 2025 at 08:22:37AM +1200, Jean-Francois Pirus wrote:

It's a known bug in upstream 9.9p1 (ssh-server) fixed in 9.9p2

Yes, looking at the upstream bug it's clear there's nothing more to do here in Debian; the server just needs to be upgraded to have the fix. Closing.

Thanks,

--
Colin Watson (he/him)                              [cjwat...@debian.org]

--- End Message ---