FOTS1370 Host key verification failed. when using FQN

Discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
Post Reply
rjchavez
Posts: 8
Joined: Tue Aug 06, 2019 7:07 am

FOTS1370 Host key verification failed. when using FQN

Post by rjchavez »

We're using Co:Z SFTP v 5..6.0 to connect to an AWS server and receive 'FOTS1370 Host key verification failed.' but only when we use the FQDN of the server. It works fine when we use the hard-coded IP address. Any assistance would be greately appreciated. (FQDN and IP addresses altered for security purposes) Here's the trace:

Code: Select all

Co:Z SFTP version: 5.6.0 (6.4p1) 2019-08-20
Copyright (C) Dovetailed Technologies, LLC. 2008-2019. All rights reserved.
Connecting to awsserver.com...
[05.628] debug3: connect_to_server arg=/bin/ssh
[05.629] debug3: connect_to_server arg=-oForwardX11 no
[05.629] debug3: connect_to_server arg=-oForwardAgent no
[05.629] debug3: connect_to_server arg=-oClearAllForwardings yes
[05.629] debug3: connect_to_server arg=-v
[05.629] debug3: connect_to_server arg=-v
[05.629] debug3: connect_to_server arg=-v
[05.629] debug3: connect_to_server arg=-i
[05.630] debug3: connect_to_server arg=/u/keyuser/.ssh/id_rsa
[05.630] debug3: connect_to_server arg=-obatchmode yes
[05.631] debug3: connect_to_server arg=-l
[05.631] debug3: connect_to_server arg=keyuser
[05.631] debug3: connect_to_server arg=-oProtocol 2
[05.631] debug3: connect_to_server arg=-s
[05.632] debug3: connect_to_server arg=--
[05.632] debug3: connect_to_server arg=awsserver.com
[05.632] debug3: connect_to_server arg=sftp
[05.668] debug2: setting ssh _CEE_RUNOPTS=HEAP(12M,1M,ANYWHERE,FREE),ENVAR("_CEE_REALLOC_CONTROL=256K,25")
OpenSSH_6.4, OpenSSL 1.0.2h  3 May 2016
debug1: Reading configuration data /u/myuserid/.ssh/config
debug3: cipher ok: aes128-ctr [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: cipher ok: aes192-ctr [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: cipher ok: aes256-ctr [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: cipher ok: aes128-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: cipher ok: aes192-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: cipher ok: aes256-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: cipher ok: rijndael-cbc@lysator.liu.se [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: cipher ok: 3des-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: cipher ok: aes256-gcm@openssh.com [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: cipher ok: aes128-gcm@openssh.com [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: cipher ok: arcfour128 [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: cipher ok: arcfour256 [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: cipher ok: blowfish-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: cipher ok: cast128-cbc [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: cipher ok: arcfour [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug3: ciphers ok: [aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /u/myuserid/.ssh/zos_user_ssh_config
debug3: setUseZEDC: 1
debug1: zsshSmfSetConnSmfStatus: SMF status is 0
debug2: ssh_connect: needpriv 0
debug1: Connecting to awsserver.com [10.10.10.10] port 22.
debug1: Connection established.
debug1: cipher_init: none from source OpenSSL, used in non-FIPS mode
debug1: cipher_init: none from source OpenSSL, used in non-FIPS mode
debug1: permanently_set_uid: 0/100
debug3: zsshGetpw: passwd name=myuserid, uid=0, gid=100, dir=/u/myuserid, shell=/bin/sh
debug3: Incorrect RSA1 identifier
debug3: Could not load "/u/keyuser/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /u/keyuser/.ssh/id_rsa type 1
debug1: identity file /u/keyuser/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
debug1: Remote protocol version 2.0, remote software version AWS_SFTP_1.0
debug1: no match: AWS_SFTP_1.0
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "awsserver.com" from file "/u/myuserid/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "awsserver.com" from file "/etc/ssh/ssh_known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,arcfour
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug1: mac_setup_by_alg: hmac-sha1-etm@openssh.com from source CPACF, used in non-FIPS mode
debug2: mac_setup: found hmac-sha1-etm@openssh.com
debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com none
debug1: mac_setup_by_alg: hmac-sha1-etm@openssh.com from source CPACF, used in non-FIPS mode
debug2: mac_setup: found hmac-sha1-etm@openssh.com
debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com none
debug1: choose_kex: ecdh-sha2-nistp256 from source OpenSSL, used in non-FIPS mode
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA MD5 fp 2d:13:59:2b:d9:15:59:3e:2f:d2:f8:e1:8e:33:c7:a2
debug3: load_hostkeys: loading entries for host "awsserver.com" from file "/u/myuserid/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "awsserver.com" from file "/etc/ssh/ssh_known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "10.10.10.10" from file "/u/myuserid/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /u/myuserid/.ssh/known_hosts:16
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "10.10.10.10" from file "/etc/ssh/ssh_known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat
FOTS1370 Host key verification failed.
debug3: zsshZertSetAttributes(5): SECATTR_IOCTL: 010205000000113c000000001838a720c9c2d440d6978595e2e2c8404040404000000000000000000000000000000000
debug3: zsshZertSetAttributes(5): _SECATTR_SSH_SPEC: 0200c00000000000e2c6e3d7c340404000000000000f00040006000f00040006000100000001000000000000
debug3: zERT SIOCSECATTR failed: EDC5247I Operation not supported. (errno2=0x76647365)
[06.017] Connection closed
rjchavez
Posts: 8
Joined: Tue Aug 06, 2019 7:07 am

Re: FOTS1370 Host key verification failed. when using FQN

Post by rjchavez »

I was able to get it work by copying the hard-coded IP address key entry in /etc/ssh/ssh_known_hosts and editing the IP address to use the FQDN.
rjchavez
Posts: 8
Joined: Tue Aug 06, 2019 7:07 am

Re: FOTS1370 Host key verification failed. when using FQN

Post by rjchavez »

rjchavez wrote: Fri Aug 21, 2020 9:40 am I was able to get it work by copying the hard-coded IP address key entry in /etc/ssh/ssh_known_hosts and editing the IP address to use the FQDN.
PS: There was an entry for the FQDN in the user's known_hosts file with the correct key and it would not accept it. The only differenct was that the key I added to the ssh_known_hosts file included both the FQDN and IP address.
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: FOTS1370 Host key verification failed. when using FQN

Post by dovetail »

Note: host key verification is done by IBM z/OS OpenSSH (Co:Z SFTP starts a /bin/ssh connection for the underlying ssh connection).
The FOTS1370 error message is therefore coming from IBM z/OS OpenSSH (/bin/ssh).

The way that it is supposed to work, the host key verification should succeed if there is any line found in $HOME/.ssh/known_hosts of /etc/ssh/ssh_known_hosts that matches the host name / ip that has the matching key.

from the IBM z/OS OpenSSH User's Guide:
It is thus permissible (but not recommended) to have several lines or different host keys for the same
names. This will happen when short forms of host names from different domains are put in the file. It is
possible that the files contain conflicting information. Authentication is accepted if valid information can
be found from either file.
So, what you are saying seems not to agree with this. To be sure that it is not working correctly, you would need to run the failing case with "-vvv" tracing enabled on the ssh or cozsftp client and look at the trace output to verify what was happening. If there is truly a bug, it would be in IBM z/OS OpenSSH, but we would be happy to help diagnose.
Post Reply