# SSH "key_verify failed" probem revisiting

## gt231

Hi all,

I recently have experienced some weird problems with OpenSSH (both 3.4 and 3.5). Now I use the lastest rsynced Gentoo 1.2 with gcc 2.95.3. The OpenSSH 3.5 was built and started without problems and ssh from other hosts to the Gentoo box is OK. However when I tried to ssh from the Gentoo box to other hosts (running both SSH2 3.2.2 and OpenSSH 3.4 & 3.5) I get following errors:

```

debug1: ssh_dss_verify: signature incorrect

key_verify failed for server_host_key

```

I've 2 Gentoo boxes which have exactly the same problem. The complete "ssh -v" output is as follows: The "-vvv" gives almost the same info for the part concerning.

```

user1@host1 user1 $ ssh -2 -v host2

OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090608f

debug1: Reading configuration data /home/user1/.ssh/config

debug1: Applying options for *

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug1: Rhosts Authentication disabled, originating port will not be trusted.

debug1: ssh_connect: needpriv 0

debug1: Connecting to host2 [xxx.xxx.xxx.xxx] port 22.

debug1: Connection established.

debug1: identity file /home/user1/.ssh/id_rsa type 1

debug1: identity file /home/user1/.ssh/id_dsa type 2

debug1: Remote protocol version 1.99, remote software version 3.2.2 SSH Secure Shell (non-commercial)

debug1: no match: 3.2.2 SSH Secure Shell (non-commercial)

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_3.5p1

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client blowfish-cbc hmac-md5 none

debug1: kex: client->server blowfish-cbc hmac-md5 none

debug1: dh_gen_key: priv key bits set: 121/256

debug1: bits set: 521/1024

debug1: sending SSH2_MSG_KEXDH_INIT

debug1: expecting SSH2_MSG_KEXDH_REPLY

debug1: Host 'host2' is known and matches the DSA host key.

debug1: Found key in /home/user1/.ssh/known_hosts:18

debug1: bits set: 516/1024

debug1: ssh_dss_verify: signature incorrect

key_verify failed for server_host_key

debug1: Calling cleanup 0x8068d50(0x0)

```

I did some googling before the post. The problem doesn't seem to be new for Gentoo. The same problem has been posted in this forum and Gentoo-user mailing list before but I've not seen any real solutions:  

https://forums.gentoo.org/viewtopic.php?t=10938&highlight=ssh+keyverify

http://www.elvisdieguez.us/docs/Gentoo/user-mailingList/msg13459.html

Anyone knows what's going on?

----------

## David_Escott

I had success reducing my optimizations for openssl. The other time I just went back to the basic configuration and reconfigured ssh

----------

## gt231

Nice! It works, thanks David! 

I think maybe we should notice the ebuilder of OpenSSL to strip some optimization flags in the ebuild to keep OpenSSH working, and maybe the optimized OpenSSL could even affect something else.

----------

## David_Escott

Except it doesn't seem to always happen. I haven't changed my use variables  since having to do it that one time and haven't had problems. If you want see if you can narrow it down to a specific optimization otherwise just keep in mind that sometimes odd behavior can come from optimizations.

----------

## gt231

I did some experiments with the optimization flags which could affect OpenSSL and find out that the one causing the problem is 

```

-funroll-loops

```

Without this one OpenSSH survives with even quite aggressive optimization. I tried 

```

CFLAGS="-march=i686 -mcpu=i686 -O3 -fforce-addr -fomit-frame-pointer -frerun-cse-after-loop -frerun-loop-opt -malign-functions=4"

```

It works just fine  :Smile: .

----------

## David_Escott

good work now just post a bug report (also i bet a number of those optimizations were redundant for instance march supercedes mcpu)

David

Its always easier when you can get someone else to do your work for you  :wink:

----------

