Wind River Support Network


LIN7-6610 : CLONE - wrlinux 5 - openSSH multiple ECDSA keys

Created: Jul 29, 2016    Updated: Sep 8, 2018
Resolved Date: Aug 8, 2016
Previous ID: LIN5-21837
Found In Version:
Fix Version:
Severity: Standard
Applicable for: Wind River Linux 7
Component/s: Userspace


OpenSSH offers the possibility of creating multiple ECDSA keys (the ECDSA implementation supports 3 different ECDSA key lengths, which are not compatible with each other).

OpenSSH then offers 3 keys to the client, but in practice the client can use only one of those keys.

Steps to Reproduce

1. Configure a wrlinux 5 RCPL35 project based on any BSP, standard kernel/filesystem.

2. On the server side, we create keys with the following commands:
/usr/bin/ssh-keygen -t ecdsa -b 256 -f /etc/ssh/ssh_host_ecdsa_256_key
/usr/bin/ssh-keygen -t ecdsa -b 384 -f /etc/ssh/ssh_host_ecdsa_384_key
/usr/bin/ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_521_key

Then we add the following entries to /etc/ssh/sshd_config:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_256_key
HostKey /etc/ssh/ssh_host_ecdsa_384_key
HostKey /etc/ssh/ssh_host_ecdsa_521_key

Then, on the client, in /etc/ssh/ssh_config:
HostKeyAlgorithms ecdsa-sha2-nistp384

When trying to connect from the client to the server using the ssh command, the server should offer the ecdsa_384 key during negotiation, but it offers the ecdsa_256 key (probably the first in the HostKey list) instead.
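
The expected result for the configuration above, as an added example (not part of the original report and not OpenSSH or Wind River code): RFC 4253 section 7.1 selects the first host key algorithm on the client's list that the server also supports. The function names, the constructed config text and the path-to-algorithm map (standing in for the first field of each .pub file) are assumptions, and the RFC's key-exchange capability conditions are ignored.

```python
# Constructed sample: the HostKey entries from the report's sshd_config.
SSHD_CONFIG = """\
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_256_key
HostKey /etc/ssh/ssh_host_ecdsa_384_key
HostKey /etc/ssh/ssh_host_ecdsa_521_key
"""

# Constructed sample: algorithm name as it would appear in the first field of
# each <key>.pub file produced by the ssh-keygen commands in the report.
PUB_ALGS = {
    "/etc/ssh/ssh_host_rsa_key": "ssh-rsa",
    "/etc/ssh/ssh_host_ecdsa_256_key": "ecdsa-sha2-nistp256",
    "/etc/ssh/ssh_host_ecdsa_384_key": "ecdsa-sha2-nistp384",
    "/etc/ssh/ssh_host_ecdsa_521_key": "ecdsa-sha2-nistp521",
}

def host_keys(config_text):
    """Return HostKey paths in file order (keywords are case-insensitive)."""
    paths = []
    for line in config_text.splitlines():
        fields = line.split()
        # Comment lines start with '#', so their first field never matches.
        if len(fields) >= 2 and fields[0].lower() == "hostkey":
            paths.append(fields[1])
    return paths

def expected_host_key(config_text, pub_algs, client_algs):
    """First client-listed algorithm that the server has a key for, or None."""
    by_alg = {}
    for path in host_keys(config_text):
        by_alg.setdefault(pub_algs[path], path)
    for alg in (a.strip() for a in client_algs.split(",")):
        if alg in by_alg:
            return alg, by_alg[alg]
    return None  # no common algorithm: negotiation should fail

def ecdsa_algorithms(config_text, pub_algs):
    """Configured ECDSA host key algorithms; more than one matches this report."""
    return [pub_algs[p] for p in host_keys(config_text)
            if pub_algs[p].startswith("ecdsa-sha2-")]

if __name__ == "__main__":
    # Client setting from the report: HostKeyAlgorithms ecdsa-sha2-nistp384
    print(expected_host_key(SSHD_CONFIG, PUB_ALGS, "ecdsa-sha2-nistp384"))
    print(ecdsa_algorithms(SSHD_CONFIG, PUB_ALGS))
```

Comparing this expected key with the host key type shown in `ssh -v` output on the client shows whether a given build is affected.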
