05-22-2007 06:10 AM
This is after deleting the previously stored key from
/home/myid/.ssh/known_hosts.
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /home/myid/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh_known_hosts
debug3: check_host_in_hostfile: filename /home/myid/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh_known_hosts
debug3: check_host_in_hostfile: filename /home/myid/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh_known_hosts
debug2: no key of type 0 for host router1
debug3: check_host_in_hostfile: filename /home/myid/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh_known_hosts2
debug3: check_host_in_hostfile: filename /home/myid/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /etc/ssh_known_hosts
debug2: no key of type 2 for host router1
The authenticity of host 'router1 (10.1.5.9)' can't be established.
RSA key fingerprint is 22:e3:6d:c1:12:be:0e:63:4c:77:0c:b5:67:74:c5:ae.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'router1,10.1.5.9' (RSA) to the list of known hosts.
debug2: bits set: 507/1024
RSA_public_decrypt failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
debug1: ssh_rsa_verify: signature incorrect
key_verify failed for server_host_key
debug1: Calling cleanup 0x2d2e4(0x0)
There's no hardware change on the Cisco device.
"show cryp key mypubkey rsa" looks fine.
Never mind, turns out no SSH server is running on the router.
05-22-2007 11:47 AM
Just FYI, when troubleshooting SSH, the first thing I typically do is telnet to TCP port 22 on the target device. This allows me to confirm, first, that SSH is running, and second, what protocol version is being used:
1.5 : The device only supports SSHv1
1.99 : The device supports both SSHv1 and SSHv2 (RME will use SSHv2 to communicate with the device)
2.0 : The device only supports SSHv2
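The banner check described in the post above, as an added example that is not part of the original thread: it reads the identification string a device sends on TCP port 22 and maps the protocol version to the three cases listed, and it also reports the case where the port answers but no SSH identification string arrives. The function names are hypothetical and the sample banners are constructed, not captured from the router in this thread.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion[ SP comments]"
_IDENT = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")

MEANING = {
    "1.5": "SSHv1 only",
    "1.99": "SSHv1 and SSHv2",
    "2.0": "SSHv2 only",
}

def classify_banner(raw: bytes):
    """Return (protoversion, software, meaning), or None if no SSH ident line."""
    text = raw.decode("ascii", errors="replace")
    for line in text.splitlines():
        # A server may send other text lines before its identification string.
        m = _IDENT.match(line)
        if m:
            proto, software = m.groups()
            return proto, software, MEANING.get(proto, "unrecognised version")
    return None

def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read whatever the service sends first; b'' if it stays silent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(256)
        except socket.timeout:
            return b""

def check(host: str) -> str:
    """One-line verdict for a host (hypothetical helper, needs network access)."""
    try:
        result = classify_banner(grab_banner(host))
    except OSError as exc:
        return f"{host}: TCP/22 not reachable ({exc})"
    if result is None:
        return f"{host}: port answers but sent no SSH identification string"
    proto, software, meaning = result
    return f"{host}: SSH-{proto} ({software}): {meaning}"

# Constructed sample banners (assumed format, not taken from the thread)
SAMPLES = [b"SSH-1.5-Cisco-1.25\n", b"SSH-1.99-Cisco-1.25\r\n",
           b"SSH-2.0-Cisco-1.25\r\n", b"\r\nUser Access Verification\r\n", b""]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(repr(banner), "->", classify_banner(banner))
```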
05-22-2007 11:50 AM
In this case, it's answering on port 22, but "show ssh" indicates there's no SSHv1 or v2 server running.
%No SSHv2 server connections running.
%No SSHv1 server connections running.
12-30-2015 11:01 AM
The issue: RSA_public_decrypt failed: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
key_verify failed for server_host_key
is related to the Cisco router. The RSA keys are corrupted and you cannot connect to the router with an SSH client in SSH v2.
Enable telnet access on the router
enable
conf t
line vty 0 4
logging synchronous
length 0
transport input telnet ssh
line vty 5 15
logging synchronous
transport input telnet ssh
12-30-2015 02:11 PM
Since it's a router, don't forget a "wr mem".
07-24-2017 07:37 AM
I know this is an old post but wanted to add the solution that worked for me.
I attempted @Ipsnetwork's fix, to no avail.
The Fix:
conf t
crypto key generate rsa mod 2048 label <label_name>
ip ssh rsa keypair-name <label_name>
07-24-2017 11:26 AM
Can you send the output of the following commands:
sh ver | in image
sh ip ssh
(You can skip the RSA key hash area of the "sh ip ssh" output, since you shouldn't share that online.)
08-27-2019 05:08 AM - edited 08-27-2019 05:09 AM
@normanksmith I had a slightly different error, but this solution fixed the issue.
07-14-2021 10:06 PM
This label technique fixed it for us too.
Thanks Norman.