SFTP rsa-sha2-256, rsa-sha2-512 key exchange issue #10143
Comments
The question is probably what the condition should be for using the updated string? Can we detect its presence in a better way than checking for the libssh2 version? |
|
The string with methods is used in a call to libssh2_session_method_pref() which removes all unsupported methods. |
|
@norbertmm you up for writing a PR for this perhaps? |
|
never done this ... |
As is supported by recent libssh2, but should just be ignored by older versions. Reported-by: norbertmm on github Fixes #10143
|
@norbertmm Is #10145 what you had in mind? I admit I have not really read up on the subtleties involved here. |
|
@bagder Yes, that's right. |
Compiled and linked curl to libssh2 current github master dev branch in order to get rsa-sha2-256 and rsa-sha2-512 server-key-exchange methods.
First SSH server connect works fine, server key gets saved to ssh local keyfile. Subsequent connects failing always because curl offers only "ssh-rsa", not "rsa-sha2-256" and "rsa-sha2-512" anymore, to server.
Could fix the issue with a little change to /lib/vssh/libssh2.c :
In ssh_force_knownhost_key_type()
static const char * const hostkey_method_ssh_rsa = "rsa-sha2-256,rsa-sha2-512,ssh-rsa";instead of
static const char * const hostkey_method_ssh_rsa = "ssh-rsa";This is the debug output when SFTP/SSH connect fails:
* Connected to 10.45.120.110 (10.45.120.110) port 22 (#0)* Found host 10.45.120.110 in my_ssh_known_hosts.txt* Set "ssh-rsa" as SSH hostkey type* Failure establishing ssh session: -5, Unable to exchange encryption keys* Closing connection 0I think as soon a new libssh2 release is available (1.11.0), someone needs to address this issue in order to get rsa-sha2-256 and rsa-sha2-512. The old ssh-rsa (SHA1) is disabled within OpenSSH since version 8.8, 2021-09-26.
The text was updated successfully, but these errors were encountered: