Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

curl with SFTP fails to verify ECDSA keys present in known hosts files #5252

Closed
ansasaki opened this issue Apr 17, 2020 · 0 comments
Closed

curl with SFTP fails to verify ECDSA keys present in known hosts files #5252

ansasaki opened this issue Apr 17, 2020 · 0 comments
Labels
SCP/SFTP

Comments

@ansasaki
Copy link
Contributor

Initially reported in https://bugzilla.redhat.com/show_bug.cgi?id=1824926

When the server uses an ECDSA key, curl fails to verify it's entry in the known hosts file when accessing using SFTP.

Using RSA, ED25519, or DSA keys no error is generated and the download is successful.

I did this

In Fedora 32, using curl-7.69.1-1.fc32.x86_64

  1. Create an ECDSA key pair for the SSH server:
# ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
  1. Authorize the user key to access the SSH server (assuming the user has an RSA key):
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
  1. Add the entry to the known_hosts file
$ echo 'localhost $(cat "/etc/ssh/ssh_host_ecdsa_key.pub")' >> ~/.ssh/known_hosts
  1. Create a file to download:
$ dd if=/dev/zero of=~/testfile bs=1M count=1
  1. Restart SSH server
$ systemctl restart sshd
  1. Download using curl and SFTP
$ curl -o ./sftp_file -u testuser: --key ~/.ssh/id_rsa \
  --pubkey ~/.ssh/id_rsa.pub sftp://localhost/home/$(whoami)/testfile

Then I get the following error:

curl: (60) SSL peer certificate or SSH remote key was not OK

I expected the following

No errors and the file is successfully downloaded

curl/libcurl version

[curl -V output]

curl 7.69.1 (x86_64-redhat-linux-gnu) libcurl/7.69.1 OpenSSL/1.1.1d-fips zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0
Release-Date: 2020-03-11
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

operating system

Linux fedora32 5.6.2-301.fc32.x86_64 #1 SMP Tue Apr 7 18:23:18 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
SCP/SFTP
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

libssh: Use new ECDSA key types to check known hosts ansasaki/curl
2 participants
@jay @ansasaki