
#1448 curl does not use port-number information in known_hosts check

Status: closed-fixed
Labels: SSH
Priority: 5
Updated: 2015-01-29
Created: 2014-11-09
Private: No

Problem

When connecting to scp/sftp, curl checks the host key against the known_hosts file.
But curl does not use the port-number information in this check.
Therefore, there are problems when connecting to a non-default port (e.g. 10022).

Suggested fix

libssh2 has a check function that takes a port number, so you can use it.

--- a/lib/ssh.c
+++ b/lib/ssh.c
@@ -543,8 +543,9 @@
       keybit = (keytype == LIBSSH2_HOSTKEY_TYPE_RSA)?
         LIBSSH2_KNOWNHOST_KEY_SSHRSA:LIBSSH2_KNOWNHOST_KEY_SSHDSS;

-      keycheck = libssh2_knownhost_check(sshc->kh,
+      keycheck = libssh2_knownhost_checkp(sshc->kh,
                                          conn->host.name,
+                                         (conn->remote_port != PORT_SSH)?conn->remote_port:-1,
                                          remotekey, keylen,
                                          LIBSSH2_KNOWNHOST_TYPE_PLAIN|
                                          LIBSSH2_KNOWNHOST_KEYENC_RAW|
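Review bot: libssh2_knownhost_checkp() only exists from libssh2 1.2.6 onward, so as written this hunk breaks the build against older libssh2; the call should be wrapped in a libssh2 version check (e.g. on LIBSSH2_VERSION_NUM) that falls back to the old libssh2_knownhost_check() call, which is also what the maintainer's reply below proposes. The new argument `(conn->remote_port != PORT_SSH)?conn->remote_port:-1` also deserves a one-line comment saying that -1 means "no port given", so the plain `host` entry is matched for the default port while `[host]:port` entries are consulted for any other port; without it the special-casing of PORT_SSH looks arbitrary.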

Example

(Using OpenSSH)
$ ssh -p 10022 ban@localhost cat /tmp/hello.txt
Password:
hello

(Before patching)
$ curl -u ban scp://localhost:10022/tmp/hello.txt
Enter host password for user 'ban':
curl: (51) SSL peer certificate or SSH remote key was not OK

(After patching)
$ ./curl -u ban scp://localhost:10022/tmp/hello.txt
Enter host password for user 'ban':
hello

Version info

I tried the latest Debian package.

$ curl -V
curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1j zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP
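To make the failure mode in the Problem section concrete, here is an added example (not curl's or libssh2's own code) of a minimal OpenSSH-style known_hosts lookup. OpenSSH stores a key learned on a non-default port under "[host]:port", so a check that only looks up the bare host name compares against the port 22 entry and reports a mismatch, which is what produces curl's error 51 above. The known_hosts contents, salt and key blobs below are constructed placeholders, and the hashed-entry handling goes slightly beyond the report by also covering OpenSSH's `|1|salt|hash|` host fields.

```python
# Added example, not curl's or libssh2's own code: a minimal OpenSSH-style
# known_hosts lookup showing why a port-unaware host-key check fails for a
# non-default port. OpenSSH records keys learned on non-default ports under
# "[host]:port", so a lookup by bare host name compares against the wrong
# entry (port 22's key) and reports a mismatch.
import base64
import hashlib
import hmac


def hash_host(name: str, salt: bytes) -> str:
    """Build an OpenSSH hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, name))|."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def host_matches(pattern: str, name: str) -> bool:
    """Match one known_hosts host field (plain list or hashed) against a lookup name."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _, _ = pattern.split("|")
        recomputed = hash_host(name, base64.b64decode(salt_b64))
        return hmac.compare_digest(recomputed.encode(), pattern.encode())
    # Plain entries may list several names separated by commas.
    # Wildcards and "!" negation are left out for brevity.
    return name in pattern.split(",")


def parse_known_hosts(text: str):
    """Return (host_field, key_type, key) tuples; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)  # host_field, key_type, key, optional comment
        if len(parts) < 3:
            continue
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def check_host_key(entries, host: str, port: int, key_type: str, key: str,
                   use_port: bool = True) -> str:
    """Return "match", "mismatch" or "notfound".

    use_port=True follows OpenSSH's convention: look up "host" for port 22 and
    "[host]:port" for any other port. use_port=False always looks up the bare
    host name, which is the behaviour the report describes for unpatched curl.
    """
    name = host if (not use_port or port == 22) else "[%s]:%d" % (host, port)
    seen = False
    for host_field, ktype, known_key in entries:
        if ktype != key_type or not host_matches(host_field, name):
            continue
        seen = True
        if hmac.compare_digest(known_key.encode(), key.encode()):
            return "match"
    return "mismatch" if seen else "notfound"


# Constructed sample file. The key blobs are placeholders, not real public keys.
_SALT = b"constructed-salt-20B"  # constructed 20-byte salt
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "localhost ssh-rsa AAAAKEY_FOR_PORT_22",
    "[localhost]:10022 ssh-rsa AAAAKEY_FOR_PORT_10022",
    hash_host("[example.test]:2222", _SALT) + " ssh-ed25519 AAAAKEY_HASHED_HOST",
])
ENTRIES = parse_known_hosts(SAMPLE_KNOWN_HOSTS)


if __name__ == "__main__":
    key = "AAAAKEY_FOR_PORT_10022"
    # Port-unaware lookup hits the port-22 entry and mismatches; port-aware lookup matches.
    print("port-unaware:", check_host_key(ENTRIES, "localhost", 10022, "ssh-rsa", key, use_port=False))
    print("port-aware:  ", check_host_key(ENTRIES, "localhost", 10022, "ssh-rsa", key))
```

Run it as a script to see the two results side by side. Note that a "mismatch" result is the dangerous one to silence: a client that finds a key for the bare host name and sees a different key has no way to tell a harmless non-default-port server from a changed key, which is why the fix must change the lookup name rather than relax the comparison.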

Discussion

  • Daniel Stenberg - 2014-11-09

    Thanks, I'll just add some version dependent check for that function since it didn't exist before libssh2 1.2.6 ...

  • Daniel Stenberg - 2014-11-09
    • labels: --> SSH
    • status: open --> open-confirmed
    • assigned_to: Daniel Stenberg

  • Daniel Stenberg - 2014-11-09
    • status: open-confirmed --> closed-fixed

  • Daniel Stenberg - 2014-11-09

    Thanks a lot, pushed as commit 18e1a3022de just now!

  • Nobuhiro Ban - 2014-11-10

    I tested daily snapshot 7.39.1-20141110; it works well.
    Thank you for the fix.