Re: curl/libssh2 ssh-rsa issue
From: João M. S. Silva via curl-users <curl-users_at_lists.haxx.se>
Date: Fri, 2 Jun 2023 17:11:18 +0100
I realized -DOPENSSL_NO_RSA=1 disables all of
rsa-sha2-256,rsa-sha2-512,ssh-rsa.
However I now tried in openssl.h:
//#ifdef OPENSSL_NO_RSA
# define LIBSSH2_RSA 1
# define LIBSSH2_RSA_SHA1 0
# define LIBSSH2_RSA_SHA2 1
//#else
//# define LIBSSH2_RSA 1
//# define LIBSSH2_RSA_SHA1 1
//# define LIBSSH2_RSA_SHA2 1
//#endif
but I still get
[libssh2] 0.544712 Key Ex: Agreed on HOSTKEY method: rsa-sha2-256
but then:
[libssh2] 0.556782 Key Ex: Server's SHA1 Fingerprint:
bb:a7:b6:31:cb:b5:65:89:94:7a:dd:5f:e0:f8:d5:dd:b9:20:70:e5
[libssh2] 0.557479 Key Ex: Server's SHA256 Fingerprint:
3/lVMCZ0wyB6DaOgMv4vQRB0SS9u9Lfk7VLAla2HkSM=
[libssh2] 0.557701 Failure Event: unexpected rsa type: ssh-rsa
[libssh2] 0.557964 Failure Event: -10 - Unable to initialize hostkey
importer ECDH
[libssh2] 0.558097 Failure Event: -8 - Unrecoverable error exchanging keys
[libssh2] 0.558234 Failure Event: -8 - Unable to exchange encryption keys
* Failure establishing ssh session: -8, Unable to exchange encryption keys
which seems strange. We should be able to enable SHA2 and not SHA1.
Moreover rsa-sha2-256 was agreed.
If I enable both SHA1 and SHA2 this works, and correctly chooses
rsa-sha2-256.
But why doesn't it work with SHA2 only?
Seems like it's because: Failure Event: unexpected rsa type: ssh-rsa
but why? Who is adding ssh-rsa to the list?
João M. S. Silva
On Fri, Jun 2, 2023 at 2:12 PM João M. S. Silva <
joao.m.santos.silva_at_gmail.com> wrote:
> Hi.
>
> I've been recently able to fix the issue with libssh2, which is:
>
> If curl * Set "rsa-sha2-256,rsa-sha2-512,ssh-rsa" as SSH hostkey type
> libssh2 uses ssh-rsa (not rsa-sha2-256,rsa-sha2-512) and the connection
> fails since the destination does not accept ssh-rsa.
>
> $ grep HostKeyAlgorithms /etc/ssh/sshd_config
> HostKeyAlgorithms
> rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
>
> I fixed this building both curl and libssh2 from git master.
>
> But now I was trying the same with the latest releases of both:
>
> wget --no-check-certificate
> https://www.libssh2.org/download/libssh2-1.11.0.tar.xz
> tar xvf libssh2-1.11.0.tar.xz
> cd libssh2-1.11.0
> ./configure CFLAGS="-DOPENSSL_NO_RSA=1 -DOPENSSL_NO_DSA=1
> -DOPENSSL_NO_RC4=1 -DOPENSSL_NO_CAST=1 -DOPENSSL_NO_DES=1
> -DOPENSSL_NO_MD5=1"
> make -j
> sudo find /usr/local > a.txt
> sudo make install
> sudo find /usr/local > b.txt
> diff a.txt b.txt | grep ^\> | cut -f 2 -d ' ' > c.txt
> tar acvf libssh2.tar.xz --files-from=c.txt -P
>
> wget --no-check-certificate https://curl.se/download/curl-8.1.2.tar.xz
> tar xvf curl-8.1.2.tar.xz
> cd curl-8.1.2
> ./configure --enable-ares --with-openssl
> --with-libssh2=/home/shared/libssh2-1.11.0
> make -j
> sudo find /usr/local > a.txt
> sudo make install
> sudo find /usr/local > b.txt
> diff a.txt b.txt | grep ^\> | cut -f 2 -d ' ' > c.txt
> tar acvf curl.tar.xz --files-from=c.txt -P
>
> However, with these builds I cannot fix the issue, I get:
>
> $ curl -vvvvvv -T A sftp://127.0.0.1//home/shared/B -u x:y
> * !!! WARNING !!!
> * This is a debug build of libcurl, do not use in production.
> * STATE: INIT => CONNECT handle 0x55e16c7a5638; line 1951 (connection
> #-5000)
> * Added connection 0. The cache now contains 1 members
> * STATE: CONNECT => CONNECTING handle 0x55e16c7a5638; line 2004
> (connection #0)
> % Total % Received % Xferd Average Speed Time Time Time
> Current
> Dload Upload Total Spent Left
> Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
> 0* Trying 127.0.0.1:22...
> * Connected to 127.0.0.1 (127.0.0.1) port 22 (#0)
> * STATE: CONNECTING => PROTOCONNECT handle 0x55e16c7a5638; line 2112
> (connection #0)
> * User: x
> * Password: y
> * SSH socket: 6
> * SFTP 0x55e16c75da28 state change from SSH_STOP to SSH_INIT
> * Found host 127.0.0.1 in /home/shared/.ssh/known_hosts
> * Set "rsa-sha2-256,rsa-sha2-512,ssh-rsa" as SSH hostkey type
> * SFTP 0x55e16c75da28 state change from SSH_INIT to SSH_SESSION_FREE
> * SFTP 0x55e16c75da28 state change from SSH_SESSION_FREE to SSH_STOP
> * multi_done: status: 79 prem: 1 done: 0
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
> 0
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
> 0
> * multi_done, not re-using connection=0, forbid=0, close=1, premature=1,
> conn_multiplex=0
> * The cache now contains 0 members
> * Curl_disconnect(conn #0, dead=1)
> * SSH DISCONNECT starts now
> * SSH DISCONNECT is done
> * Closing connection 0
> * Expire cleared (transfer 0x55e16c7a5638)
> curl: (79) Error in the SSH layer
>
> I have also defined:
>
> lib/vssh/libssh2.c:#define CURL_LIBSSH2_DEBUG
>
> Is there a way, without writing custom code, to make curl/libssh2 output
> the specific reason for failure?
>
> Thanks.
>
> João M. S. Silva
>
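The "unexpected rsa type: ssh-rsa" line above has a protocol explanation: RFC 8332 reuses the ssh-rsa public key format for rsa-sha2-256 and rsa-sha2-512, so the host key blob a server sends is typed "ssh-rsa" even when rsa-sha2-256 was the agreed method; nothing adds ssh-rsa to the list, it is the key format name. The following added Python example (not code from the thread, libssh2 or curl; the RSA modulus is a constructed toy value) builds and parses such a blob, contrasts an importer check that compares against the algorithm name with one that maps the agreed algorithm to its key format, and derives the SHA1 and SHA256 fingerprints in the shape the libssh2 trace prints them.

```python
# Added example (not code from the thread, libssh2 or curl). RFC 8332 s.3: the
# rsa-sha2-256/512 signature algorithms reuse the ssh-rsa *public key format*,
# so a server's RSA host key blob reads "ssh-rsa" even when rsa-sha2-256 was
# agreed; an importer must map agreed algorithm -> key format before comparing.
import base64
import hashlib
import struct

KEY_FORMAT_FOR_SIGALG = {"ssh-rsa": "ssh-rsa", "rsa-sha2-256": "ssh-rsa", "rsa-sha2-512": "ssh-rsa"}

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for value >= 0: extra 0x00 byte when the high bit is set."""
    raw = b"" if value == 0 else value.to_bytes((value.bit_length() + 8) // 8, "big")
    return ssh_string(raw)

def read_ssh_string(buf: bytes, off: int):
    (length,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + length], off + 4 + length

def build_rsa_hostkey_blob(e: int, n: int) -> bytes:
    """RSA host key as carried in KEXDH_REPLY (RFC 4253 s.6.6)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def parse_rsa_hostkey_blob(blob: bytes):
    """Return (key_type, e, n); reject trailing bytes."""
    key_type, off = read_ssh_string(blob, 0)
    e_raw, off = read_ssh_string(blob, off)
    n_raw, off = read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes in host key blob")
    return key_type.decode("ascii"), int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")

def naive_hostkey_check(blob: bytes, agreed_sigalg: str) -> bool:
    """Compare blob type to the agreed algorithm name: rejects every rsa-sha2-* key."""
    return parse_rsa_hostkey_blob(blob)[0] == agreed_sigalg

def rfc8332_hostkey_check(blob: bytes, agreed_sigalg: str) -> bool:
    """Compare blob type to the key format implied by the agreed algorithm."""
    return parse_rsa_hostkey_blob(blob)[0] == KEY_FORMAT_FOR_SIGALG[agreed_sigalg]

def fingerprints(blob: bytes):
    """Fingerprints of the raw blob as the libssh2 trace shows them: SHA1 colon-hex, SHA256 base64."""
    sha1 = ":".join(f"{b:02x}" for b in hashlib.sha1(blob).digest())
    return sha1, base64.b64encode(hashlib.sha256(blob).digest()).decode()

TOY_BLOB = build_rsa_hostkey_blob(65537, 0xC0FFEE1D_DEADBEEF_0BADF00D_FEEDFACE)  # constructed toy key
```

Running `rfc8332_hostkey_check(TOY_BLOB, "rsa-sha2-256")` accepts the key while `naive_hostkey_check` rejects it with exactly the mismatch the trace reports, which is why disabling the ssh-rsa (SHA1) path can break rsa-sha2 key import if the importer's type check lives behind the SHA1 guard.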
Received on 2023-06-02