Re: curl/libssh2 ssh-rsa issue
From: João M. S. Silva via curl-users <curl-users_at_lists.haxx.se>
Date: Tue, 13 Jun 2023 15:34:55 +0100
>
> > * Set "rsa-sha2-256,rsa-sha2-512,ssh-rsa" as SSH hostkey type
>
> "ssh-rsa" uses SHA1. Try removing it from the SSH hostkey type string.
>
I can't, because that's set by curl. Curl sees an RSA SHA2 4096-bit key in
known_hosts, which is the one it uses, setting
"rsa-sha2-256,rsa-sha2-512,ssh-rsa".
I changed curl's code before to transform
"rsa-sha2-256,rsa-sha2-512,ssh-rsa" into "rsa-sha2-256,rsa-sha2-512", but it
does not have an effect, because when libssh2 received it, it would fall back to
ssh-rsa anyway.
But now that is fixed in libssh2. libssh2 now "upgrades" to SHA2 keys and
the connection works.
So part of the problem is solved. The missing part is that I didn't want to
have in the system a build of libssh2 where SHA1 is allowed, but I am not
able to configure that during build: either SHA2 is accompanied by SHA1 or
SHA2 does not work alone.
I think I'll have to trace this behavior in libssh2's code to see where in
fact the decision is made to not accept SHA2 connections if SHA1 was disabled at
compilation time.
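The two pieces of the workaround the message describes, as an added example (not curl's or libssh2's own code): stripping the SHA-1 entry from the host key method preference string before it is handed to libssh2, and a post-handshake check that the method libssh2 actually negotiated is not SHA-1 based. The helper names are hypothetical; the libssh2 calls named in the comments (libssh2_session_method_pref, libssh2_session_methods) are where a caller would use them.

```c
#include <string.h>

/* Added example, not curl or libssh2 code: helpers around the host key
   method preference string that curl hands to libssh2. */
/* Methods whose signatures are SHA-1 based. */
static int is_sha1_hostkey_method(const char *name, size_t len)
{
    return len == 7 && (memcmp(name, "ssh-rsa", 7) == 0 ||
                        memcmp(name, "ssh-dss", 7) == 0);
}

/* Copy the comma-separated list `prefs` into `out` (capacity outsz), dropping
   SHA-1 entries: "rsa-sha2-256,rsa-sha2-512,ssh-rsa" -> "rsa-sha2-256,rsa-sha2-512",
   ready for libssh2_session_method_pref(s, LIBSSH2_METHOD_HOSTKEY, out).
   Returns the number of entries kept, or -1 if `out` is too small. */
int strip_sha1_hostkey_methods(const char *prefs, char *out, size_t outsz)
{
    size_t used = 0;
    int kept = 0;
    const char *p = prefs;
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len > 0 && !is_sha1_hostkey_method(p, len)) {
            if (used + len + (kept ? 1 : 0) + 1 > outsz)
                return -1;           /* never truncate a method name */
            if (kept)
                out[used++] = ',';
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
            kept++;
        }
        p = comma ? comma + 1 : p + len;
    }
    return kept;
}

/* Post-handshake guard: feed it what libssh2_session_methods(s,
   LIBSSH2_METHOD_HOSTKEY) reports, so a silent fallback to ssh-rsa is
   rejected rather than trusted. */
int hostkey_method_acceptable(const char *negotiated)
{
    return negotiated != NULL &&
           !is_sha1_hostkey_method(negotiated, strlen(negotiated));
}
```

The second check is what closes the gap the message points at: even if a build of libssh2 still allows SHA-1, the caller can refuse a session that ended up on ssh-rsa.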
Received on 2023-06-13