issues with CURL using RSA keys + SFTP
From: Ian Veach via curl-users <curl-users_at_lists.haxx.se>
Date: Fri, 14 Feb 2025 00:08:15 +0000
The nutshell: We get an "authentication failure" when using curl and sftp with RSA keys. We don't know why, and debug/verbose/trace don't reveal anything useful, but we don't think it's an authentication failure due to user/keys/access. Source is an AIX 7.2 system running curl, destination is a RHEL9 system running the DEFAULT cryptopolicy (which doesn't allow SHA1 signing, but does use SHA1 MAC and RSA keys). In testing, we used the same source and destination servers:
- fails: curl + sftp + rsa keys
- works: scp or sftp + same rsa keys as above (i.e. keys ok, network ok, access allowance ok)
- works: curl + sftp + rsa keys, but turning on SHA1 in cryptopolicy on destination (i.e. seems to be SHA1 related)
- works: curl + sftp + ed25519 keys (i.e. curl+sftp ok, access allowance ok)
Given the above, we think our issue is specific to curl+sftp+no-SHA1 signing, but we don't know why/how. However, the curl is pretty modern and should (I assume) be using sha256 or sha512 for signing. I think somehow it's reverting to sha1 internally/compat, but not sure how to verify that. More background:
The curl is IBM-provided through AIX Toolbox. Although not the current 8.12.1, it's as recent as we can get from them that is supported / without compiling:
$ curl --version
curl 8.6.0 (powerpc-ibm-aix7.1.5.0) libcurl/8.6.0 OpenSSL/1.1.1v zlib/1.2.13 libssh2/1.10.0 nghttp2/1.58.0 OpenLDAP/2.5.16
Release-Date: 2024-01-31
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM SPNEGO SSL threadsafe UnixSockets
We could perhaps compile if we absolutely have to, but interactions with Peoplesoft and... oracle cruft.... make that a bit difficult/dangerous.
Actual runs:
[user_at_aixsource:~/test]$ # failing curl + sftp + rsa keys
[user_at_aixsource:~/test]$ curl --trace file -u remoteuser: --key $keydir/rsa --pubkey $keydir/rsa.pub -T foo \
sftp://rhel9server.foo.com:/tmp/bar
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (67) Authentication failure
[user_at_aixsource:~/test]$ # scp with same keys works
[user_at_aixsource:~/test]$ scp -s -i $keydir/rsa foo remoteuser_at_rhel9server.foo.com:/tmp/bar
SSH is not allowed for i2i accounts. Only scp and sftp will be able to continue.
foo 100% 0 0.0KB/s 00:00
[user_at_aixsource:~/test]$ # same curl as above, but using ed25519 keys, works
[user_at_aixsource:~/test]$ curl --trace file -u remoteuser: --key $keydir/ed25519 --pubkey $keydir/ed25519.pub -T foo \
sftp://rhel9server.foo.com:/tmp/bar
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0
[user_at_aixsource:~/test]$ # scp with ed25519 keys works
[user_at_aixsource:~/test]$ scp -s -i $keydir/ed25519 foo remoteuser_at_rhel9server.foo.com:/tmp/bar
SSH is not allowed for i2i accounts. Only scp and sftp will be able to continue.
foo 100% 0 0.0KB/s 00:00
Tracefile:
== Info: Host rhel9server.foo.com:22 was resolved.
== Info: IPv6: (none)
== Info: IPv4: 10.10.10.1
== Info: Trying 10.10.10.1:22...
== Info: Connected to rhel9server.foo.com (10.10.10.1) port 22
== Info: Found host rhel9server.foo.com in /home/localuser/.ssh/known_hosts
== Info: Set "ecdsa-sha2-nistp256" as SSH hostkey type
== Info: SSH MD5 public key: NULL
== Info: SSH SHA256 public key: NULL
== Info: SSH host check: 0, key: KEYREDACTED
== Info: SSH authentication methods available: publickey,gssapi-keyex,gssapi-with-mic,password
== Info: Using SSH public key file '/home/localuser/test/rsa.pub'
== Info: Using SSH private key file '/home/localuser/test/rsa'
== Info: SSH public key authentication failed: Invalid signature for supplied public key, or bad username/public key combination
== Info: Failure connecting to agent
== Info: Authentication failure
== Info: Closing connection
So... anyone have ideas (other than perhaps recompiling newer source... our last resort)?
Thanks!
Ian
PUBLIC RECORDS NOTICE: In accordance with NRS Chapter 239, this email and responses, unless otherwise made confidential by law, may be subject to the Nevada Public Records laws and may be disclosed to the public upon request.
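An added diagnostic for the symptom above, written by the editor; it is not part of Ian's message and not curl's or libssh2's own tooling. The detail that matters in the quoted banner is libssh2/1.10.0: libssh2 only gained the rsa-sha2-256 and rsa-sha2-512 public-key signature methods in release 1.11.0, so an older build signs RSA user keys with the legacy ssh-rsa (SHA-1) method, which is exactly what sshd on a RHEL 9 host under the DEFAULT crypto policy refuses. That matches every line of the failing/working matrix: ed25519 keys never involve ssh-rsa, OpenSSH's scp/sftp negotiate rsa-sha2-*, and re-enabling SHA1 on the destination makes the SHA-1 signature acceptable again. The script below parses a curl --version banner to flag the condition, and provides a manual probe that makes OpenSSH's own sftp reproduce the rejection by offering only ssh-rsa. The banner string is the one quoted in the post; the function names, the version threshold check, and the OpenSSH 8.5+ option name PubkeyAcceptedAlgorithms (older releases spell it PubkeyAcceptedKeyTypes) are the editor's assumptions.

```shell
#!/bin/sh
# Editor-added diagnostic for curl+sftp+RSA failing against a RHEL 9 host on the
# DEFAULT crypto policy. Not from the original post. Assumption: libssh2 older
# than 1.11.0 signs RSA user keys only with "ssh-rsa" (SHA-1); 1.11.0 and later
# can negotiate rsa-sha2-256/rsa-sha2-512.

# Constructed sample input: the "curl --version" banner quoted in the post.
SAMPLE_BANNER='curl 8.6.0 (powerpc-ibm-aix7.1.5.0) libcurl/8.6.0 OpenSSL/1.1.1v zlib/1.2.13 libssh2/1.10.0 nghttp2/1.58.0 OpenLDAP/2.5.16'

# Print the libssh2 version named in a curl banner; prints nothing when curl is
# built against another SSH backend (the token is then "libssh/" or "wolfssh/").
libssh2_version() {
    printf '%s\n' "$1" | sed -n 's/.*libssh2\/\([0-9][0-9.]*\).*/\1/p'
}

# Succeed when dotted version $1 is greater than or equal to $2 (up to 3 fields).
version_ge() {
    newest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
    [ "$newest" = "$1" ]
}

# Classify a curl banner for RSA public-key authentication:
#   sha1-only     libssh2 < 1.11.0: expect "Invalid signature for supplied public
#                 key" against servers that refuse ssh-rsa (SHA-1) signatures
#   sha2-capable  libssh2 >= 1.11.0: rsa-sha2-256/512 can be negotiated
#   no-libssh2    banner names no libssh2 (libssh/wolfSSH build, or no SSH at all)
rsa_signing_class() {
    v=$(libssh2_version "$1")
    if [ -z "$v" ]; then
        echo no-libssh2
    elif version_ge "$v" 1.11.0; then
        echo sha2-capable
    else
        echo sha1-only
    fi
}

# Manual probe (needs the network; not run by the tests): make OpenSSH's sftp
# offer only the SHA-1 "ssh-rsa" signature with the same key. If this fails while
# a plain "sftp -i key user@host" succeeds, the server rejects SHA-1 RSA
# signatures, which is the failure mode a SHA-1-only curl build hits.
#   usage: probe_sha1_rsa "$keydir/rsa" remoteuser@rhel9server.foo.com
probe_sha1_rsa() {
    printf 'pwd\n' | sftp -b - -o BatchMode=yes -o IdentitiesOnly=yes \
        -o PubkeyAcceptedAlgorithms=ssh-rsa -i "$1" "$2"
}

# Classify whatever curl is first in PATH, falling back to the sample banner when
# no curl is installed so the script stays runnable offline.
main() {
    banner=$(curl --version 2>/dev/null | head -n 1)
    [ -n "$banner" ] || banner=$SAMPLE_BANNER
    printf '%s\n' "$banner"
    printf 'libssh2: %s -> %s\n' "$(libssh2_version "$banner")" "$(rsa_signing_class "$banner")"
}

main
```

Run on the AIX box, the classification for the quoted banner is "sha1-only". On the RHEL 9 side, update-crypto-policies --show and sshd -T | grep -i pubkeyacceptedalgorithms show whether ssh-rsa is in the accepted list, and the sshd journal for the failed attempt records which signature algorithm was refused, which is the direct way to confirm that curl signed with SHA-1. The fix options follow from the classification: a curl linked against libssh2 1.11.0 or newer, or keeping ed25519 (or ecdsa) keys for this transfer path so no ssh-rsa signature is ever produced.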
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette: https://curl.se/mail/etiquette.html
Received on 2025-02-14