curl-tracker Archives
[curl:bugs] #1448 curl does not use port-number information in known_hosts check
From: Nobuhiro Ban <ban_nobuhiro_at_users.sf.net>
Date: Mon, 10 Nov 2014 14:03:39 +0000
I tested daily snapshot 7.39.1-20141110; it works well.
---

**[bugs:#1448] curl does not use port-number information in known_hosts check**

**Status:** closed-fixed
**Labels:** SSH
**Created:** Sun Nov 09, 2014 10:30 AM UTC by Nobuhiro Ban
**Last Updated:** Mon Nov 10, 2014 01:08 AM UTC
**Owner:** Daniel Stenberg

Problem
-------

When connecting to scp/sftp, curl checks the host key with the known_hosts file. But curl does not use port-number information in this check. Therefore, there are problems when connecting to a non-default port (e.g. 10022).

Suggested fix
-------------

libssh2 has a check method with port number. So you can use it.

--- a/lib/ssh.c +++ b/lib/ssh.c 
@@ -543,8 +543,9 @@ keybit = (keytype == LIBSSH2_HOSTKEY_TYPE_RSA)? LIBSSH2_KNOWNHOST_KEY_SSHRSA:LIBSSH2_KNOWNHOST_KEY_SSHDSS; - keycheck = libssh2_knownhost_check(sshc->kh, + keycheck = libssh2_knownhost_checkp(sshc->kh, conn->host.name, + (conn->remote_port != PORT_SSH)?conn->remote_port:-1, remotekey, keylen, LIBSSH2_KNOWNHOST_TYPE_PLAIN| LIBSSH2_KNOWNHOST_KEYENC_RAW|

Example
-------

(Using OpenSSH)

    $ ssh -p 10022 ban_at_localhost cat /tmp/hello.txt
    Password:
    hello

(Before patching)

    $ curl -u ban scp://localhost:10022/tmp/hello.txt
    Enter host password for user 'ban':
    curl: (51) SSL peer certificate or SSH remote key was not OK

(After patching)

    $ ./curl -u ban scp://localhost:10022/tmp/hello.txt
    Enter host password for user 'ban':
    hello

Version info
------------

I tried the latest Debian package.

    $ curl -V
    curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1j zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
    Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP

Received on 2014-11-10
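
Review bot: the new port argument in the lib/ssh.c hunk, `(conn->remote_port != PORT_SSH)?conn->remote_port:-1`, needs a one-line comment saying why the default port is mapped to -1 rather than passed through, since that mapping decides which known_hosts entry the key is compared against and a reader cannot infer it from the call. Spaces around `?` and `:` would also make the expression easier to read. Separately, the call is switched from libssh2_knownhost_check to libssh2_knownhost_checkp with no guard visible in the hunk, so please confirm that every libssh2 version this code path is built against provides libssh2_knownhost_checkp, or keep the old call as a fallback for versions that do not.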
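
To illustrate the Problem section of the report above, here is an added example (not code from curl, libssh2 or the reporter) that models an OpenSSH-style known_hosts lookup with and without the port. It assumes the OpenSSH file conventions (`[host]:port` for non-default ports, `|1|salt|hash` for hashed names), ignores wildcard and negated patterns, and uses constructed keys and hypothetical function names.

```python
import base64, hashlib, hmac

# Constructed sample data: two sshd instances on one machine, different host keys.
KEY_PORT_22 = "AAAAconstructedKeyForPort22"
KEY_PORT_10022 = "AAAAconstructedKeyForPort10022"
KNOWN_HOSTS = f"""\
# constructed known_hosts content
localhost ssh-rsa {KEY_PORT_22}
[localhost]:10022 ssh-rsa {KEY_PORT_10022}
"""

def host_token(host, port):
    """OpenSSH stores port 22 as 'host' and any other port as '[host]:port'."""
    return host if port in (None, 22) else f"[{host}]:{port}"

def hash_token(token, salt):
    """Hashed host field (HashKnownHosts): |1|b64(salt)|b64(HMAC-SHA1(salt, token))."""
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def name_matches(pattern, token):
    """Compare one host-field entry, plain or hashed, with the lookup token."""
    if pattern.startswith("|1|"):
        parts = pattern.split("|")
        return len(parts) == 4 and pattern == hash_token(token, base64.b64decode(parts[2]))
    return pattern == token

def check_known_host(text, host, port, keytype, key):
    """Return 'match', 'mismatch' or 'notfound'; port=None models a port-blind lookup."""
    token, verdict = host_token(host, port), "notfound"
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank lines, comments, @cert-authority/@revoked markers
        names, ktype, kdata = fields[:3]
        if ktype != keytype or not any(name_matches(n, token) for n in names.split(",")):
            continue
        if kdata == key:
            return "match"
        verdict = "mismatch"  # same name and key type, but a different key
    return verdict

if __name__ == "__main__":
    # The server on port 10022 presents KEY_PORT_10022 in both lookups.
    print(check_known_host(KNOWN_HOSTS, "localhost", None, "ssh-rsa", KEY_PORT_10022))
    print(check_known_host(KNOWN_HOSTS, "localhost", 10022, "ssh-rsa", KEY_PORT_10022))
```

The port-blind lookup compares the port-10022 server's key with the entry recorded for port 22 and reports a mismatch, while the port-aware lookup finds the `[localhost]:10022` entry.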