SFTP rsa-sha2-256, rsa-sha2-512 key exchange issue #10143
Comments
The question is probably what the condition should be for using the updated string? Can we detect its presence in a better way than checking for the libssh2 version?
The string with methods is used in a call to libssh2_session_method_pref() which removes all unsupported methods.
@norbertmm you up for writing a PR for this perhaps?
never done this ...
As is supported by recent libssh2, but should just be ignored by older versions.
Reported-by: norbertmm on github
Fixes #10143
@norbertmm Is #10145 what you had in mind? I admit I have not really read up on the subtleties involved here.
@bagder Yes, that's right.
Compiled and linked curl against the current libssh2 GitHub master dev branch in order to get the rsa-sha2-256 and rsa-sha2-512 server-key-exchange methods.
The first SSH server connect works fine; the server key gets saved to the local ssh known-hosts file. Subsequent connects always fail because curl only offers "ssh-rsa" to the server, not "rsa-sha2-256" and "rsa-sha2-512" anymore.
Could fix the issue with a little change to /lib/vssh/libssh2.c:
In ssh_force_knownhost_key_type()
static const char * const hostkey_method_ssh_rsa = "rsa-sha2-256,rsa-sha2-512,ssh-rsa";
instead of
static const char * const hostkey_method_ssh_rsa = "ssh-rsa";
This is the debug output when SFTP/SSH connect fails:
* Connected to 10.45.120.110 (10.45.120.110) port 22 (#0)
* Found host 10.45.120.110 in my_ssh_known_hosts.txt
* Set "ssh-rsa" as SSH hostkey type
* Failure establishing ssh session: -5, Unable to exchange encryption keys
* Closing connection 0
I think as soon as a new libssh2 release is available (1.11.0), someone needs to address this issue in order to get rsa-sha2-256 and rsa-sha2-512. The old ssh-rsa (SHA1) is disabled within OpenSSH since version 8.8, 2021-09-26.
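To see why pinning the host-key method to "ssh-rsa" breaks against an OpenSSH 8.8+ server while the longer preference string stays harmless on an older libssh2, here is an added model (not curl or libssh2 code) of the three steps involved: reading the key type from a known_hosts entry, the filtering libssh2_session_method_pref() performs, and standard SSH algorithm negotiation. The known_hosts line, the method lists and the two preference tables are constructed assumptions for the example.

```python
# Constructed model of curl's ssh_force_knownhost_key_type() behaviour for RSA
# host keys, libssh2_session_method_pref() filtering and SSH algorithm choice.

# known_hosts records an RSA key as "ssh-rsa" regardless of which signature
# algorithm (SHA-1 "ssh-rsa" or SHA-2 "rsa-sha2-*") is later negotiated.
PREF_BEFORE = {"ssh-rsa": "ssh-rsa"}                                  # pins SHA-1
PREF_AFTER = {"ssh-rsa": "rsa-sha2-256,rsa-sha2-512,ssh-rsa"}         # proposed fix

# Assumed method lists (constructed): ssh-rsa is off by default in OpenSSH >= 8.8.
OLD_LIBSSH2 = ["ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ssh-ed25519"]
NEW_LIBSSH2 = ["rsa-sha2-512", "rsa-sha2-256"] + OLD_LIBSSH2
OPENSSH_88 = ["rsa-sha2-512", "rsa-sha2-256", "ecdsa-sha2-nistp256", "ssh-ed25519"]
LEGACY_SERVER = ["ssh-rsa", "ecdsa-sha2-nistp256"]

# Constructed known_hosts content (plain, not hashed, entries).
KNOWN_HOSTS = "10.45.120.110 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB...constructed\n"


def known_host_key_type(known_hosts, host):
    """Key type recorded for `host` (second field of a plain known_hosts entry)."""
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and host in fields[0].split(","):
            return fields[1]
    return None


def method_pref(supported, pref):
    """Model of libssh2_session_method_pref(): keep only methods the library
    supports, in the caller's preference order. An empty result means the
    call fails; a non-empty one is what gets offered in KEXINIT."""
    return [m for m in pref.split(",") if m in supported]


def negotiate(client_offer, server_offer):
    """RFC 4253 7.1: first client-preferred algorithm the server also lists."""
    for m in client_offer:
        if m in server_offer:
            return m
    return None


def outcome(pref_table, libssh2_methods, server_methods, host="10.45.120.110"):
    """Host-key method curl ends up using, or None for 'Unable to exchange encryption keys'."""
    key_type = known_host_key_type(KNOWN_HOSTS, host)
    offer = method_pref(libssh2_methods, pref_table[key_type])
    return negotiate(offer, server_methods)
```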