Compiled and linked curl against the current libssh2 GitHub master dev branch in order to get the rsa-sha2-256 and rsa-sha2-512 server-key-exchange methods.
The first SSH server connect works fine, and the server key gets saved to the local SSH known-hosts file. Subsequent connects always fail because curl only offers "ssh-rsa" to the server, not "rsa-sha2-256" and "rsa-sha2-512" anymore.
Could fix the issue with a little change to /lib/vssh/libssh2.c:
In ssh_force_knownhost_key_type(), use
static const char * const hostkey_method_ssh_rsa = "rsa-sha2-256,rsa-sha2-512,ssh-rsa";
instead of
static const char * const hostkey_method_ssh_rsa = "ssh-rsa";
This is the debug output when the SFTP/SSH connect fails:
* Connected to 10.45.120.110 (10.45.120.110) port 22 (#0)
* Found host 10.45.120.110 in my_ssh_known_hosts.txt
* Set "ssh-rsa" as SSH hostkey type
* Failure establishing ssh session: -5, Unable to exchange encryption keys
* Closing connection 0
I think as soon as a new libssh2 release is available (1.11.0), someone needs to address this issue in order to get rsa-sha2-256 and rsa-sha2-512. The old ssh-rsa (SHA1) has been disabled in OpenSSH since version 8.8, 2021-09-26.
The string with methods is used in a call to libssh2_session_method_pref() which removes all unsupported methods.
First I thought it would be necessary to detect which of the three methods to use/prefer (by stored key length or so) -- but it turned out not to be necessary. It just works magically.
If you have, for example, an rsa-sha2-512 key locally stored, you might call libssh2_session_method_pref("rsa-sha2-256") and it works. No idea why.
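An added illustration of why the single-entry "ssh-rsa" list fails against a server that no longer offers SHA-1 host-key signatures, and why the three-entry list works. This is not curl's or libssh2's code: it models the RFC 4253 rule that the first client-preferred host-key algorithm the server also lists wins; the function names and the server's algorithm list are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Preference list curl forces when the known-hosts file holds an RSA key:
 * the original single entry and the three-entry list proposed above. */
#define PREF_SSH_RSA_OLD "ssh-rsa"
#define PREF_SSH_RSA_NEW "rsa-sha2-256,rsa-sha2-512,ssh-rsa"

/* Nonzero if the n-byte 'name' appears as one entry of comma-separated 'list'. */
static int list_contains(const char *list, const char *name, size_t n)
{
    const char *p = list;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && memcmp(p, name, n) == 0)
            return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Model of host-key negotiation (RFC 4253 section 7.1): the first entry of
 * client_pref that server_offer also lists is chosen. Copies the winner
 * into out and returns 1; returns 0 when there is no common method, which
 * is the "Unable to exchange encryption keys" case seen in the issue. */
int negotiate_hostkey(const char *client_pref, const char *server_offer,
                      char *out, size_t outlen)
{
    const char *p = client_pref;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len < outlen && list_contains(server_offer, p, len)) {
            memcpy(out, p, len);
            out[len] = '\0';
            return 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed server list: RSA only via rsa-sha2-*, no ssh-rsa (as with
     * OpenSSH 8.8+ defaults), plus an Ed25519 key that is not in known_hosts. */
    const char *server = "rsa-sha2-512,rsa-sha2-256,ssh-ed25519";
    char chosen[64];
    printf("old pref -> %s\n", negotiate_hostkey(PREF_SSH_RSA_OLD, server, chosen, sizeof chosen) ? chosen : "no common method");
    printf("new pref -> %s\n", negotiate_hostkey(PREF_SSH_RSA_NEW, server, chosen, sizeof chosen) ? chosen : "no common method");
    return 0;
}
```

The order of the client list decides which rsa-sha2-* variant is selected, which matches the observation above that either preference works as long as the server lists it.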
@bagder Yes, that's right.
Perhaps it should be mentioned that this fix is required to make the CURLOPT_SSH_KNOWNHOSTS option work -- which is of course a good idea. Practically every SSH client uses such a 'known-hosts file' mechanism. Otherwise you would have no server validation at all.