
curl with SFTP fails to verify ECDSA keys present in known hosts files #5252

Closed
ansasaki opened this issue Apr 17, 2020 · 0 comments

@ansasaki (Contributor)

Initially reported in https://bugzilla.redhat.com/show_bug.cgi?id=1824926

When the server uses an ECDSA key, curl fails to verify its entry in the known hosts file when accessing using SFTP.

Using RSA, ED25519, or DSA keys, no error is generated and the download is successful.

I did this

In Fedora 32, using curl-7.69.1-1.fc32.x86_64

  1. Create an ECDSA key pair for the SSH server:
     # ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
  2. Authorize the user key to access the SSH server (assuming the user has an RSA key):
     $ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
  3. Add the entry to the known_hosts file:
     $ echo "localhost $(cat "/etc/ssh/ssh_host_ecdsa_key.pub")" >> ~/.ssh/known_hosts   # double quotes so $(...) expands to the key
  4. Create a file to download:
     $ dd if=/dev/zero of=~/testfile bs=1M count=1
  5. Restart SSH server:
     $ systemctl restart sshd
  6. Download using curl and SFTP:
     $ curl -o ./sftp_file -u testuser: --key ~/.ssh/id_rsa \
         --pubkey ~/.ssh/id_rsa.pub sftp://localhost/home/$(whoami)/testfile

Then I get the following error:

curl: (60) SSL peer certificate or SSH remote key was not OK

I expected the following

No errors and the file is successfully downloaded

curl/libcurl version

[curl -V output]

curl 7.69.1 (x86_64-redhat-linux-gnu) libcurl/7.69.1 OpenSSL/1.1.1d-fips zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0
Release-Date: 2020-03-11
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

operating system

Linux fedora32 5.6.2-301.fc32.x86_64 #1 SMP Tue Apr 7 18:23:18 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
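The check that an SFTP client has to perform against known_hosts before trusting the server, written out as an added example that is not part of this issue and not curl's or libssh's own code: parse the file (plain and comma-separated hostnames, OpenSSH `|1|` hashed hostnames, `@revoked` markers), confirm that the declared key type matches the type string embedded in the key blob, and report whether the presented host key is known, changed, or unknown. It goes beyond the report by also covering hashed entries and an RSA line. The host names, the 20-byte salt and both key blobs are constructed filler with the right wire layout, not real keys; `is_known`, `fingerprint_sha256` and the other names are this example's own.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int):
    """Decode one RFC 4251 'string' at offset; returns (bytes, next_offset)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


# Constructed blobs: correct structure (type, curve / exponent, filler point or
# modulus) but NOT real keys. A real one comes from /etc/ssh/ssh_host_*_key.pub.
ECDSA_BLOB = (_ssh_string(b"ecdsa-sha2-nistp256")
              + _ssh_string(b"nistp256")
              + _ssh_string(b"\x04" + b"\x11" * 64))
RSA_BLOB = (_ssh_string(b"ssh-rsa")
            + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00" + b"\x22" * 256))
ECDSA_B64 = base64.b64encode(ECDSA_BLOB).decode()
RSA_B64 = base64.b64encode(RSA_BLOB).decode()


def hash_hostname(hostname: str, salt: bytes) -> str:
    """OpenSSH HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint in the format ssh-keygen -lf prints: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_type(blob: bytes) -> str:
    """Key-type string embedded in the blob; it must equal the declared type."""
    name, _ = _read_ssh_string(blob, 0)
    return name.decode()


def parse_known_hosts(text: str):
    """Yield (marker, host_field, keytype, blob); lines that are not a key are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):                 # @cert-authority / @revoked
            marker, line = line.split(None, 1)
        fields = line.split(None, 3)
        if len(fields) < 3:
            continue
        try:
            blob = base64.b64decode(fields[2], validate=True)
        except ValueError:                       # e.g. a literal "$(cat ...)" left by bad quoting
            continue
        entries.append((marker, fields[0], fields[1], blob))
    return entries


def host_matches(host_field: str, hostname: str) -> bool:
    """Plain entries are comma-separated names; hashed ones are compared via HMAC."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|", 3)
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")


def is_known(text: str, hostname: str, keytype: str, blob: bytes) -> str:
    """'ok' if host+type+blob is listed, 'changed' if the host has another key of
    that type, 'unknown' otherwise. Revoked and type-mismatched lines never match."""
    result = "unknown"
    for marker, hosts, ktype, known_blob in parse_known_hosts(text):
        if marker == "@revoked" or not host_matches(hosts, hostname):
            continue
        if ktype != keytype or blob_type(known_blob) != ktype:
            continue
        if known_blob == blob:
            return "ok"
        result = "changed"
    return result


# Constructed sample file: the last line is what single-quoting the echo in the
# reproduction steps writes, and it is skipped because its key field is not base64.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, filler keys",
    "localhost,127.0.0.1 ssh-rsa " + RSA_B64,
    "localhost ecdsa-sha2-nistp256 " + ECDSA_B64,
    hash_hostname("sftp.example.test", b"salt-for-example-20b") + " ecdsa-sha2-nistp256 " + ECDSA_B64,
    'localhost $(cat "/etc/ssh/ssh_host_ecdsa_key.pub")',
])

if __name__ == "__main__":
    for host, ktype, blob in [("localhost", "ecdsa-sha2-nistp256", ECDSA_BLOB),
                              ("127.0.0.1", "ecdsa-sha2-nistp256", ECDSA_BLOB),
                              ("sftp.example.test", "ecdsa-sha2-nistp256", ECDSA_BLOB)]:
        print(host, ktype, fingerprint_sha256(blob), is_known(SAMPLE_KNOWN_HOSTS, host, ktype, blob))
```

Two details matter in practice: an entry only counts when the key type written on the line (for ECDSA, `ecdsa-sha2-nistp256`, not `ecdsa`) equals the type string inside the blob, and an entry whose key field is not base64 is silently ignored, so a hand-written line should be checked with `ssh-keygen -F localhost -f ~/.ssh/known_hosts` before blaming the client.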