Bug 1019222

Summary: Re-enable elliptic curve cryptography (ecc) in openssh
Product: [Fedora] Fedora
Component: openssh
Version: 19
Hardware: Unspecified
OS: Linux
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Scott Schmit <i.grok>
Assignee: Petr Lautrbach <plautrba>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: cesarb, emaldona, fschwarz, julio, jv+fedora, kengert, kenny, lnie, mattias.ellert, mgrepl, plautrba, rrelyea, sergio.pasra, sgraf, tcallawa, thomas, tmraz
Doc Type: Bug Fix
Type: Bug
Clone Of: 1019216
: 1022904
Last Closed: 2014-01-07 09:54:35 UTC
Bug Depends On: 1023945
Bug Blocks: 1019390
Attachments: Patch to sshd-keygen to generate ECDSA keys (flags: none)

Description Scott Schmit 2013-10-15 10:20:58 UTC
Created attachment 812415: Patch to sshd-keygen to generate ECDSA keys

Description of problem:
The current version of the openssh package does not support elliptic curve cryptography algorithms. Support is available upstream.

Version-Release number of selected component (if applicable):
openssh-6.2p2-5.fc19.x86_64

How reproducible:
100%

Steps to Reproduce:
1. ssh-keygen -t ecdsa

Actual results:
ECC key generation works

Expected results:
ECC key generation does not work

Additional info:
openssl has now been allowed to re-enable ECC: Bug 319901

For the most part, openssh simply needs to be rebuilt against a version of openssl with ECC enabled, but there are currently a few other issues:
* Host key generation doesn't include generation of ecdsa keys
* openssh doesn't build with openssh-6.2p1-fips.patch and openssh-6.2p1-ctr-cavstest.patch

I don't mean to exclude other versions of Fedora, but F19 is what I use, and I'm not sure of the nss version in F18, etc.
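The two points in the report (whether the installed build can create ECDSA keys at all, and whether host key generation covers them) can be checked together. The sketch below is an added example, not the attached sshd-keygen patch or any Fedora script; the `KEYGEN` override and the directory argument are assumptions made so it can be exercised outside `/etc/ssh`.

```shell
#!/bin/sh
# Added example (not the attached patch): make sure an ECDSA host key exists.
# KEYGEN is an assumed override hook; it defaults to the real ssh-keygen.
KEYGEN="${KEYGEN:-ssh-keygen}"

# Probe the build: on a package compiled without ECC, "ssh-keygen -t ecdsa"
# fails, so generate a throwaway key in a temp dir and report the outcome.
ecdsa_supported() {
    tmp=$(mktemp -d) || return 2
    if "$KEYGEN" -q -t ecdsa -N '' -f "$tmp/probe" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage: ensure_ecdsa_host_key /etc/ssh
# Prints one of: present | generated | unsupported | failed
ensure_ecdsa_host_key() {
    dir=$1
    key="$dir/ssh_host_ecdsa_key"
    # A non-empty private key is left alone; regenerating it would change
    # the host's identity and trigger warnings on every client.
    if [ -s "$key" ]; then
        echo present
        return 0
    fi
    if ! ecdsa_supported; then
        echo unsupported
        return 1
    fi
    # Remove empty leftovers so ssh-keygen does not stop at an overwrite prompt.
    rm -f "$key" "$key.pub"
    if "$KEYGEN" -q -t ecdsa -N '' -f "$key" >/dev/null 2>&1; then
        chmod 600 "$key"      # private key readable by owner only
        chmod 644 "$key.pub"
        echo generated
        return 0
    fi
    echo failed
    return 1
}
```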

Comment 1 Fedora Update System 2013-10-25 11:29:22 UTC
openssh-6.3p1-3.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/openssh-6.3p1-3.fc20

Comment 2 lnie 2013-10-28 06:32:45 UTC
Seems fine with openssh-6.3p1-3.fc20.

Comment 3 Sergio Pascual 2013-10-28 12:14:48 UTC
Hostkey creation is missing (see dependent bug)

Comment 4 Fedora Update System 2013-11-10 08:07:44 UTC
openssh-6.3p1-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Scott Shambarger 2013-11-15 15:25:35 UTC
Is it possible to get a build for F19? (as this bug is assigned to it :)

Comment 6 Fedora Update System 2013-11-18 13:30:48 UTC
openssh-6.2p2-6.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/openssh-6.2p2-6.fc19

Comment 7 Fedora Update System 2013-11-18 15:25:59 UTC
openssh-6.1p1-10.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/openssh-6.1p1-10.fc18

Comment 8 Fedora Update System 2013-11-19 05:27:28 UTC
openssh-6.2p2-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Julio Merino 2013-11-26 14:50:59 UTC
In f20, I was unable to SSH to NetBSD hosts due to their keys using ECDSA.  With this update, the problem is gone for me.

Comment 10 Fedora Update System 2013-12-09 02:03:20 UTC
openssh-6.1p1-10.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.