Bug 1028733

Summary: Cannot use ECDSA private key to log in on remote SSH server
Product: [Fedora] Fedora Reporter: bugs
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: kenny, mattias.ellert, mgrepl, plautrba, tmraz, vinschen
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: openssl-1.0.1e-31.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-20 21:41:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description bugs 2013-11-10 09:18:01 UTC 
Description of problem:

Version-Release number of selected component (if applicable):

    Name        : openssh-clients
    Arch        : x86_64
    Version     : 6.3p1
    Release     : 5.fc20

Steps to Reproduce:

1. generate an ECDSA key ~/.ssh/id_ecdsa and deploy the public key to my-server.net
2. try to log in: ssh -vvv -i ~/.ssh/id_ecdsa my-server.net
3. observe failure.

Actual results:

The following error is printed:

    key_from_blob: EC_KEY_new_by_curve_name failed

Expected results:

    Remote shell prompt.    


Additional info:

The remote server runs OpenSSH 6.0.  The problem did not exist in fc19.
The private key begins with "ecdsa-sha2-nistp521".
Comment 1 Tomas Mraz 2013-11-11 10:18:00 UTC 
Please try openssl-1.0.1e-31.fc20 from koji.
http://koji.fedoraproject.org/koji/buildinfo?buildID=477534
Comment 2 bugs 2013-11-11 13:29:39 UTC 
Thank you.  The problem disappeared after installing openssl-1.0.1e-31.fc20 (+ dependencies) from koji.
Comment 3 Corinna Vinschen 2013-11-12 10:42:48 UTC 
Hi guys,

It would be nice to get -31 out soon for F18 and F19 as well.  Without
this change, there's no chance to use openssh ECDSA keys at all, using
the official packages.

Along the same lines, it would be nice to get new openssh builds
for F18 and F19 as well.  Both latest openssh packages still don't
allow to use ECDSA keys, even though their latest openssl build does.


Thanks very much for your efforts,
Corinna
Comment 4 Tomas Mraz 2013-11-12 11:14:58 UTC 
IMHO if you generate key with different curve than the ecdsa-sha2-nistp521, it should work. You can use ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 instead.
Comment 5 Corinna Vinschen 2013-11-12 11:34:57 UTC 
Which is not helpful, unfortunately, when already using and sharing
an ecdsa-sha2-nistp521 key between various machines, some of them
non-Fedora and perfectly capable of using 521 bit keys.


Thanks,
Corinna