Bug 1260742
| Summary: | curl requires public ssh key file [RHEL-6] | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Marek Mahut <mmahut> | |
| Component: | curl | Assignee: | Kamil Dudka <kdudka> | |
| Status: | CLOSED ERRATA | QA Contact: | Karel Srot <ksrot> | |
| Severity: | medium | Docs Contact: | Petr Bokoc <pbokoc> | |
| Priority: | medium | |||
| Version: | 6.7 | CC: | jfilak, kdudka, nobody+abrt-devel-list, ovasik, pbokoc | |
| Target Milestone: | rc | Keywords: | Patch | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | curl-7.19.7-51.el6 | Doc Type: | Bug Fix | |
| Doc Text: |
*curl* no longer requires both private and public SSH keys
Previously, the *curl* tool required both a private and a public SSH key for user authentication. If you only provided a private SSH key, which is common when using certain tools such as *scp*, user authentication failed. An upstream patch has been applied to the *curl* source code to improve SSH user authentication so that the public key does not need to be specified, and *curl* can now authenticate using only a private SSH key.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1275769 (view as bug list) | Environment: | ||
| Last Closed: | 2016-05-11 00:36:18 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1275769 | |||
| Bug Blocks: | 1261120 | |||
It looks like curl tries really hard to set the path to the public key and I am afraid that it is not possible to prevent libcurl from doing so:

curl-7.19.7/lib/ssh.c

```c
home = curl_getenv("HOME");
if(data->set.str[STRING_SSH_PUBLIC_KEY])
  sshc->rsa_pub = aprintf("%s", data->set.str[STRING_SSH_PUBLIC_KEY]);
else if(home)
  sshc->rsa_pub = aprintf("%s/.ssh/id_dsa.pub", home);
else
  /* as a final resort, try current dir! */
  sshc->rsa_pub = strdup("id_dsa.pub");
```

libreport does not explicitly specify the public key path, so libcurl should not use it:

curl-7.45.0/lib/ssh.c

```c
if(data->set.str[STRING_SSH_PUBLIC_KEY]) {
  sshc->rsa_pub = strdup(data->set.str[STRING_SSH_PUBLIC_KEY]);
  if(!sshc->rsa_pub)
    out_of_memory = TRUE;
}
```
We need the following upstream patch, which is not yet included in RHEL-7:

https://github.com/bagder/curl/commit/curl-7_38_0-47-gfa7d04f

On RHEL-6, we will need also the following upstream commit:

https://github.com/bagder/curl/commit/curl-7_25_0-31-g05a443a

(In reply to Kamil Dudka from comment #11)
> (In reply to Karel Srot from comment #10)
> > Also,
> > with curl-7.19.7-46.el6 the connection works when scp/sftp --pubkey
> > parameter is omitted. It doesn't work if I pass --pubkey '' instead. I guess
> > this is expected but a confirmation would be appreciated.
>
> Good point. It does not seem to work as documented:
>
> CURLOPT_SSH_PUBLIC_KEYFILE
> Pass a char * pointing to a file name for your public key. If not used,
> libcurl defaults to using ~/.ssh/id_dsa.pub. (Added in 7.16.1)
> If an empty string is passed, libcurl will pass no public key to libssh2
> which then tries to compute it from the private key, this is known to
> work when libssh2 1.4.0+ is linked against OpenSSL. (Added in 7.25.1)
>
> Surprisingly, it works the same way in the latest upstream. I will ask them
> whether to update the implementation, or the documentation ... but I would
> rather choose the documentation update for RHEL anyway.

I have notified upstream about this and asked them how they prefer to solve it:

http://thread.gmane.org/gmane.comp.web.curl.library/46793

(In reply to Kamil Dudka from comment #12)
> > ... but I would rather choose the documentation update for RHEL anyway.

Actually, I will rather fix it also in RHEL-6 to make the behavior closer to what we currently have in RHEL-7.

> http://thread.gmane.org/gmane.comp.web.curl.library/46793

upstream commit:

https://github.com/bagder/curl/commit/be538e07

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0915.html
Description of problem:

When using libreport-plugin-reportuploader, looks like CURL requires the public SSH key even if there is no need for it.

Version-Release number of selected component (if applicable):

libreport-plugin-reportuploader-2.0.9-24.el6.x86_64

How reproducible:

Steps to Reproduce:

1. Configure libreport-plugin-reportuploader to scp dumps with ssh keys
2. Configure only the private key
3. Kaboom

Actual results:

```
Locked '.lock'
Compressing data
Unlocked '/var/spool/abrt/ccpp-2015-09-07-11:03:58-234464/.lock'
Sending /tmp/ccpp-2015-09-07-11:03:58-234464.tar.gz to use-abrt1.ops.rhcloud.com/var/spool/abrt-upload/
abrt_post('scp://abrt_upload.rhcloud.com/var/spool/abrt-upload/ccpp-2015-09-07-11:03:58-234464.tar.gz','/tmp/ccpp-2015-09-07-11:03:58-234464.tar.gz')
curl: About to connect() to use-abrt1.ops.rhcloud.com port 22 (#0)
curl: Trying 172.16.66.102...
curl: connected
curl: Connected to use-abrt1.ops.rhcloud.com (172.16.66.102) port 22 (#0)
curl: SSH MD5 fingerprint: 5ffc40458bdae829212e0a1f6e91fdd4
curl: SSH authentication methods available: publickey,gssapi-keyex,gssapi-with-mic
curl: Using ssh public key file /root/.ssh/id_dsa.pub
curl: Using ssh private key file /root/.ssh/id_dsa
curl: SSH public key authentication failed: Unable to open public key file
curl: Authentication failure
curl: Closing connection #0
curl_easy_perform: error 67
curl_easy_perform: error_msg: curl_easy_perform: Login denied
Error while uploading: 'curl_easy_perform: Login denied'
```

Expected results:

The upload should be done even without the public key.
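
The comments above turn on which public key path libcurl ends up with when the option is unset, set to a path, or set to an empty string. The following is an added example, a simplified model and not curl's own code: it implements the two quoted `lib/ssh.c` excerpts and the empty-string rule from the quoted CURLOPT_SSH_PUBLIC_KEYFILE text side by side. The function names are hypothetical and the inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char *dup_str(const char *s)
{
  char *p = malloc(strlen(s) + 1);
  return p ? strcpy(p, s) : NULL;
}

/* Model of the curl-7.19.7 excerpt: some path is always chosen. */
char *pubkey_path_7_19_7(const char *opt, const char *home)
{
  char *p;
  size_t n;
  if(opt)
    return dup_str(opt);
  if(!home)
    return dup_str("id_dsa.pub");          /* current directory */
  n = strlen(home) + sizeof("/.ssh/id_dsa.pub");
  p = malloc(n);
  if(p)
    snprintf(p, n, "%s/.ssh/id_dsa.pub", home);
  return p;
}

/* Model of the curl-7.45.0 excerpt: NULL unless the option is set. */
char *pubkey_path_7_45_0(const char *opt)
{
  return opt ? dup_str(opt) : NULL;
}

/* Assumed variant: the quoted documentation's rule that "" means no key. */
char *pubkey_path_empty_is_none(const char *opt)
{
  return (opt && opt[0]) ? dup_str(opt) : NULL;
}

int main(void)
{
  char *a = pubkey_path_7_19_7(NULL, "/root");   /* constructed inputs */
  char *b = pubkey_path_7_45_0("");
  char *c = pubkey_path_empty_is_none("");
  printf("7.19.7, option unset: %s\n", a ? a : "(none)");
  printf("7.45.0, option \"\":    [%s]\n", b ? b : "(none)");
  printf("variant, option \"\":   %s\n", c ? c : "(none)");
  free(a); free(b); free(c);
  return 0;
}
```

With the option unset, the 7.19.7 model yields `/root/.ssh/id_dsa.pub`, the path seen in the failing log, while the 7.45.0 model keeps an empty string as a path instead of dropping the public key.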