Bug 1824926

Summary: curl with SFTP fails to verify known hosts entry for ECDSA keys
Product: Fedora
Reporter: Anderson Sasaki <ansasaki>
Component: curl
Assignee: Kamil Dudka <kdudka>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 32
CC: john.j5live, kdudka, msekleta, paul, svashisht
Target Milestone: ---
Target Release: ---
Keywords: Patch
Hardware: Unspecified
OS: Unspecified
Fixed In Version: curl-7.69.1-3.fc33 curl-7.69.1-3.fc32
Doc Type: If docs needed, set a value
Last Closed: 2020-04-28 02:30:52 UTC
Type: Bug

Description Anderson Sasaki 2020-04-16 16:47:08 UTC
Description of problem:
When the server uses an ECDSA key, curl fails to verify its entry in the known_hosts file when accessing the server over SFTP.

Version-Release number of selected component (if applicable):
curl-7.69.1-1.f32

How reproducible:
100%

Steps to Reproduce:

1. Create an ECDSA key pair for the SSH server:

# ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''

2. Authorize the user key to access the SSH server (assuming the user has an RSA key):

$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

3. Add the entry to the known_hosts file

$ echo "localhost $(cat /etc/ssh/ssh_host_ecdsa_key.pub)" >> ~/.ssh/known_hosts

4. Create a file to download:

$ dd if=/dev/zero of=~/testfile bs=1M count=1

5. Restart SSH server

$ systemctl restart sshd

6. Download using curl and SFTP

$ curl -o ./sftp_file -u testuser: --key ~/.ssh/id_rsa \
  --pubkey ~/.ssh/id_rsa.pub sftp://localhost/home/$(whoami)/testfile

Actual results:
curl: (60) SSL peer certificate or SSH remote key was not OK

Expected results:
No errors and the file is downloaded correctly.

Additional info:
With RSA, ED25519, or DSA keys, no error is generated and the download is successful.
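
The check that fails in step 6 is a known_hosts lookup: the client takes the host key the server presented during the SSH handshake (its type token plus the base64 key blob) and looks for an entry for that host with the same type token and the same blob. The example below is added to this page as an illustration; it is not taken from the bug report, from curl, or from libssh2. It implements that lookup over constructed known_hosts text, including the hashed "|1|salt|hmac" host form that ssh-keygen -H writes, and accepts the full set of OpenSSH key-type tokens (ssh-rsa, ssh-dss, ssh-ed25519 and the three ecdsa-sha2-nistp* curves). The page does not state curl's root cause; the LEGACY_TYPES set and all function names are this example's own, used to show how a key-type table that lacks ecdsa-sha2-nistp256 turns a perfectly good entry into "not found", which is one way a client ends up refusing the host. The sample key blobs have the right framing but are not real keys.

```python
"""Minimal OpenSSH known_hosts matcher (illustration only, not curl's or libssh2's code)."""
import base64
import hashlib
import hmac
import struct

# Key-type tokens OpenSSH writes in column 2 of known_hosts (RFC 4253, RFC 5656, RFC 8709).
KEY_TYPES = frozenset({
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
})
# Hypothetical client that only knows the two original key types; used below to show the failure mode.
LEGACY_TYPES = frozenset({"ssh-rsa", "ssh-dss"})


def ssh_string(b: bytes) -> bytes:
    """Encode one RFC 4253 'string' field: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_blob(key_type: str, *fields: bytes) -> bytes:
    """Build a public-key blob with the framing used after the type token in known_hosts:
    string key_type, then the type-specific fields. Constructed sample data, not a real key."""
    return ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in fields)


def blob_key_type(blob: bytes) -> str:
    """Read the key-type string that opens every SSH public-key blob."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("truncated key-type string")
    return blob[4:4 + n].decode("ascii")


def hashed_pattern(host: str, salt: bytes) -> str:
    """Produce the '|1|salt|hmac' form ssh-keygen -H writes: HMAC-SHA1 of the hostname keyed by the salt."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, host: str) -> bool:
    """Match column 1 of a known_hosts line: a hashed pattern or a comma-separated host list.
    OpenSSH wildcard and negation patterns are deliberately not supported here."""
    if pattern.startswith("|1|"):
        parts = pattern.split("|")
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        mac = base64.b64decode(parts[3])
        return hmac.compare_digest(hmac.new(salt, host.encode(), hashlib.sha1).digest(), mac)
    return host in pattern.split(",")


def check_known_host(known_hosts: str, host: str, key_type: str, key_blob: bytes,
                     accepted_types=KEY_TYPES) -> str:
    """Look a presented host key up in known_hosts text.
    Returns 'match', 'mismatch' (same host and key type but a different key: the dangerous case),
    or 'notfound' (no usable entry), the three outcomes a client must distinguish."""
    same_type_seen = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        pattern, ktype, kb64 = fields[0], fields[1], fields[2]
        if ktype not in accepted_types:
            continue  # unknown type token: this client cannot use the entry at all
        if not host_matches(pattern, host):
            continue
        try:
            blob = base64.b64decode(kb64, validate=True)
            if blob_key_type(blob) != ktype:
                continue  # column 2 disagrees with the blob: treat the entry as malformed
        except (ValueError, UnicodeDecodeError):
            continue
        if ktype != key_type:
            continue  # an entry for another key type says nothing about this key
        if hmac.compare_digest(blob, key_blob):
            return "match"
        same_type_seen = True
    return "mismatch" if same_type_seen else "notfound"


# Constructed sample data: blobs with correct framing, not real keys; one plain and one hashed host line.
ECDSA_BLOB = make_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x11" * 64)
RSA_BLOB = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x7f" * 32)
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "localhost ecdsa-sha2-nistp256 %s" % base64.b64encode(ECDSA_BLOB).decode(),
    "%s ssh-rsa %s" % (hashed_pattern("localhost", b"\x01" * 20), base64.b64encode(RSA_BLOB).decode()),
])

if __name__ == "__main__":
    # Same entry, two clients: the full type table verifies it, the legacy table cannot find it.
    print(check_known_host(SAMPLE_KNOWN_HOSTS, "localhost", "ecdsa-sha2-nistp256", ECDSA_BLOB))
    print(check_known_host(SAMPLE_KNOWN_HOSTS, "localhost", "ecdsa-sha2-nistp256", ECDSA_BLOB, LEGACY_TYPES))
```

Running the block prints "match" and then "notfound" for the same ECDSA entry; the only difference is which key-type tokens the client is willing to consider when it reads the file. The "mismatch" outcome is reserved for an entry of the same type with a different key, since that is the case that must never be silently downgraded to "unknown host".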

Comment 1 Kamil Dudka 2020-04-17 15:40:24 UTC
Anderson, thank you for creating the pull request upstream!

Comment 2 Kamil Dudka 2020-04-18 06:31:10 UTC
upstream commit: https://github.com/curl/curl/commit/14bf7eb6

Comment 3 Kamil Dudka 2020-04-20 09:48:47 UTC
dist-git commit: https://src.fedoraproject.org/rpms/curl/c/6a752013

Comment 4 Fedora Update System 2020-04-20 10:21:08 UTC
FEDORA-2020-e763186d31 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-e763186d31

Comment 5 Fedora Update System 2020-04-20 16:18:49 UTC
FEDORA-2020-e763186d31 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-e763186d31`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-e763186d31

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-04-28 02:30:52 UTC
FEDORA-2020-e763186d31 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.