Bug 1028733 - Cannot use ECDSA private key to log in on remote SSH server
Cannot use ECDSA private key to log in on remote SSH server
Product: Fedora
Classification: Fedora
Component: openssl (Show other bugs)
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-11-10 04:18 EST by bugs
Modified: 2013-12-20 16:41 EST (History)
6 users (show)

See Also:
Fixed In Version: openssl-1.0.1e-31.fc20
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-12-20 16:41:08 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description bugs 2013-11-10 04:18:01 EST
Description of problem:

Version-Release number of selected component (if applicable):

    Name        : openssh-clients
    Arch        : x86_64
    Version     : 6.3p1
    Release     : 5.fc20

Steps to Reproduce:

1. generate an ECDSA key ~/.ssh/id_ecdsa and deploy the public key to my-server.net
2. try to log in: ssh -vvv -i ~/.ssh/id_ecdsa my-server.net
3. observe failure.

Actual results:

The following error is printed:

    key_from_blob: EC_KEY_new_by_curve_name failed

Expected results:

    Remote shell prompt.    

Additional info:

The remote server runs OpenSSH 6.0.  The problem did not exist in fc19.
The private key begins with "ecdsa-sha2-nistp521".
Comment 1 Tomas Mraz 2013-11-11 05:18:00 EST
Please try openssl-1.0.1e-31.fc20 from koji.
Comment 2 bugs 2013-11-11 08:29:39 EST
Thank you.  The problem disappeared after installing openssl-1.0.1e-31.fc20 (+ dependencies) from koji.
Comment 3 Corinna Vinschen 2013-11-12 05:42:48 EST
Hi guys,

It would be nice to get -31 out soon for F18 and F19 as well.  Without
this change, there's no chance to use openssh ECDSA keys at all, using
the official packages.

Along the same lines, it would be nice to get new openssh builds
for F18 and F19 as well.  Both latest openssh packages still don't
allow to use ECDSA keys, even though their latest openssl build does.

Thanks very much for your efforts,
Comment 4 Tomas Mraz 2013-11-12 06:14:58 EST
IMHO if you generate key with different curve than the ecdsa-sha2-nistp521, it should work. You can use ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 instead.
Comment 5 Corinna Vinschen 2013-11-12 06:34:57 EST
Which is not helpful, unfortunately, when already using and sharing
an ecdsa-sha2-nistp521 key between various machines, some of them
non-Fedora and perfectly capable of using 521 bit keys.


Note You need to log in before you can comment on or make changes to this bug.