Red Hat Bugzilla – Bug 1028733
Cannot use ECDSA private key to log in on remote SSH server
Last modified: 2013-12-20 16:41:08 EST
Description of problem:
Version-Release number of selected component (if applicable):
Name : openssh-clients
Arch : x86_64
Version : 6.3p1
Release : 5.fc20
Steps to Reproduce:
1. generate an ECDSA key ~/.ssh/id_ecdsa and deploy the public key to my-server.net
2. try to log in: ssh -vvv -i ~/.ssh/id_ecdsa my-server.net
3. observe failure.
The following error is printed:
key_from_blob: EC_KEY_new_by_curve_name failed
Remote shell prompt.
The remote server runs OpenSSH 6.0. The problem did not exist in fc19.
The private key begins with "ecdsa-sha2-nistp521".
Please try openssl-1.0.1e-31.fc20 from koji.
Thank you. The problem disappeared after installing openssl-1.0.1e-31.fc20 (+ dependencies) from koji.
It would be nice to get -31 out soon for F18 and F19 as well. Without
this change, there's no chance to use openssh ECDSA keys at all, using
the official packages.
Along the same lines, it would be nice to get new openssh builds
for F18 and F19 as well. Both latest openssh packages still don't
allow to use ECDSA keys, even though their latest openssl build does.
Thanks very much for your efforts,
IMHO if you generate key with different curve than the ecdsa-sha2-nistp521, it should work. You can use ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 instead.
Which is not helpful, unfortunately, when already using and sharing
an ecdsa-sha2-nistp521 key between various machines, some of them
non-Fedora and perfectly capable of using 521 bit keys.