Red Hat Bugzilla – Bug 1028733
Cannot use ECDSA private key to log in on remote SSH server
Last modified: 2013-12-20 16:41:08 EST
Description of problem: Version-Release number of selected component (if applicable): Name : openssh-clients Arch : x86_64 Version : 6.3p1 Release : 5.fc20 Steps to Reproduce: 1. generate an ECDSA key ~/.ssh/id_ecdsa and deploy the public key to my-server.net 2. try to log in: ssh -vvv -i ~/.ssh/id_ecdsa my-server.net 3. observe failure. Actual results: The following error is printed: key_from_blob: EC_KEY_new_by_curve_name failed Expected results: Remote shell prompt. Additional info: The remote server runs OpenSSH 6.0. The problem did not exist in fc19. The private key begins with "ecdsa-sha2-nistp521".
Please try openssl-1.0.1e-31.fc20 from koji. http://koji.fedoraproject.org/koji/buildinfo?buildID=477534
Thank you. The problem disappeared after installing openssl-1.0.1e-31.fc20 (+ dependencies) from koji.
Hi guys, It would be nice to get -31 out soon for F18 and F19 as well. Without this change, there's no chance to use openssh ECDSA keys at all, using the official packages. Along the same lines, it would be nice to get new openssh builds for F18 and F19 as well. Both latest openssh packages still don't allow to use ECDSA keys, even though their latest openssl build does. Thanks very much for your efforts, Corinna
IMHO if you generate key with different curve than the ecdsa-sha2-nistp521, it should work. You can use ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 instead.
Which is not helpful, unfortunately, when already using and sharing an ecdsa-sha2-nistp521 key between various machines, some of them non-Fedora and perfectly capable of using 521 bit keys. Thanks, Corinna