Bug 1028733 - Cannot use ECDSA private key to log in on remote SSH server
Summary: Cannot use ECDSA private key to log in on remote SSH server
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: 20
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-11-10 09:18 UTC by bugs
Modified: 2013-12-20 21:41 UTC (History)
6 users (show)

Fixed In Version: openssl-1.0.1e-31.fc20
Clone Of:
Environment:
Last Closed: 2013-12-20 21:41:08 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description bugs 2013-11-10 09:18:01 UTC
Description of problem:

Version-Release number of selected component (if applicable):

    Name        : openssh-clients
    Arch        : x86_64
    Version     : 6.3p1
    Release     : 5.fc20

Steps to Reproduce:

1. generate an ECDSA key ~/.ssh/id_ecdsa and deploy the public key to my-server.net
2. try to log in: ssh -vvv -i ~/.ssh/id_ecdsa my-server.net
3. observe failure.

Actual results:

The following error is printed:

    key_from_blob: EC_KEY_new_by_curve_name failed

Expected results:

    Remote shell prompt.    


Additional info:

The remote server runs OpenSSH 6.0.  The problem did not exist in fc19.
The private key begins with "ecdsa-sha2-nistp521".

Comment 1 Tomas Mraz 2013-11-11 10:18:00 UTC
Please try openssl-1.0.1e-31.fc20 from koji.
http://koji.fedoraproject.org/koji/buildinfo?buildID=477534

Comment 2 bugs 2013-11-11 13:29:39 UTC
Thank you.  The problem disappeared after installing openssl-1.0.1e-31.fc20 (+ dependencies) from koji.

Comment 3 Corinna Vinschen 2013-11-12 10:42:48 UTC
Hi guys,

It would be nice to get -31 out soon for F18 and F19 as well.  Without
this change, there's no chance to use openssh ECDSA keys at all, using
the official packages.

Along the same lines, it would be nice to get new openssh builds
for F18 and F19 as well.  Both latest openssh packages still don't
allow to use ECDSA keys, even though their latest openssl build does.


Thanks very much for your efforts,
Corinna

Comment 4 Tomas Mraz 2013-11-12 11:14:58 UTC
IMHO if you generate key with different curve than the ecdsa-sha2-nistp521, it should work. You can use ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 instead.

Comment 5 Corinna Vinschen 2013-11-12 11:34:57 UTC
Which is not helpful, unfortunately, when already using and sharing
an ecdsa-sha2-nistp521 key between various machines, some of them
non-Fedora and perfectly capable of using 521 bit keys.


Thanks,
Corinna


Note You need to log in before you can comment on or make changes to this bug.