Bug 1260742 - curl requires public ssh key file [RHEL-6]
curl requires public ssh key file [RHEL-6]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: curl (Show other bugs)
6.7
All Linux
medium Severity medium
: rc
: ---
Assigned To: Kamil Dudka
Karel Srot
Petr Bokoc
: Patch
Depends On: 1275769
Blocks: 1261120
  Show dependency treegraph
 
Reported: 2015-09-07 11:15 EDT by Marek Mahut
Modified: 2016-05-10 20:36 EDT (History)
5 users (show)

See Also:
Fixed In Version: curl-7.19.7-51.el6
Doc Type: Bug Fix
Doc Text:
*curl* no longer requires both private and public SSH keys Previously, the *curl* tool required a full pair of a private and a public SSH keys for user authentication. If you only provided a private SSH key, which is common when using certain tools such as *scp*, user authentication failed. An upstream patch has been applied on *curl* source code to improve SSH user authentication so that the public key does not need to be specified, and *curl* can now authenticate using only a private SSH key.
Story Points: ---
Clone Of:
: 1275769 (view as bug list)
Environment:
Last Closed: 2016-05-10 20:36:18 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0915 normal SHIPPED_LIVE curl bug fix update 2016-05-10 18:52:28 EDT

  None (edit)
Description Marek Mahut 2015-09-07 11:15:47 EDT
Description of problem:

When using libreport-plugin-reportuploader, looks like CURL requires the public SSH key even if there is no need for it.


Version-Release number of selected component (if applicable):

libreport-plugin-reportuploader-2.0.9-24.el6.x86_64

How reproducible:


Steps to Reproduce:
1. Configure libreport-plugin-reportuploader to scp dumps with ssh keys
2. Configure only the private key
3. Kaboom

Actual results:

Locked '.lock'
Compressing data
Unlocked '/var/spool/abrt/ccpp-2015-09-07-11:03:58-234464/.lock'
Sending /tmp/ccpp-2015-09-07-11:03:58-234464.tar.gz to use-abrt1.ops.rhcloud.com/var/spool/abrt-upload/
abrt_post('scp://abrt_upload@use-abrt1.ops.rhcloud.com/var/spool/abrt-upload/ccpp-2015-09-07-11:03:58-234464.tar.gz','/tmp/ccpp-2015-09-07-11:03:58-234464.tar.gz')
curl: About to connect() to use-abrt1.ops.rhcloud.com port 22 (#0)

curl:   Trying 172.16.66.102... 
curl: connected

curl: Connected to use-abrt1.ops.rhcloud.com (172.16.66.102) port 22 (#0)

curl: SSH MD5 fingerprint: 5ffc40458bdae829212e0a1f6e91fdd4

curl: SSH authentication methods available: publickey,gssapi-keyex,gssapi-with-mic

curl: Using ssh public key file /root/.ssh/id_dsa.pub

curl: Using ssh private key file /root/.ssh/id_dsa

curl: SSH public key authentication failed: Unable to open public key file

curl: Authentication failure

curl: Closing connection #0

curl_easy_perform: error 67
curl_easy_perform: error_msg: curl_easy_perform: Login denied
Error while uploading: 'curl_easy_perform: Login denied'


Expected results:

The upload should be done even without the public key.
Comment 2 Jakub Filak 2015-10-22 04:49:26 EDT
It looks like that curl tries really hard to set the path to public key and I am afraid that it is not possible to prevent libcurl from doing so:

curl-7.19.7/lib/ssh.c

      home = curl_getenv("HOME");                                                
                                                                                 
      if(data->set.str[STRING_SSH_PUBLIC_KEY])                                   
        sshc->rsa_pub = aprintf("%s", data->set.str[STRING_SSH_PUBLIC_KEY]);     
      else if(home)                                                              
        sshc->rsa_pub = aprintf("%s/.ssh/id_dsa.pub", home);                     
      else                                                                       
        /* as a final resort, try current dir! */                                
        sshc->rsa_pub = strdup("id_dsa.pub"); 

libreport does not explicitly specify the public key path, so libcurl should not use it:

curl-7.45.0/lib/ssh.c

        if(data->set.str[STRING_SSH_PUBLIC_KEY]) {                               
          sshc->rsa_pub = strdup(data->set.str[STRING_SSH_PUBLIC_KEY]);          
          if(!sshc->rsa_pub)                                                     
            out_of_memory = TRUE;                                                
        }
Comment 3 Kamil Dudka 2015-10-27 06:48:28 EDT
We need the following upstream patch, which is not yet included in RHEL-7:

https://github.com/bagder/curl/commit/curl-7_38_0-47-gfa7d04f
Comment 5 Kamil Dudka 2015-10-27 17:18:14 EDT
On RHEL-6, we will need also the following upstream commit:

https://github.com/bagder/curl/commit/curl-7_25_0-31-g05a443a
Comment 12 Kamil Dudka 2016-01-14 03:53:58 EST
(In reply to Kamil Dudka from comment #11)
> (In reply to Karel Srot from comment #10)
> > Also, 
> > with curl-7.19.7-46.el6 the connection works when scp/sftp --pubkey
> > parameter is omitted. It doesn't work if I pass --pubkey '' instead. I guess
> > this is expected but a confirmation would be appreciated.
> 
> Good point.  It does not seem to work as documented:
> 
> CURLOPT_SSH_PUBLIC_KEYFILE
>     Pass a char * pointing to a file name for your public key.  If not used,
>     libcurl defaults to using ~/.ssh/id_dsa.pub.  (Added in 7.16.1)
>     If an empty string is passed, libcurl will pass no public key to libssh2
>     which then tries to compute it from the private key, this is known to
>     work when libssh2 1.4.0+ is linked against OpenSSL. (Added in 7.25.1)
>
> Surprisingly, it works the same way in the latest upstream.  I will ask them
> whether to update the implementation, or the documentation ... but I would
> rather choose the documentation update for RHEL anyway.

I have notified upstream about this and asked them how they prefer to solve it:

http://thread.gmane.org/gmane.comp.web.curl.library/46793
Comment 13 Kamil Dudka 2016-01-15 05:08:58 EST
(In reply to Kamil Dudka from comment #12)
> > ... but I would rather choose the documentation update for RHEL anyway.

Actually, I will rather fix it also in RHEL-6 to make the behavior closer to what we currently have in RHEL-7.

> http://thread.gmane.org/gmane.comp.web.curl.library/46793

upstream commit:

https://github.com/bagder/curl/commit/be538e07
Comment 19 errata-xmlrpc 2016-05-10 20:36:18 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0915.html

Note You need to log in before you can comment on or make changes to this bug.