Bug 1275769 - curl requires public ssh key file [RHEL-7]
Summary: curl requires public ssh key file [RHEL-7]
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: curl
Version: 7.2
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Kamil Dudka
QA Contact: Stefan Dordevic
Lenka Špačková
Depends On:
Blocks: 1260742 1289025 1295829 1313485
TreeView+ depends on / blocked
Reported: 2015-10-27 16:46 UTC by Kamil Dudka
Modified: 2016-11-03 17:44 UTC (History)
3 users (show)

Fixed In Version: curl-7.29.0-30.el7
Doc Type: Bug Fix
Doc Text:
*curl* no longer requires a public key specified by the user Prior to this update, the *curl* utility required both private and public SSH keys (paired with each other) for user authentication. Consequently, if a user provided only the private SSH key, which is a common practice with the *scp* utility, *curl* failed to authenticate the user. An upstream patch has been applied to improve the SSH user authentication, and *curl* now authenticates the user successfully also in case only a private SSH key is provided.
Clone Of: 1260742
Last Closed: 2016-11-03 17:44:16 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2575 0 normal SHIPPED_LIVE Moderate: curl security, bug fix, and enhancement update 2016-11-03 12:06:39 UTC

Description Kamil Dudka 2015-10-27 16:46:51 UTC
+++ This bug was initially created as a clone of Bug #1260742 +++

Description of problem:

When using libreport-plugin-reportuploader, looks like CURL requires the public SSH key even if there is no need for it.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1. Configure libreport-plugin-reportuploader to scp dumps with ssh keys
2. Configure only the private key
3. Kaboom

Actual results:

Locked '.lock'
Compressing data
Unlocked '/var/spool/abrt/ccpp-2015-09-07-11:03:58-234464/.lock'
Sending /tmp/ccpp-2015-09-07-11:03:58-234464.tar.gz to use-abrt1.ops.rhcloud.com/var/spool/abrt-upload/
curl: About to connect() to use-abrt1.ops.rhcloud.com port 22 (#0)

curl:   Trying 
curl: connected

curl: Connected to use-abrt1.ops.rhcloud.com ( port 22 (#0)

curl: SSH MD5 fingerprint: 5ffc40458bdae829212e0a1f6e91fdd4

curl: SSH authentication methods available: publickey,gssapi-keyex,gssapi-with-mic

curl: Using ssh public key file /root/.ssh/id_dsa.pub

curl: Using ssh private key file /root/.ssh/id_dsa

curl: SSH public key authentication failed: Unable to open public key file

curl: Authentication failure

curl: Closing connection #0

curl_easy_perform: error 67
curl_easy_perform: error_msg: curl_easy_perform: Login denied
Error while uploading: 'curl_easy_perform: Login denied'

Expected results:

The upload should be done even without the public key.

--- Additional comment from Jakub Filak on 2015-10-22 10:49:26 CEST ---

It looks like that curl tries really hard to set the path to public key and I am afraid that it is not possible to prevent libcurl from doing so:


      home = curl_getenv("HOME");                                                
        sshc->rsa_pub = aprintf("%s", data->set.str[STRING_SSH_PUBLIC_KEY]);     
      else if(home)                                                              
        sshc->rsa_pub = aprintf("%s/.ssh/id_dsa.pub", home);                     
        /* as a final resort, try current dir! */                                
        sshc->rsa_pub = strdup("id_dsa.pub"); 

libreport does not explicitly specify the public key path, so libcurl should not use it:


        if(data->set.str[STRING_SSH_PUBLIC_KEY]) {                               
          sshc->rsa_pub = strdup(data->set.str[STRING_SSH_PUBLIC_KEY]);          
            out_of_memory = TRUE;                                                

--- Additional comment from Kamil Dudka on 2015-10-27 11:48:28 CET ---

We need the following upstream patch, which is not yet included in RHEL-7:


Comment 8 errata-xmlrpc 2016-11-03 17:44:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.