Bug 1824926 - curl with SFTP fails to verify known hosts entry for ECDSA keys
Summary: curl with SFTP fails to verify known hosts entry for ECDSA keys
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: curl
Version: 32
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Kamil Dudka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-04-16 16:47 UTC by Anderson Sasaki
Modified: 2020-04-28 02:30 UTC (History)

Fixed In Version: curl-7.69.1-3.fc33 curl-7.69.1-3.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 02:30:52 UTC
Type: Bug




Links
System: Github    ID: curl curl issues 5252    Priority: None    Status: closed
Summary: curl with SFTP fails to verify ECDSA keys present in known hosts files
Last Updated: 2020-04-22 13:13:47 UTC

Description Anderson Sasaki 2020-04-16 16:47:08 UTC
Description of problem:
When the server uses an ECDSA key, curl fails to verify its entry in the known hosts file when accessing using SFTP.

Version-Release number of selected component (if applicable):
curl-7.69.1-1.f32

How reproducible:
100%

Steps to Reproduce:

1. Create an ECDSA key pair for the SSH server:

# ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''

2. Authorize the user key to access the SSH server (assuming the user has an RSA key):

$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

3. Add the entry to the known_hosts file

$ echo "localhost $(cat /etc/ssh/ssh_host_ecdsa_key.pub)" >> ~/.ssh/known_hosts

4. Create a file to download:

$ dd if=/dev/zero of=~/testfile bs=1M count=1

5. Restart SSH server

$ systemctl restart sshd

6. Download using curl and SFTP

$ curl -o ./sftp_file -u testuser: --key ~/.ssh/id_rsa \
  --pubkey ~/.ssh/id_rsa.pub sftp://localhost/home/$(whoami)/testfile

Actual results:
curl: (60) SSL peer certificate or SSH remote key was not OK

Expected results:
No errors and the file is downloaded correctly.

Additional info:
Using RSA, ED25519, or DSA keys, no error is generated and the download is successful.
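
The check that goes wrong in the report above is the client-side known_hosts lookup: the server's key type and key blob have to be matched against an entry for the host, and a key-type table that does not list the curve-specific ECDSA names ("ecdsa-sha2-nistp256/384/521") turns a present entry into a failed verification. The following is an added Python example of that lookup, written for this page and not taken from curl, libssh or OpenSSH. It parses known_hosts (plain, comma-separated, [host]:port and hashed "|1|" entries), compares the blob with the declared type, and reports match / mismatch / unknown / unsupported / invalid. The known_hosts content, the key blobs and the hostnames are constructed for the example (the blobs are wire-format shaped but contain no real key material), so it runs offline.

```python
import base64
import hashlib
import hmac
import re
import struct

# OpenSSH public-key type names the matcher accepts. A table missing the three
# ECDSA names would reject an ECDSA entry that is present in known_hosts.
KEY_TYPES = {
    "ssh-rsa": "rsa", "ssh-dss": "dss", "ssh-ed25519": "ed25519",
    "ecdsa-sha2-nistp256": "ecdsa", "ecdsa-sha2-nistp384": "ecdsa",
    "ecdsa-sha2-nistp521": "ecdsa",
}

def ssh_string(b):
    """RFC 4251 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def make_blob(keytype, *fields):
    """Base64 wire-format blob: type name string followed by the fields.
    Constructed for this example; the fields are not real key material."""
    raw = ssh_string(keytype.encode()) + b"".join(ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode()

def blob_keytype(blob_b64):
    """Key-type name embedded at the start of the blob (must match the column)."""
    raw = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()

def fingerprint_sha256(blob_b64):
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint of the blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """(host_field, keytype, blob_b64) per usable line; @markers are dropped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):
            parts = parts[1:]
        if len(parts) >= 3:
            out.append((parts[0], parts[1], parts[2]))
    return out

def glob_match(pattern, name):
    """known_hosts globbing: only '*' and '?' are special, case-insensitive."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, name, re.IGNORECASE) is not None

def hashed_match(pattern, name):
    """'|1|<salt>|<hash>' entries: hash = HMAC-SHA1(salt, name)."""
    try:
        _, _, salt_b64, mac_b64 = pattern.split("|")
    except ValueError:
        return False
    mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))

def host_matches(host_field, host, port=22):
    """Comma-separated patterns, '!' negation, '[host]:port' for non-22 ports."""
    name = host if port == 22 else f"[{host}]:{port}"
    matched = False
    for pat in host_field.split(","):
        negate = pat.startswith("!")
        pat = pat.lstrip("!")
        hit = hashed_match(pat, name) if pat.startswith("|1|") else glob_match(pat, name)
        if hit and negate:
            return False
        matched = matched or hit
    return matched

def check_host_key(known_hosts, host, keytype, blob_b64, port=22):
    """'match', 'mismatch' (host known, key differs), 'unknown', 'unsupported'
    (type not in KEY_TYPES) or 'invalid' (blob's embedded type != keytype)."""
    if keytype not in KEY_TYPES:
        return "unsupported"
    if blob_keytype(blob_b64) != keytype:
        return "invalid"
    seen = False
    for host_field, kh_type, kh_blob in parse_known_hosts(known_hosts):
        if kh_type != keytype or not host_matches(host_field, host, port):
            continue
        seen = True
        if hmac.compare_digest(kh_blob.encode(), blob_b64.encode()):
            return "match"
    return "mismatch" if seen else "unknown"

# Constructed sample data (not real keys): placeholder bytes stand in for the
# curve point, RSA modulus and Ed25519 point.
ECDSA_BLOB = make_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64))
OTHER_ECDSA_BLOB = make_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(63) + b"\x01")
RSA_BLOB = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(256))
ED25519_BLOB = make_blob("ssh-ed25519", bytes(32))

def hashed_entry(name, salt):
    """Build a '|1|salt|hash' host field the way ssh-keygen -H would."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

HASHED = hashed_entry("hashed.example.test", bytes(20))  # zero salt, example only
SAMPLE_KNOWN_HOSTS = f"""# constructed known_hosts for the example
localhost,127.0.0.1 ecdsa-sha2-nistp256 {ECDSA_BLOB}
localhost ssh-rsa {RSA_BLOB}
[sftp.example.test]:2222 ssh-ed25519 {ED25519_BLOB}
{HASHED} ecdsa-sha2-nistp256 {ECDSA_BLOB}
"""

if __name__ == "__main__":
    for host, port, ktype, blob in [("localhost", 22, "ecdsa-sha2-nistp256", ECDSA_BLOB),
                                    ("localhost", 22, "ecdsa-sha2-nistp256", OTHER_ECDSA_BLOB),
                                    ("sftp.example.test", 2222, "ssh-ed25519", ED25519_BLOB)]:
        print(host, ktype, fingerprint_sha256(blob), check_host_key(SAMPLE_KNOWN_HOSTS, host, ktype, blob, port))
```

The KEY_TYPES table is the point: ECDSA is not one type name but three, and a lookup keyed on the family has to map each curve name explicitly, otherwise the entry the user just appended is never consulted. Against a real host, `ssh-keyscan -t ecdsa localhost` gives the server's type and blob and `ssh-keygen -F localhost -f ~/.ssh/known_hosts` shows which line OpenSSH itself would match; comparing their fingerprints with `fingerprint_sha256` tells you whether a curl failure is a bad entry or a client bug.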

Comment 1 Kamil Dudka 2020-04-17 15:40:24 UTC
Anderson, thank you for creating the pull request upstream!

Comment 2 Kamil Dudka 2020-04-18 06:31:10 UTC
upstream commit: https://github.com/curl/curl/commit/14bf7eb6

Comment 3 Kamil Dudka 2020-04-20 09:48:47 UTC
dist-git commit: https://src.fedoraproject.org/rpms/curl/c/6a752013

Comment 4 Fedora Update System 2020-04-20 10:21:08 UTC
FEDORA-2020-e763186d31 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-e763186d31

Comment 5 Fedora Update System 2020-04-20 16:18:49 UTC
FEDORA-2020-e763186d31 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-e763186d31`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-e763186d31

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-04-28 02:30:52 UTC
FEDORA-2020-e763186d31 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
