1824926 – curl with SFTP fails to verify known hosts entry for ECDSA keys

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1824926 - curl with SFTP fails to verify known hosts entry for ECDSA keys

Summary: curl with SFTP fails to verify known hosts entry for ECDSA keys

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	curl
Sub Component:
Version:	32
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Kamil Dudka
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-04-16 16:47 UTC by Anderson Sasaki
Modified:	2020-04-28 02:30 UTC (History)
CC List:	5 users (show)
Fixed In Version:	curl-7.69.1-3.fc33 curl-7.69.1-3.fc32
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-04-28 02:30:52 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	curl curl issues 5252	0	None	closed	curl with SFTP fails to verify ECDSA keys present in known hosts files	2020-04-22 13:13:47 UTC

Description Anderson Sasaki 2020-04-16 16:47:08 UTC

Description of problem:
When the server uses an ECDSA key, curl fails to verify it's entry in the known hosts file when accessing using SFTP.

Version-Release number of selected component (if applicable):
curl-7.69.1-1.f32

How reproducible:
100%

Steps to Reproduce:

1. Create an ECDSA key pair for the SSH server:

# ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''

2. Authorize the user key to access the SSH server (assuming the user has an RSA key):

$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

3. Add the entry to the known_hosts file

$ echo 'localhost $(cat "/etc/ssh/ssh_host_ecdsa_key.pub")' >> ~/.ssh/known_hosts

4. Create a file to download:

$ dd if=/dev/zero of=~/testfile bs=1M count=1

5. Restart SSH server

$ systemctl restart sshd

6. Download using curl and SFTP

$ curl -o ./sftp_file -u testuser: --key ~/.ssh/id_rsa \
  --pubkey ~/.ssh/id_rsa.pub sftp://localhost/home/$(whoami)/testfile

Actual results:
curl: (60) SSL peer certificate or SSH remote key was not OK

Expected results:
No errors and the file is downloaded correctly.

Additional info:
Using RSA, ED25519, or DSA keys no error is generated and the download is successful

Comment 1 Kamil Dudka 2020-04-17 15:40:24 UTC

Anderson, thank you for creating the pull request upstream!

Comment 2 Kamil Dudka 2020-04-18 06:31:10 UTC

upstream commit: https://github.com/curl/curl/commit/14bf7eb6

Comment 3 Kamil Dudka 2020-04-20 09:48:47 UTC

dist-git commit: https://src.fedoraproject.org/rpms/curl/c/6a752013

Comment 4 Fedora Update System 2020-04-20 10:21:08 UTC

FEDORA-2020-e763186d31 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-e763186d31

Comment 5 Fedora Update System 2020-04-20 16:18:49 UTC

FEDORA-2020-e763186d31 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-e763186d31`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-e763186d31

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-04-28 02:30:52 UTC

FEDORA-2020-e763186d31 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.