On Dec 20, 2016, at 5:50 PM, Craig Rodrigues <rodrigc@crodrigues.org> wrote:
Ah, OK. In my testing, I had this in my server's /etc/ssh/sshd_config file to force use of ECDSA keys during my testing:

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
If I then logged into the server with:

conch 192.168.1.2

then having an ecdsa key in ~/.ssh/known_hosts worked fine and I could log in. Before the latest patches, the ecdsa keys were not being parsed properly and this never worked at all.
If I changed the config on the server to:
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

I got a bad host key error with conch, same as if I tried to log into buildbot.twistedmatrix.com. I put this:
import pudb; pudb.set_trace()
on this line inside _continue_KEX_ECDH_REPLY(): https://github.com/twisted/twisted/blob/trunk/src/twisted/conch/ssh/transpor... Did you mean https://github.com/twisted/twisted/blob/71643ca93e024d33dba8de9eef149876554c... ?
What I then found was that on this line:
hostKey, pubKey, signature, packet = getNS(packet, 3)

The host key is an RSA key. Then this line in the same function:

d = self.verifyHostKey(hostKey, fingerprint)
tries to compare the hostKey for 192.168.1.2 (which is RSA), against the key in ~/.ssh/known_hosts which is ecdsa. It then fails and returns a bad host key error.
I also get this problem when trying to do conch buildbot.twistedmatrix.com

So... is this because buildbot.twistedmatrix.com has an RSA key as well, and when it offers it, our checking isn't correctly comparing the type before deciding that it doesn't match, or allowing for multiple keys? I notice that if I manually add the RSA key and delete the ECDSA key it seems to work.
-g
-- Craig
On Tue, Dec 20, 2016 at 5:13 PM, Glyph Lefkowitz <glyph@twistedmatrix.com> wrote:

Here's buildbot's key:

buildbot.twistedmatrix.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcw4pr6WdgDMw7PbkvsuEdCqKQTtpLYPGoe7qkuQucuexYBiCkO/BeoB0wANX2cVmxUP0llpYJQL4w3cAR0csA=
I think you should be able to validate that even if you can't auth :)
-g
On Dec 20, 2016, at 4:54 PM, Craig Rodrigues <rodrigc@crodrigues.org> wrote:
I'm not sure. I was able to use conch to log into a box where the ecdsa key looked like this in my ~/.ssh/known_hosts
192.168.1.2 ecdsa-sha2-nistp256 XXXXXXXXXX
--
Craig
On Tue, Dec 20, 2016 at 4:10 PM, Glyph Lefkowitz <glyph@twistedmatrix.com> wrote:

It works:

$ conch twistedmatrix.com echo hooray
hooray
$ conch --version
Twisted version: 16.6.0dev0
$

That's using an RSA host key though. It seems that the hosts I have using ECDSA keys (buildbot.twistedmatrix.com, for example) still don't work with conch. Is that expected at this point?
-glyph
On Dec 20, 2016, at 2:32 PM, Craig Rodrigues <rodrigc@crodrigues.org> wrote:

On Friday, December 2, 2016, Glyph Lefkowitz <glyph@twistedmatrix.com> wrote:

I think there might be a regression in 16.6.0.
For every version up to 16.6.0, I can do 'conch twistedmatrix.com' in a shell and it works fine.
I believe that I have fixed this in trunk. Can you try this with conch in trunk?
This works for me in trunk:
1. Start with an empty ~/.ssh/known_hosts file, or one with an ecdsa key for myhost.com
2. ssh myhost.com
3. log out of myhost.com
4. see that ~/.ssh/known_hosts contains an ecdsa host key for myhost.com
5. conch myhost.com
6. successfully log into myhost.com with conch

Before the latest fixes, I would get a bad host key error in step 6.
Many thanks to the0id and acabhishek942 for providing the ecdsa fixes to conch.
-- Craig
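As an added illustration (not code from Twisted or from anyone in this thread), here is a small known_hosts lookup that does what Glyph's question asks for: it matches on host and key type and allows several keys per host, so an RSA key offered by a host whose only known_hosts entry is ECDSA is reported as "unknown type" rather than as a bad host key, while a differing key of the same type is still a mismatch. The hostnames, key blobs, salt and hashed entry are constructed samples, and `@cert-authority`/`@revoked` marker lines are deliberately left unhandled.

```python
import base64, hashlib, hmac
from enum import Enum

class HostKeyResult(Enum):
    MATCH = "match"                 # stored key of the offered type is identical
    MISMATCH = "mismatch"           # stored key of the offered type differs: refuse
    UNKNOWN_TYPE = "unknown-type"   # host known, but no stored key of this type
    UNKNOWN_HOST = "unknown-host"   # no entry for this host at all

def host_matches(pattern, hostname):
    """Match one known_hosts host field: a comma-separated list or a |1| hashed entry."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        digest = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(digest_b64))
    return hostname in pattern.split(",")

def check_host_key(known_hosts_text, hostname, key_type, key_blob_b64):
    """Classify the host key a server offered against the known_hosts text."""
    host_known = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # skip blanks, comments and @cert-authority/@revoked marker lines (not handled here)
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if not host_matches(fields[0], hostname):
            continue
        host_known = True
        if fields[1] != key_type:
            continue  # a key of another type for this host is not evidence of tampering
        if hmac.compare_digest(base64.b64decode(fields[2]), base64.b64decode(key_blob_b64)):
            return HostKeyResult.MATCH
        return HostKeyResult.MISMATCH
    return HostKeyResult.UNKNOWN_TYPE if host_known else HostKeyResult.UNKNOWN_HOST

def fake_blob(label):
    """Constructed stand-in for a base64 public-key blob; it is not a usable key."""
    return base64.b64encode(label.encode()).decode()

def hashed_host_field(hostname, salt=b"constructed-salt-1234"):
    """Build the |1|salt|hmac-sha1 host field that HashKnownHosts / ssh-keyscan -H write."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())
# Constructed sample: one host with only an ECDSA key, one with RSA and ECDSA, one hashed.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "192.168.1.2 ecdsa-sha2-nistp256 " + fake_blob("ecdsa key of 192.168.1.2"),
    "buildbot.example,10.0.0.5 ssh-rsa " + fake_blob("rsa key of buildbot"),
    "buildbot.example,10.0.0.5 ecdsa-sha2-nistp256 " + fake_blob("ecdsa key of buildbot"),
    hashed_host_field("hashed.example") + " ssh-ed25519 " + fake_blob("ed25519 key of hashed"),
])
```

The case from this thread is `check_host_key(SAMPLE_KNOWN_HOSTS, "192.168.1.2", "ssh-rsa", ...)`, which yields `UNKNOWN_TYPE`: the right response is to prompt or fetch a key of that type, not to report a bad host key.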
_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python