[Twisted-Python] conch problem with ecdsa-sha2-nistp256 host key?

Glyph Lefkowitz glyph at twistedmatrix.com
Tue Dec 20 19:24:04 MST 2016


> On Dec 20, 2016, at 5:50 PM, Craig Rodrigues <rodrigc at crodrigues.org> wrote:
> 
> Ah, OK.  In my testing, I had this in my server's /etc/ssh/sshd_config file to force
> use of ECDSA keys during my testing:
> 
> 
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
> HostKey /etc/ssh/ssh_host_ecdsa_key
> HostKey /etc/ssh/ssh_host_ed25519_key
> 
> 
> If I then logged into the server with:
>  conch 192.168.1.2
> 
> then having an ecdsa key in ~/.ssh/known_hosts
> worked fine and I could log in.  Before the latest patches, the ecdsa keys were not
> being parsed properly and this never worked at all.
> 
> If I changed the config on the server to:
> 
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
> #HostKey /etc/ssh/ssh_host_ed25519_key
> 
> I got a bad host key error with conch, same as if I tried to log into buildbot.twistedmatrix.com.
> I put this:
> 
> import pudb; pudb.set_trace()
> 
> on this line inside _continue_KEX_ECDH_REPLY() :
> https://github.com/twisted/twisted/blob/trunk/src/twisted/conch/ssh/transport.py#L1671
Did you mean https://github.com/twisted/twisted/blob/71643ca93e024d33dba8de9eef149876554c2dd7/src/twisted/conch/ssh/transport.py#L1674 ?

> What I then found was that on this line:
> 
> hostKey, pubKey, signature, packet = getNS(packet, 3)
> 
> 
> The host key is an RSA key.  Then this line in the same function:
>  d = self.verifyHostKey(hostKey, fingerprint)
> 
> tries to compare the hostKey for 192.168.1.2 (which is RSA), against
> the key in ~/.ssh/known_hosts which is ecdsa.  It then fails and returns a bad host key error.
> 
> I also get this problem when trying to do conch buildbot.twistedmatrix.com
So... is this because buildbot.twistedmatrix.com has an RSA key as well, and when it offers it, our checking isn't correctly comparing the type before deciding that it doesn't match, or allowing for multiple keys?  I notice that if I manually add the RSA key and delete the ECDSA key it seems to work.

-g
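The failure traced above, a known_hosts entry of one key type being compared against a server key of another type and reported as a mismatch, comes down to how the lookup result is classified. Below is an added example (not Twisted's code and not from this thread) of a known_hosts check that stores entries by host and key type, so a key of a type the file does not hold for that host is reported as unknown rather than as a mismatch; the host names, key bodies and sample file are constructed.

```python
import base64
import struct
from enum import Enum

class HostKeyStatus(Enum):
    MATCH = "match"                # same type, identical key: accept
    MISMATCH = "mismatch"          # same type, different key: refuse, possible spoofing
    UNKNOWN_TYPE = "unknown-type"  # host is known, but not by a key of the offered type
    UNKNOWN_HOST = "unknown-host"  # no entry at all: apply the first-connection policy

def make_blob(key_type: str, body: bytes) -> bytes:
    """SSH public-key blob layout: length-prefixed type string, then the key body."""
    t = key_type.encode()
    return struct.pack(">I", len(t)) + t + body

def blob_key_type(blob: bytes) -> str:
    """The first SSH string in any public-key blob names its algorithm."""
    return blob[4:4 + struct.unpack(">I", blob[:4])[0]].decode()

def parse_known_hosts(text: str) -> dict:
    """Map host name -> {key type: blob}; comments and hashed (|1|) entries are skipped."""
    hosts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "|1|")):
            continue
        names, key_type, blob = fields[0], fields[1], base64.b64decode(fields[2])
        if blob_key_type(blob) != key_type:
            continue  # type field and blob disagree: treat the line as malformed
        for name in names.split(","):
            hosts.setdefault(name, {})[key_type] = blob
    return hosts

def check_host_key(hosts: dict, host: str, offered_type: str, offered: bytes) -> HostKeyStatus:
    """Compare only against the stored key of the same type as the one the server offered."""
    known = hosts.get(host)
    if known is None:
        return HostKeyStatus.UNKNOWN_HOST
    stored = known.get(offered_type)
    if stored is None:
        return HostKeyStatus.UNKNOWN_TYPE
    return HostKeyStatus.MATCH if stored == offered else HostKeyStatus.MISMATCH

# Constructed sample data (bodies are not real keys): one host known only by ECDSA, one by both.
ECDSA_BLOB = make_blob("ecdsa-sha2-nistp256", b"sample-nistp256-point")
RSA_BLOB = make_blob("ssh-rsa", b"sample-rsa-key-1")
KNOWN_HOSTS = "\n".join(f"{h} {t} {base64.b64encode(b).decode()}" for h, t, b in [
    ("192.168.1.2", "ecdsa-sha2-nistp256", ECDSA_BLOB),
    ("buildbot.example", "ssh-rsa", RSA_BLOB),
    ("buildbot.example", "ecdsa-sha2-nistp256", ECDSA_BLOB)])
```

A client can then treat UNKNOWN_TYPE like a first connection (prompt, or refuse under a strict policy) and reserve the hard "bad host key" error for MISMATCH, where a key of the expected type disagrees with what is stored.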

> --
> Craig
> 
> 
> On Tue, Dec 20, 2016 at 5:13 PM, Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
> Here's buildbot's key:
> 
> buildbot.twistedmatrix.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcw4pr6WdgDMw7PbkvsuEdCqKQTtpLYPGoe7qkuQucuexYBiCkO/BeoB0wANX2cVmxUP0llpYJQL4w3cAR0csA=
> 
> I think you should be able to validate that even if you can't auth :)
> 
> -g
> 
> 
>> On Dec 20, 2016, at 4:54 PM, Craig Rodrigues <rodrigc at crodrigues.org> wrote:
>> 
>> I'm not sure. I was able to use conch to log into a box where the ecdsa key looked like this in my ~/.ssh/known_hosts
>> 
>> 192.168.1.2 ecdsa-sha2-nistp256 XXXXXXXXXX
>> 
>> --
>> 
>> Craig
>> 
>> 
>> 
>> 
>> On Tue, Dec 20, 2016 at 4:10 PM, Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
>> It works:
>> 
>> $ conch twistedmatrix.com echo hooray
>> hooray
>> $ conch --version
>> Twisted version: 16.6.0dev0
>> $ 
>> 
>> That's using an RSA host key though.  It seems that the hosts I have using ECDSA keys (buildbot.twistedmatrix.com, for example) still don't work with conch.  Is that expected at this point?
>> 
>> -glyph
>> 
>>> On Dec 20, 2016, at 2:32 PM, Craig Rodrigues <rodrigc at crodrigues.org> wrote:
>>> 
>>> On Friday, December 2, 2016, Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
>>> I think there might be a regression in 16.6.0.
>>> 
>>> For every version up to 16.6.0, I can do 'conch twistedmatrix.com' in a shell and it works fine.
>>> 
>>> I believe that I have fixed this in trunk.
>>> Can you try this with conch in trunk?
>>> 
>>> This works for me in trunk:
>>> 
>>> 1.  Start with an empty ~/.ssh/known_hosts file, or one with an ecdsa key for myhost.com
>>> 2.  ssh myhost.com
>>> 3.  log out of myhost.com
>>> 3.  see that ~/.ssh/known_hosts contains an ecdsa host key for myhost.com
>>> 4.  conch myhost.com
>>> 5.  successfully log into myhost.com with conch
>>> 
>>> Before the latest fixes, I would get a bad host key error in step 5.
>>> 
>>> Many thanks to the0id and acabhishek942 for providing the ecdsa fixes to conch.
>>> 
>>> --
>>> Craig
>>>  
>>> _______________________________________________
>>> Twisted-Python mailing list
>>> Twisted-Python at twistedmatrix.com
>>> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
>> 
>> 
