[Twisted-Python] conch problem with ecdsa-sha2-nistp256 host key?

Fri Dec 2 01:19:42 MST 2016

> On Dec 1, 2016, at 7:01 PM, Mark Williams <markrwilliams at gmail.com> wrote:
> 
> On Thu, Dec 01, 2016 at 05:11:37PM -0800, Craig Rodrigues wrote:
>> Hi,
>> 
>> I filed this bug:
>> https://twistedmatrix.com/trac/ticket/8931
>> 
>> At least for me, conch fails to parse a host key created by OpenSSH
>> in ~/.ssh/known_hosts
>> which is of type ecdsa-sha2-nistp256.
>> 
>> Anyone have an idea as to how to fix this?
>> 
> 
> As usual you've found a fantastically interesting issue.
> 
> This is conch, the client, right?  I'm guessing so because
> ~/.ssh/known_hosts contains the servers the ssh client trusts.
> (Specifically, among other things it contains a hostname and that
> host's sshd server's public key fingerprint).
> 
> If it is conch, the-client, then deleting the offending entry from
> ~/.ssh/known_hosts and getting a new one makes sense.  That's because
> sshd usually generates a couple of different keys in case clients
> don't support the latest and greatest technology.
> 
> I think deleting the entry in ~/.ssh/known_hosts allows conch to ask
> the server for a different key that it *can* understand.  You should
> be able to find out which server key conch negotiated by doing thing
> following after deleting the offending ~/.ssh/known_hosts entry:
> 
> (<hostname is the problematic OS X server>)
> $ ssh-keygen -H -F <hostname> | awk '{ print $NF }'
> dGhpcyBpcyB2ZXJ5IHZlcnkgdmVyeSB2ZXJ5IHZlcnkgbG9uZyBob3N0IGtleQ==
> 
> Then on the OS X server, grep for that in /etc/ssh/*.pub
> 
> I bet the key negotiated by conch is not an ECDSA key but rather an
> RSA key.  If this is all the case, then I think you've found a key
> that LibreSSL supports but your client's libssl (which conch calls
> into via cryptography) does not.  What version of libssl do you have?
> 
> If any of this is helpful or relevant I'll ask more questions in the
> ticket.

I think there might be a regression in 16.6.0.

For every version up to 16.6.0, I can do 'conch twistedmatrix.com' in a shell and it works fine.

On 16.6.0, I get:

Connection to twistedmatrix.com closed.
conch: exiting with error [Failure instance: Traceback (failure with no frames): <class 'twisted.conch.error.ConchError'>: ('bad host key', 9)
]

instead.

Worth noting: the keys I have for twistedmatrix.com are RSA keys.

What did we add recently that changes key parsing?

-glyph
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/twisted-python/attachments/20161202/c791a91e/attachment-0002.html>