[Twisted-Python] conch problem with ecdsa-sha2-nistp256 host key?

Glyph Lefkowitz glyph at twistedmatrix.com
Sat Dec 3 15:04:26 MST 2016


> On Dec 2, 2016, at 4:41 PM, Craig Rodrigues <rodrigc at crodrigues.org> wrote:
> 
> Glyph,
> 
> I took your fix, and added some fixes of my own for __repr__() printing of EC keys in this branch:
> 
> https://github.com/twisted/twisted/pull/615
> 
> 
> If I run the tests, I get a new failure:
> 
> 
> trial twisted.conch.test.test_keys.KeyTests.test_fromBlobECDSA
> 
> Traceback (most recent call last):
>   File "/Users/crodrigues/twisted_15/src/twisted/conch/test/test_keys.py", line 776, in test_fromBlobECDSA
>     eckey = keys.Key.fromString(ecblob)
>   File "/Users/crodrigues/twisted_15/src/twisted/conch/ssh/keys.py", line 197, in fromString
>     return method(data)
>   File "/Users/crodrigues/twisted_15/src/twisted/conch/ssh/keys.py", line 253, in _fromString_BLOB
>     default_backend()))
>   File "/Users/crodrigues/venv-3.6/lib/python3.6/site-packages/cryptography/hazmat/primitives/serialization.py", line 69, in load_ssh_public_key
>     return loader(key_type, rest, backend)
>   File "/Users/crodrigues/venv-3.6/lib/python3.6/site-packages/cryptography/hazmat/primitives/serialization.py", line 103, in _load_ssh_ecdsa_public_key
>     'Key header and key body contain different key type values.'
> 
> builtins.ValueError: Key header and key body contain different key type values.
> 
> 
> Also, if I try to access my machine with:
> conch 192.168.1.2
> 
> I see that in the matchesKey() function on this line:
> https://github.com/twisted/twisted/blob/trunk/src/twisted/conch/client/knownhosts.py#L106
> 
> self.publicKey is an EC key, while keyObject is an RSA key.
> 
> Therefore this function always fails, and I cannot log into the box.
> 
> Any ideas?

It looks like https://github.com/twisted/twisted/blob/e48500b94a3b3c751a4ccea36db95a45db8c34be/src/twisted/conch/client/knownhosts.py#L434-L446 isn't really geared towards the idea that there might be multiple entries for one host.  The first step toward a fix would be to correct that algorithm to only fail if no matches are found, or to specifically check the key type before failing.

-glyph
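The matching rule Glyph describes (with several known_hosts entries for one host, only the entries of the offered key's type count, and the lookup fails only when none of them matches) can be shown with a small stand-alone matcher. This is an added illustration, not Twisted's knownhosts.py; the known_hosts lines, key bodies and the `check_host_key` helper are all constructed here. The key blobs only carry the SSH wire-format type header followed by filler bytes, which is enough to show the type-consistency check that raised the `ValueError` in the quoted traceback and the per-type matching that would let an ECDSA host key coexist with an RSA entry for the same host.

```python
import base64
import struct
from enum import Enum


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b


def make_blob(key_type: str, body: bytes) -> bytes:
    """Build a public-key blob: type string first, then type-specific fields.
    The body is constructed filler for this example, not real key material."""
    return _ssh_string(key_type.encode()) + body


def blob_key_type(blob: bytes) -> str:
    """Read the key type from the first SSH string of a blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


class HostKeyResult(Enum):
    MATCH = "match"          # an entry of this key type equals the offered key
    MISMATCH = "mismatch"    # entries of this type exist but none equals it
    UNKNOWN = "unknown"      # the host has no entry of this key type at all


def parse_known_hosts(text: str):
    """Parse plain (unhashed) known_hosts lines into (hosts, type, blob) tuples.
    Rejects a line whose text header disagrees with the type inside the blob,
    the same inconsistency cryptography reports in the quoted traceback."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, key_type, b64 = line.split()[:3]
        blob = base64.b64decode(b64)
        if blob_key_type(blob) != key_type:
            raise ValueError(
                "Key header and key body contain different key type values.")
        entries.append((hosts.split(","), key_type, blob))
    return entries


def check_host_key(entries, hostname: str, offered_blob: bytes) -> HostKeyResult:
    """Compare the key a server offered against every entry for that host,
    considering only entries of the same key type. A different-type entry is
    neither a match nor a failure; only a same-type entry that differs is."""
    offered_type = blob_key_type(offered_blob)
    saw_same_type = False
    for hosts, key_type, blob in entries:
        if hostname not in hosts or key_type != offered_type:
            continue
        saw_same_type = True
        if blob == offered_blob:
            return HostKeyResult.MATCH
    return HostKeyResult.MISMATCH if saw_same_type else HostKeyResult.UNKNOWN


# Constructed sample data: one RSA and one ECDSA entry for the same host.
RSA_BLOB = make_blob("ssh-rsa", b"\x00\x00\x00\x01rsa-filler")
EC_BLOB = make_blob("ecdsa-sha2-nistp256", b"\x00\x00\x00\x01ec-filler")
KNOWN_HOSTS = "\n".join([
    "192.168.1.2 ssh-rsa " + base64.b64encode(RSA_BLOB).decode() + " example-rsa",
    "192.168.1.2 ecdsa-sha2-nistp256 " + base64.b64encode(EC_BLOB).decode(),
])
ENTRIES = parse_known_hosts(KNOWN_HOSTS)

if __name__ == "__main__":
    # The ECDSA key is accepted even though an RSA entry for the host is listed first.
    print(check_host_key(ENTRIES, "192.168.1.2", EC_BLOB))
    # A changed RSA key of the known type is a real mismatch worth alerting on.
    print(check_host_key(ENTRIES, "192.168.1.2", make_blob("ssh-rsa", b"other")))
    # A key type never recorded for the host is unknown, not a mismatch.
    print(check_host_key(ENTRIES, "192.168.1.2", make_blob("ssh-ed25519", b"x")))
```

The three outcomes are kept distinct on purpose: a client should prompt (or refuse, depending on policy) on UNKNOWN, but a MISMATCH of the same key type is the signal that deserves a loud warning, and the one a single-entry-per-host check wrongly raised for the ECDSA key above.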
