[Twisted-Python] conch problem with ecdsa-sha2-nistp256 host key?

Craig Rodrigues rodrigc at crodrigues.org
Tue Dec 20 18:50:59 MST 2016


Ah, OK.  In my testing, I had this in my server's /etc/ssh/sshd_config file to force use of ECDSA keys during my testing:


# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key


If I then logged into the server with:
 *conch 192.168.1.2*

then having an ecdsa key in ~/.ssh/known_hosts worked fine and I could log in.  Before the latest patches, the ecdsa keys were not being parsed properly and this never worked at all.

If I changed the config on the server to:

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

I got a bad host key error with conch, same as if I tried to log into buildbot.twistedmatrix.com.  I put this:

import pudb; pudb.set_trace()

on this line inside *_continue_KEX_ECDH_REPLY()* :
https://github.com/twisted/twisted/blob/trunk/src/twisted/conch/ssh/transport.py#L1671

What I then found was that on this line:

hostKey, pubKey, signature, packet = getNS(packet, 3)

the host key is an RSA key.  Then this line in the same function:

d = self.verifyHostKey(hostKey, fingerprint)

tries to compare the hostKey for 192.168.1.2 (which is RSA) against the key in ~/.ssh/known_hosts, which is ecdsa.  It then fails and returns a bad host key error.

I also get this problem when trying to do *conch buildbot.twistedmatrix.com*


--
Craig

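To make the failure mode above concrete, here is an added stand-alone example (not Twisted's code) that models the client-side check: it parses known_hosts lines, reads the algorithm name that every SSH public key blob starts with, and distinguishes "unknown host" from "known host, different key type" from "same type, different key". It also shows the remedy OpenSSH uses, ordering the host key algorithms it proposes so that a key type already in known_hosts comes first. The key blobs and known_hosts content are constructed filler, not real key material; the function names are this example's own.

```python
import base64
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data

def make_blob(key_type: str, body: bytes) -> bytes:
    """Build a minimal public key blob: type name string, then a body.
    The body is constructed filler, not real key material."""
    return ssh_string(key_type.encode()) + ssh_string(body)

def blob_key_type(blob: bytes) -> str:
    """Read the algorithm name at the start of a public key blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()

def parse_known_hosts(text: str) -> dict:
    """Map hostname -> list of (key_type, blob) from known_hosts lines.
    Plain hostnames only; hashed and @marker entries are not handled."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        hosts, key_type, b64 = parts[0], parts[1], parts[2]
        blob = base64.b64decode(b64)
        for host in hosts.split(","):
            entries.setdefault(host, []).append((key_type, blob))
    return entries

def preferred_host_key_algorithms(known, host, default):
    """Propose algorithms for key types already in known_hosts first, so the
    server offers a key the client can actually verify (OpenSSH's approach)."""
    known_types = [t for t, _ in known.get(host, [])]
    first = [a for a in default if a in known_types]
    return first + [a for a in default if a not in known_types]

def check_host_key(known, host, blob):
    """Return 'ok', 'unknown-host', 'type-mismatch' or 'key-mismatch'."""
    if host not in known:
        return "unknown-host"
    same_type = [b for t, b in known[host] if t == blob_key_type(blob)]
    if not same_type:
        return "type-mismatch"  # the conch failure in this thread
    return "ok" if blob in same_type else "key-mismatch"

# Constructed sample data: the server sends RSA, known_hosts only has ECDSA.
ECDSA_BLOB = make_blob("ecdsa-sha2-nistp256", b"constructed-ecdsa-body")
RSA_BLOB = make_blob("ssh-rsa", b"constructed-rsa-body")
KNOWN = parse_known_hosts(
    "192.168.1.2 ecdsa-sha2-nistp256 " + base64.b64encode(ECDSA_BLOB).decode())
DEFAULT_ALGS = ["ssh-rsa", "ecdsa-sha2-nistp256", "ssh-ed25519"]
```

With this data, check_host_key(KNOWN, "192.168.1.2", RSA_BLOB) reports "type-mismatch", while preferred_host_key_algorithms moves ecdsa-sha2-nistp256 to the front of the proposal so a server with both keys would offer the ECDSA one.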

On Tue, Dec 20, 2016 at 5:13 PM, Glyph Lefkowitz <glyph at twistedmatrix.com>
wrote:

> Here's buildbot's key:
>
> buildbot.twistedmatrix.com ecdsa-sha2-nistp256
> AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcw4pr6
> WdgDMw7PbkvsuEdCqKQTtpLYPGoe7qkuQucuexYBiCkO/
> BeoB0wANX2cVmxUP0llpYJQL4w3cAR0csA=
>
> I think you should be able to validate that even if you can't auth :)
>
> -g
>
>
> On Dec 20, 2016, at 4:54 PM, Craig Rodrigues <rodrigc at crodrigues.org>
> wrote:
>
> I'm not sure. I was able to use conch to log into a box where the ecdsa
> key looked like this in my ~/.ssh/known_hosts
>
> 192.168.1.2 ecdsa-sha2-nistp256 XXXXXXXXXX
>
> --
>
> Craig
>
>
>
> On Tue, Dec 20, 2016 at 4:10 PM, Glyph Lefkowitz <glyph at twistedmatrix.com>
> wrote:
>
>> It works:
>>
>> $ conch twistedmatrix.com echo hooray
>> hooray
>> $ conch --version
>> Twisted version: 16.6.0dev0
>> $
>>
>>
>> That's using an RSA host key though.  It seems that the hosts I have
>> using ECDSA keys (buildbot.twistedmatrix.com, for example) still don't
>> work with conch.  Is that expected at this point?
>>
>> -glyph
>>
>> On Dec 20, 2016, at 2:32 PM, Craig Rodrigues <rodrigc at crodrigues.org>
>> wrote:
>>
>> On Friday, December 2, 2016, Glyph Lefkowitz <glyph at twistedmatrix.com>
>> wrote:
>>>
>>> I think there might be a regression in 16.6.0.
>>>
>>> For every version up to 16.6.0, I can do 'conch twistedmatrix.com' in a
>>> shell and it works fine.
>>>
>>
>> I believe that I have fixed this in trunk.
>> Can you try this with conch in trunk?
>>
>> This works for me in trunk:
>>
>> 1.  Start with an empty ~/.ssh/known_hosts file , or one with an ecdsa
>> key for myhost.com
>> 2.  ssh myhost.com
>> 3.  log out of myhost.com
>> 3.  see that ~/.ssh/known_hosts contains an ecdsa host key for myhost.com
>> 4.  conch myhost.com
>> 5.  successfully log into myhost.com with conch
>>
>> Before the latest fixes, I would get a bad host key error in step 5.
>>
>> Many thanks to the0id and acabhishek942 for providing the ecdsa fixes to
>> conch.
>>
>> --
>> Craig
>>
>> _______________________________________________
>> Twisted-Python mailing list
>> Twisted-Python at twistedmatrix.com
>> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
>>