[Twisted-Python] conch problem with ecdsa-sha2-nistp256 host key?
Glyph Lefkowitz
glyph at twistedmatrix.com
Wed Dec 21 17:46:34 MST 2016
> On Dec 20, 2016, at 7:32 PM, Craig Rodrigues <rodrigc at crodrigues.org> wrote:
>
>> On Tue, Dec 20, 2016 at 6:24 PM, Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
>>
>> So... is this because buildbot.twistedmatrix.com has an RSA key as well, and when it offers it, our checking isn't correctly comparing the type before deciding that it doesn't match, or allowing for multiple keys? I notice that if I manually add the RSA key and delete the ECDSA key it seems to work.
>>
>> -g
>
> Yes, that is part of it.
> What is happening is that the conch client sends a MSG_KEXINIT
> packet to the server to negotiate what the host key should be.
> If I use an OpenSSH ssh client to connect to OpenSSH sshd server,
> the negotiated host key algorithm is ecdsa-sha2-nistp256.
>
> If I use a conch client to connect to the OpenSSH sshd server,
> the negotiated host key algorithm is ssh-rsa.
>
> I started a test instance of the sshd server with:
>
> /usr/sbin/sshd -p 9000 -d -d -d
>
> and captured the logs (see attached).
>
> I think some problems are:
> (1) conch proposes a list of host key algorithms in a different order than
> OpenSSH. It shouldn't matter, but conch proposes ssh-rsa first,
> while OpenSSH proposes it last.
> (2) OpenSSH client seems to be able to receive multiple host keys back
> from the server, and can match the one it has.
Can you file a new ticket for each of these? The ordering thing seems super low priority, but not being able to receive multiple host keys is definitely a spec violation.
Thanks for figuring it out,
-glyph
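The negotiation Craig describes is the RFC 4253 name-list rule: the first host key algorithm on the client's list that the server also supports wins, so the order the client proposes decides which key type it will be shown. The sketch below is an added illustration, not conch's or OpenSSH's code; the algorithm lists, hostname entries and key blobs are constructed samples, and `prefer_known_types` is a simplified stand-in for the OpenSSH behaviour of favouring key types already in known_hosts. It also shows the type-aware check Glyph alludes to: a key of a type not yet stored for the host is "unknown", not a mismatch.

```python
# Added example (not Twisted/conch or OpenSSH code). Lists below are constructed.
HOST = "buildbot.twistedmatrix.com"

# Constructed known_hosts: (host, key type, key blob). Only an ECDSA key is stored.
KNOWN_HOSTS = [(HOST, "ecdsa-sha2-nistp256", b"ECDSA-KEY-CONSTRUCTED")]

# Constructed server proposal (the server holds keys of several types).
SERVER_OFFERS = ["ssh-rsa", "ecdsa-sha2-nistp256", "ssh-ed25519"]

# Constructed client proposal with ssh-rsa first, mirroring point (1) in the thread.
CLIENT_CONCH = ["ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ssh-ed25519"]


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the first entry of the client's name-list that the
    server also lists wins; no common entry means the negotiation fails (None)."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def prefer_known_types(client_list, known_hosts, host):
    """Simplified OpenSSH-style reordering (assumption): move key types already
    stored in known_hosts for this host to the front, keeping the rest in order."""
    known_types = {ktype for h, ktype, _ in known_hosts if h == host}
    known = [a for a in client_list if a in known_types]
    rest = [a for a in client_list if a not in known_types]
    return known + rest


def check_host_key(known_hosts, host, key_type, key_blob):
    """Compare the offered key only against stored keys of the same type.
    'match'    -> identical key stored for this host and type
    'mismatch' -> a key of this type is stored but differs (must abort)
    'unknown'  -> nothing stored for this host and type (treat as a new key)"""
    same_type = [blob for h, t, blob in known_hosts if h == host and t == key_type]
    if not same_type:
        return "unknown"
    return "match" if key_blob in same_type else "mismatch"


def demo():
    """Return both negotiation outcomes so the difference in ordering is visible."""
    plain = negotiate(CLIENT_CONCH, SERVER_OFFERS)
    reordered = negotiate(prefer_known_types(CLIENT_CONCH, KNOWN_HOSTS, HOST), SERVER_OFFERS)
    return {"client_order": plain, "known_first": reordered}


if __name__ == "__main__":
    print(demo())
```

With the client's own order the server is asked for `ssh-rsa`, which has no known_hosts entry; with known key types moved first the session negotiates `ecdsa-sha2-nistp256` and the stored key matches.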