Opened 6 years ago
Closed 14 months ago
#5350 defect closed duplicate (duplicate)
Elliptic Curve cryptography for public key authentication
| Reported by: | termim | Owned by: | z3p |
|---|---|---|---|
| Priority: | highest | Milestone: | |
| Component: | conch | Keywords: | ssh |
| Cc: | z3p, Thijs Triemstra, Maykel Moya | Branch: |
branches/ecdsa-keys-5350-1
branch-diff, diff-cov, branch-cov, buildbot |
| Author: | z3p |
Description
Once I connect to some host that supplies its public key in ecdsa I can't use twisted's conch.ssh anymore. It always raises BadKeyError:
2011-11-01 13:35:46-0400 [-] Log opened.
2011-11-01 13:35:46-0400 [-] Starting factory <twisted.conch.client.direct.SSHClientFactory instance at 0x105bf80>
2011-11-01 13:35:46-0400 [SSHClientTransport,client] kex alg, key alg: diffie-hellman-group-exchange-sha1 ssh-rsa
2011-11-01 13:35:46-0400 [SSHClientTransport,client] outgoing: aes256-cbc hmac-sha1 none
2011-11-01 13:35:46-0400 [SSHClientTransport,client] incoming: aes256-cbc hmac-sha1 none
2011-11-01 13:35:47-0400 [SSHClientTransport,client] Unhandled Error
Traceback (most recent call last):
File "/usr/lib64/python2.7/site-packages/twisted/python/log.py", line 84, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/lib64/python2.7/site-packages/twisted/python/log.py", line 69, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/lib64/python2.7/site-packages/twisted/python/context.py", line 118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/lib64/python2.7/site-packages/twisted/python/context.py", line 81, in callWithContext
return func(*args,**kw)
--- <exception caught here> ---
File "/usr/lib64/python2.7/site-packages/twisted/internet/selectreactor.py", line 146, in _doReadOrWrite
why = getattr(selectable, method)()
File "/usr/lib64/python2.7/site-packages/twisted/internet/tcp.py", line 460, in doRead
rval = self.protocol.dataReceived(data)
File "/usr/lib64/python2.7/site-packages/twisted/conch/ssh/transport.py", line 438, in dataReceived
self.dispatchMessage(messageNum, packet[1:])
File "/usr/lib64/python2.7/site-packages/twisted/conch/ssh/transport.py", line 453, in dispatchMessage
f(payload)
File "/usr/lib64/python2.7/site-packages/twisted/conch/ssh/transport.py", line 1182, in ssh_KEX_DH_GEX_REPLY
d = self.verifyHostKey(pubKey, fingerprint)
File "/usr/lib64/python2.7/site-packages/twisted/conch/client/direct.py", line 87, in verifyHostKey
fingerprint)
File "/usr/lib64/python2.7/site-packages/twisted/conch/client/default.py", line 74, in verifyHostKey
or os.path.expanduser("~/.ssh/known_hosts")
File "/usr/lib64/python2.7/site-packages/twisted/conch/client/knownhosts.py", line 417, in fromPath
entry = HashedEntry.fromString(line)
File "/usr/lib64/python2.7/site-packages/twisted/conch/client/knownhosts.py", line 253, in fromString
stuff, keyType, key, comment = _extractCommon(string)
File "/usr/lib64/python2.7/site-packages/twisted/conch/client/knownhosts.py", line 59, in _extractCommon
key = Key.fromString(keyString.decode('base64'))
File "/usr/lib64/python2.7/site-packages/twisted/conch/ssh/keys.py", line 81, in fromString
raise BadKeyError('cannot guess the type of %r' % data)
twisted.conch.ssh.keys.BadKeyError: cannot guess the type of '\x00\x00\x00\x13ecdsa-sha2-nistp256\x00\x00\x00\x08nistp256\x00\x00\x00A\x04j\x82Z\x88v\xad\xf9\xa3\xc4\x94\x19\xff\xc5\x81\x0e6\x7f\xaf\xce\xf5\xbbC\x1d\x8f\x99l\x99=\x95\xc9\x1f\x1e{\xb0\xb7:Z\x9fh7\x91\xa8lf\x03\xc2`x\x05\x1a\xadqV\x0f|\xa7 `2\x80\xda\x0f\x8e\x11'
2011-11-01 13:35:47-0400 [SSHClientTransport,client] connection lost
2011-11-01 13:35:47-0400 [SSHClientTransport,client] Stopping factory <twisted.conch.client.direct.SSHClientFactory instance at 0x105bf80>
Attachments (3)
Change History (20)
comment:1 Changed 6 years ago by
| Cc: | z3p added |
|---|
comment:2 Changed 6 years ago by
| Milestone: | regular-releases |
|---|
comment:3 follow-up: 4 Changed 6 years ago by
I filed #5530 recently, which may be related (or possibly a duplicate)
comment:4 Changed 6 years ago by
| Cc: | Thijs Triemstra added |
|---|
Attached test script generates a ValueError on an ECDSA private key:
$ ssh-keygen -b 521 -t ecdsa -f id_ecdsa_conch -N qwerty Generating public/private ecdsa key pair. Your identification has been saved in id_ecdsa_conch. Your public key has been saved in id_ecdsa_conch.pub. The key fingerprint is: 9c:36:91:fd:d5:f9:ee:92:55:65:49:3d:0a:d6:2a:8c The key's randomart image is: +--[ECDSA 521]---+ | . ..o| | o o . +=| | = o o oo+| | E = o o o| | S . . o| | . . ..| | o.| | o. | | ..| +-----------------+ $ python ecdsa.py id_ecdsa_conch qwerty
Traceback (most recent call last): File "ecdsa.py", line 13, in <module> key = Key.fromFile(fn, passphrase=phrase) File "/home/thijs/workspaces/opensource/software/twisted/svn/Twisted/trunk/twisted/conch/ssh/keys.py", line 62, in fromFile return Class.fromString(file(filename, 'rb').read(), type, passphrase) File "/home/thijs/workspaces/opensource/software/twisted/svn/Twisted/trunk/twisted/conch/ssh/keys.py", line 90, in fromString return method(data, passphrase) File "/home/thijs/workspaces/opensource/software/twisted/svn/Twisted/trunk/twisted/conch/ssh/keys.py", line 216, in _fromString_PRIVATE_OPENSSH keyData = DES3.new(decKey, DES3.MODE_CBC, iv).decrypt(b64Data) ValueError: IV must be 8 bytes long
Replying to cyli:
I filed #5530 recently, which may be related (or possibly a duplicate)
Can you try the attached script with your key?
comment:5 Changed 6 years ago by
Actually there are two bugs here
- missing support for ecdsa keys
- bug when reading knownhosts file
For the second a simpler one case I've opened another ticket #5616 (with a patch attached).
comment:6 Changed 6 years ago by
Can you attach an ECDSA key? I couldn't create one on OS X or on Debian.
comment:7 Changed 6 years ago by
| Owner: | set to z3p |
|---|
Attached the keys, generated like described in comment 4.
comment:8 Changed 6 years ago by
| Author: | → z3p |
|---|---|
| Branch: | → branches/ecdsa-keys-5350 |
(In [34683]) Branching to 'ecdsa-keys-5350'
comment:10 Changed 6 years ago by
| Status: | new → assigned |
|---|
Unfortunately at the moment, PyCrypto doesn't support ECDSA keys. I'm going to do some reading, though, and look into implementing it.
comment:11 Changed 5 years ago by
Does this key have a passphrase I can use? Alternatively, can you generate one which isn't encrypted?
comment:12 Changed 5 years ago by
Nevermind, I'm an idiot. It's in the command you generated it with.
comment:13 Changed 5 years ago by
| Branch: | branches/ecdsa-keys-5350 → branches/ecdsa-keys-5350-1 |
|---|
(In [34703]) Branching to 'ecdsa-keys-5350-1'
comment:14 Changed 5 years ago by
| Cc: | Maykel Moya added |
|---|
comment:15 Changed 4 years ago by
Hello, given the age of this report, would it be possible to catch this Exception in twisted.conch.ssh.userauth so that we refuse the key ?
This would prevent an unsupported key proposal to break the negociation process and proceed further to password auth, waiting for a better fix. Thanks!
comment:16 Changed 4 years ago by
Hello, given the age of this report, would it be possible to catch this Exception in twisted.conch.ssh.userauth so that we refuse the key ? This would prevent an unsupported key proposal to break the negociation process and proceed further to password auth, waiting for a better fix. Thanks!
Already done, I think: #5616. If you still have this problem with Twisted 12.1 or newer, please file a ticket explaining what's up. Thanks!
comment:17 Changed 14 months ago by
| Resolution: | → duplicate |
|---|---|
| Status: | assigned → closed |
The regular-releases milestone is for release automation related tasks.