Re: Problem verifying known host with ecdsa-sha2-nistp256
- Subject: Re: Problem verifying known host with ecdsa-sha2-nistp256
- From: Doug Judd <doug@xxxxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Sat, 25 Oct 2014 08:41:31 -0700
- To: libssh@xxxxxxxxxx
Here's the SSH_LOG_PACKET logging output (libssh build of master branch, top commit is a48711ae7ef890c94e2a824afb899df385c406ee):

[localhost] ssh_connect: libssh 0.6.0 (c) 2003-2014 Aris Adamantiadis, Andreas Schneider, and libssh contributors. Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_cpp
[localhost] ssh_connect: Socket connecting, now waiting for the callbacks to work
[localhost] ssh_socket_pollcallback: Received POLLOUT in connecting state
[localhost] ssh_connect: current state : 2
[localhost] callback_receive_banner: Received banner: SSH-2.0-OpenSSH_6.2
[localhost] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[localhost] ssh_connect: current state : 4
[localhost] ssh_packet_socket_callback: packet: read type 20 [len=1540,padding=7,comp=1532,payload=1532]
[localhost] ssh_packet_process: Dispatching handler for packet type 20
[localhost] match_hashed_host: Matching a hashed host: localhost match=1
[localhost] ssh_knownhosts_algorithms: server localhost:22 has ecdsa-sha2-nistp256 in known_hosts
[localhost] ssh_client_select_hostkeys: No supported kex method for existing key in known_hosts file
[localhost] packet_send2: packet: wrote [len=420,padding=6,comp=413,payload=413]
[localhost] packet_send2: packet: wrote [len=268,padding=6,comp=261,payload=261]
[localhost] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[localhost] ssh_connect: current state : 6
[localhost] ssh_packet_socket_callback: packet: read type 31 [len=828,padding=7,comp=820,payload=820]
[localhost] ssh_packet_process: Dispatching handler for packet type 31
[localhost] ssh_packet_dh_reply: Received SSH_KEXDH_REPLY
[localhost] packet_send2: packet: wrote [len=12,padding=10,comp=1,payload=1]
[localhost] ssh_client_dh_reply: SSH_MSG_NEWKEYS sent
[localhost] ssh_packet_socket_callback: Processing 16 bytes left in socket buffer
[localhost] ssh_packet_socket_callback: packet: read type 21 [len=12,padding=10,comp=1,payload=1]
[localhost] ssh_packet_process: Dispatching handler for packet type 21
[localhost] ssh_packet_newkeys: Received SSH_MSG_NEWKEYS
[localhost] crypt_set_algorithms2: Set output algorithm to aes256-ctr
[localhost] crypt_set_algorithms2: Set HMAC output algorithm to hmac-sha1
[localhost] crypt_set_algorithms2: Set input algorithm to aes256-ctr
[localhost] crypt_set_algorithms2: Set HMAC output algorithm to hmac-sha1
[localhost] ssh_packet_newkeys: Signature verified and valid
[localhost] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[localhost] ssh_connect: current state : 7
[localhost] match_hashed_host: Matching a hashed host: localhost match=1
[localhost] ssh_is_server_known: ssh_is_server_known: server type [ssh-rsa] doesn't match the type [ecdsa-sha2-nistp256] in known_hosts file
[localhost] ERROR Key mis-match with one in known_hosts

On Sat, Oct 25, 2014 at 7:12 AM, Doug Judd <doug@xxxxxxxxxxxxxx> wrote:

> I'm running into a problem where ssh_server_is_known() is returning
> SSH_SERVER_FOUND_OTHER with a ecdsa-sha2-nistp256 key in the
> ~/.ssh/known_hosts file. The server is a relatively modern AWS Linux
> machine. When I ssh to localhost, a key of type ecdsa-sha2-nistp256 gets
> written into the ~/.ssh/known_hosts file. From thereafter, I can ssh to
> localhost without it asking any questions.
>
> However, when I try to establish an ssh connection to localhost with my
> program written with libssh (both 0.6.3 and trunk), ssh_server_is_known()
> returns SSH_SERVER_FOUND_OTHER. Stepping into this function, the key type
> check on this line:
>
>       /* We got a match. Now check the key type */
> =>    if (strcmp(session->current_crypto->server_pubkey_type, type) != 0) {
>         SSH_LOG(SSH_LOG_PACKET,
>
> fails. The values for session->current_crypto->server_pubkey_type and
> type are as follows:
>
> (gdb) p session->current_crypto->server_pubkey_type
> $15 = 0x7ffff7bcb967 "ssh-rsa"
> (gdb) p type
> $16 = 0x7fffe4007f6d "ecdsa-sha2-nistp256"
>
> Am I not setting up the session properly in my program, or is this a
> problem with libssh?
>
> - Doug
>

--
Doug Judd
CEO, Hypertable Inc.
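
Added example, not part of the original message and not libssh code: a Python triage of the three libssh log messages in the trace above that bear on the host-key type (the known_hosts type, the "No supported kex method" notice, and the type mismatch). The function names and verdict labels are assumptions of this example; the sample lines are taken from the trace.

```python
import re

# Patterns for the three libssh log messages that appear in the trace above.
STORED = re.compile(r"ssh_knownhosts_algorithms: server (\S+) has (\S+) in known_hosts")
DROPPED = re.compile(r"ssh_client_select_hostkeys: No supported kex method for existing key")
MISMATCH = re.compile(r"server type \[([^\]]+)\] doesn't match the type \[([^\]]+)\] in known_hosts")

# Sample input: the relevant lines from the trace in the post.
SAMPLE_LOG = """\
[localhost] ssh_knownhosts_algorithms: server localhost:22 has ecdsa-sha2-nistp256 in known_hosts
[localhost] ssh_client_select_hostkeys: No supported kex method for existing key in known_hosts file
[localhost] ssh_packet_newkeys: Signature verified and valid
[localhost] ssh_is_server_known: ssh_is_server_known: server type [ssh-rsa] doesn't match the type [ecdsa-sha2-nistp256] in known_hosts file
"""

def triage(log_text):
    """Summarise host-key type findings from libssh SSH_LOG_PACKET output.

    Searches the whole text rather than line by line, so it also works when
    the log has been run together onto a single line.
    """
    stored = {}
    for host, key_type in STORED.findall(log_text):
        stored.setdefault(host, []).append(key_type)
    mismatch = MISMATCH.search(log_text)
    return {
        "stored": stored,  # host:port -> key types found in known_hosts
        "preference_dropped": DROPPED.search(log_text) is not None,
        "presented": mismatch.group(1) if mismatch else None,
        "expected": mismatch.group(2) if mismatch else None,
    }

def verdict(findings):
    """Classify the findings (labels are this example's own, not libssh's)."""
    if findings["presented"] is None:
        return "no-type-mismatch"
    stored_types = {t for types in findings["stored"].values() for t in types}
    if findings["preference_dropped"] and findings["expected"] in stored_types:
        # Both messages are present, as in the trace above: the client logged
        # that it had no supported method for the stored key type, and the
        # server then presented a key of a different type.
        return "mismatch-after-dropped-preference"
    return "type-mismatch"

if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    print(verdict(findings), findings)
```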