
Re: Problem verifying known host with ecdsa-sha2-nistp256


It looks like this problem is due to an old version of OpenSSL installed
on my build machine.

- Doug


On Sat, Oct 25, 2014 at 8:41 AM, Doug Judd <doug@xxxxxxxxxxxxxx> wrote:

> Here's the SSH_LOG_PACKET logging output (libssh build of master branch,
> top commit is a48711ae7ef890c94e2a824afb899df385c406ee):
>
> [localhost] ssh_connect: libssh 0.6.0 (c) 2003-2014 Aris Adamantiadis,
> Andreas Schneider, and libssh contributors. Distributed under the LGPL,
> please refer to COPYING file for information about your rights, using
> threading threads_cpp
> [localhost] ssh_connect: Socket connecting, now waiting for the callbacks
> to work
> [localhost] ssh_socket_pollcallback: Received POLLOUT in connecting state
> [localhost] ssh_connect: current state : 2
> [localhost] callback_receive_banner: Received banner: SSH-2.0-OpenSSH_6.2
> [localhost] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
> [localhost] ssh_connect: current state : 4
> [localhost] ssh_packet_socket_callback: packet: read type 20
> [len=1540,padding=7,comp=1532,payload=1532]
> [localhost] ssh_packet_process: Dispatching handler for packet type 20
> [localhost] match_hashed_host: Matching a hashed host: localhost match=1
> [localhost] ssh_knownhosts_algorithms: server localhost:22 has
> ecdsa-sha2-nistp256 in known_hosts
> [localhost] ssh_client_select_hostkeys: No supported kex method for
> existing key in known_hosts file
> [localhost] packet_send2: packet: wrote
> [len=420,padding=6,comp=413,payload=413]
> [localhost] packet_send2: packet: wrote
> [len=268,padding=6,comp=261,payload=261]
> [localhost] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
> [localhost] ssh_connect: current state : 6
> [localhost] ssh_packet_socket_callback: packet: read type 31
> [len=828,padding=7,comp=820,payload=820]
> [localhost] ssh_packet_process: Dispatching handler for packet type 31
> [localhost] ssh_packet_dh_reply: Received SSH_KEXDH_REPLY
> [localhost] packet_send2: packet: wrote
> [len=12,padding=10,comp=1,payload=1]
> [localhost] ssh_client_dh_reply: SSH_MSG_NEWKEYS sent
> [localhost] ssh_packet_socket_callback: Processing 16 bytes left in socket
> buffer
> [localhost] ssh_packet_socket_callback: packet: read type 21
> [len=12,padding=10,comp=1,payload=1]
> [localhost] ssh_packet_process: Dispatching handler for packet type 21
> [localhost] ssh_packet_newkeys: Received SSH_MSG_NEWKEYS
> [localhost] crypt_set_algorithms2: Set output algorithm to aes256-ctr
> [localhost] crypt_set_algorithms2: Set HMAC output algorithm to hmac-sha1
> [localhost] crypt_set_algorithms2: Set input algorithm to aes256-ctr
> [localhost] crypt_set_algorithms2: Set HMAC output algorithm to hmac-sha1
> [localhost] ssh_packet_newkeys: Signature verified and valid
> [localhost] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
> [localhost] ssh_connect: current state : 7
> [localhost] match_hashed_host: Matching a hashed host: localhost match=1
> [localhost] ssh_is_server_known: ssh_is_server_known: server type
> [ssh-rsa] doesn't match the type [ecdsa-sha2-nistp256] in known_hosts file
> [localhost] ERROR Key mis-match with one in known_hosts
>
> On Sat, Oct 25, 2014 at 7:12 AM, Doug Judd <doug@xxxxxxxxxxxxxx> wrote:
>
>> I'm running into a problem where ssh_server_is_known() is returning
>> SSH_SERVER_FOUND_OTHER with a ecdsa-sha2-nistp256 key in the
>> ~/.ssh/known_hosts file.  The server is a relatively modern AWS Linux
>> machine.  When I ssh to localhost, a key of type ecdsa-sha2-nistp256 gets
>> written into the ~/.ssh/known_hosts file.  From thereafter, I can ssh to
>> localhost without it asking any questions.
>>
>> However, when I try to establish an ssh connection to localhost with my
>> program written with libssh (both 0.6.3 and trunk), ssh_server_is_known()
>> returns SSH_SERVER_FOUND_OTHER.  Stepping into this function, the key type
>> check on this line:
>>
>>       /* We got a match. Now check the key type */
>> =>    if (strcmp(session->current_crypto->server_pubkey_type, type) != 0) {
>>           SSH_LOG(SSH_LOG_PACKET,
>> fails.  The values for session->current_crypto->server_pubkey_type and
>> type are as follows:
>>
>> (gdb) p session->current_crypto->server_pubkey_type
>> $15 = 0x7ffff7bcb967 "ssh-rsa"
>> (gdb) p type
>> $16 = 0x7fffe4007f6d "ecdsa-sha2-nistp256"
>> Am I not setting up the session properly in my program, or is this a
>> problem with libssh?
>>
>> - Doug
>>
>>
>
>
> --
> Doug Judd
> CEO, Hypertable Inc.
>



-- 
Doug Judd
CEO, Hypertable Inc.
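Editor's note on the mechanism the log above shows, with a worked example. This is an added model written for this archive page, not libssh code and not Doug's program; the function names (hash_host, known_hostkey_types, order_hostkey_algorithms, is_server_known) and the sample known_hosts content are constructed for illustration. It mirrors the three steps visible in the SSH_LOG_PACKET output: match_hashed_host resolving an OpenSSH hashed entry (|1|salt|HMAC-SHA1), ssh_knownhosts_algorithms collecting the key types already on file for the host, and ssh_client_select_hostkeys trying to put one of those types first in the advertised host-key algorithm list. The log line "No supported kex method for existing key in known_hosts" is the case where the client build cannot offer any of the known types; the server then picks a type the client does support (ssh-rsa here), and ssh_is_server_known compares that against the ecdsa-sha2-nistp256 entry and returns SSH_SERVER_FOUND_OTHER. The practical caveat: FOUND_OTHER is not the same as "unknown host". libssh reports it separately because a server presenting a different key type than the one on file can also be a downgrade or man-in-the-middle attempt, so a client must not silently accept it; the right fix is what Doug found, a client build whose crypto backend supports the recorded key type. Only the plain port-22 host form is modelled (no [host]:port, @cert-authority or @revoked lines).

```python
"""Model of the libssh known_hosts checks discussed in the thread.

Constructed example, not libssh code. Names and sample data are illustrative.
"""
import base64
import hashlib
import hmac

# Result names follow ssh_is_server_known() in libssh 0.6.
SSH_SERVER_KNOWN_OK = "SSH_SERVER_KNOWN_OK"
SSH_SERVER_KNOWN_CHANGED = "SSH_SERVER_KNOWN_CHANGED"
SSH_SERVER_FOUND_OTHER = "SSH_SERVER_FOUND_OTHER"
SSH_SERVER_NOT_KNOWN = "SSH_SERVER_NOT_KNOWN"


def hash_host(host, salt):
    """OpenSSH HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern_field, host):
    """match_hashed_host equivalent: plain or hashed host patterns, comma separated."""
    for pat in pattern_field.split(","):
        if pat.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pat.split("|")
            got = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(got, base64.b64decode(mac_b64)):
                return True
        elif pat == host:
            return True
    return False


def known_host_entries(known_hosts_text, host):
    """Return (keytype, base64 key) for every known_hosts line matching host."""
    out = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # comments and @-marker lines are not modelled here
        fields = line.split()
        if len(fields) >= 3 and host_matches(fields[0], host):
            out.append((fields[1], fields[2]))
    return out


def known_hostkey_types(known_hosts_text, host):
    """ssh_knownhosts_algorithms equivalent: key types already on file for host."""
    return [ktype for ktype, _ in known_host_entries(known_hosts_text, host)]


def order_hostkey_algorithms(client_supported, known_types):
    """ssh_client_select_hostkeys equivalent: advertise a type we already trust first.

    Returns (ordered algorithm list, matched type or None). None is the
    "No supported kex method for existing key in known_hosts" situation.
    """
    for ktype in known_types:
        if ktype in client_supported:
            return [ktype] + [a for a in client_supported if a != ktype], ktype
    return list(client_supported), None


def is_server_known(known_hosts_text, host, server_pubkey_type, server_key_b64):
    """ssh_is_server_known equivalent, given the key type the server presented."""
    entries = known_host_entries(known_hosts_text, host)
    if not entries:
        return SSH_SERVER_NOT_KNOWN
    for ktype, key_b64 in entries:
        if ktype != server_pubkey_type:
            continue  # "server type [X] doesn't match the type [Y] in known_hosts file"
        if hmac.compare_digest(key_b64, server_key_b64):
            return SSH_SERVER_KNOWN_OK
        return SSH_SERVER_KNOWN_CHANGED
    return SSH_SERVER_FOUND_OTHER


# Constructed sample: a hashed localhost entry holding an ECDSA key (as the
# OpenSSH client wrote it in the thread) plus a plain entry for another host.
# The key blobs are placeholders, not real public keys.
_SALT = bytes(range(20))
ECDSA_BLOB = base64.b64encode(b"constructed-ecdsa-key-blob").decode()
RSA_BLOB = base64.b64encode(b"constructed-rsa-key-blob").decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    hash_host("localhost", _SALT) + " ecdsa-sha2-nistp256 " + ECDSA_BLOB,
    "example.test ssh-rsa " + RSA_BLOB,
])


def reproduce_thread():
    """Walk both client builds from the thread; returns (old verdict, new verdict, new algs)."""
    known = known_hostkey_types(SAMPLE_KNOWN_HOSTS, "localhost")
    # Build without ECDSA support: nothing on file can be advertised, server
    # falls back to ssh-rsa, and the type comparison fails.
    _, matched = order_hostkey_algorithms(["ssh-rsa", "ssh-dss"], known)
    assert matched is None
    verdict_old = is_server_known(SAMPLE_KNOWN_HOSTS, "localhost", "ssh-rsa", RSA_BLOB)
    # Build with ECDSA support: the known type is advertised first and matches.
    algs_new, _ = order_hostkey_algorithms(["ssh-rsa", "ecdsa-sha2-nistp256", "ssh-dss"], known)
    verdict_new = is_server_known(SAMPLE_KNOWN_HOSTS, "localhost", "ecdsa-sha2-nistp256", ECDSA_BLOB)
    return verdict_old, verdict_new, algs_new


if __name__ == "__main__":
    print(reproduce_thread())
```

Running it prints SSH_SERVER_FOUND_OTHER for the build that cannot offer ecdsa-sha2-nistp256 and SSH_SERVER_KNOWN_OK once the known type is advertised first. The hostkey_types list is what to log when debugging this class of failure: if the type on file for the host is absent from the client's own supported list, the FOUND_OTHER result is a client capability problem rather than a changed server key.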
