On 2/14/14, 2:41 PM, Alan Dunn wrote:
> For what it's worth, the attached patch should fix the missing
> option (and remove some duplication in the key option code).
>
> However, when patching samplesshd to use an ECDSA key, I get
> "ssh_handle_key_exchange: Could not get the public key from the
> private key". I suspect this is because if you look in pki_key_dup in
> pki_crypto.c it does not set a private key's ecdsa_nid, then the key
> is duplicated in bind.c (in ssh_bind_accept_fd), and then later
> pki_key_dup expects ecdsa_nid to be set in "demotion to a public key".
> However, correcting this, I then get a signature failure on the
> client end during a (ECDH) key exchange (using an OpenSSH client).
Interesting timing -- FWIW, I had the exact same experience yesterday, getting a little further with the fix to pki_key_dup, but ultimately hit a failure for an OpenSSH client to validate the ECDSA signature sent back by libssh. My experience with ECDSA client keys so far has been good -- signature validation seems to work for me in that path. I'd guess this is a bug specific to the host key paths.

-Jon
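
The failure mode Alan describes (a duplicate routine that skips one field, and a later "demote to public key" step that depends on that field) modelled as an added example. This is constructed illustration code, not libssh's real structures, `pki_key_dup`, or any libssh API: the `struct key`, `key_dup`, `key_demote`, `hostkey_path` and the `NID_P256` value are all stand-ins chosen for the demonstration. The buggy and fixed duplicate paths sit side by side so the host-key sequence (load private key, dup on accept, demote for the key exchange) can be traced through both.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the bug reported above. None of these names or
 * layouts are libssh's own; they only reproduce the shape of the failure:
 * a dup routine that forgets ecdsa_nid on private keys, and a later
 * demotion-to-public-key step that refuses to work without it. */

enum key_type { KEY_RSA = 1, KEY_ECDSA = 2 };

#define NID_UNSET 0
#define NID_P256  415   /* stand-in curve id; value assumed for the example */

struct key {
    enum key_type type;
    int  ecdsa_nid;      /* curve id, needed to rebuild the public key */
    bool has_private;
};

/* Full duplicate, as the accept path would do it. With fixed == false the
 * curve id is only carried for public keys (the bug); with fixed == true it
 * is always carried for ECDSA keys. */
static struct key *key_dup(const struct key *src, bool fixed)
{
    struct key *dst = calloc(1, sizeof *dst);
    if (dst == NULL)
        return NULL;
    dst->type = src->type;
    dst->has_private = src->has_private;
    if (src->type == KEY_ECDSA && (fixed || !src->has_private))
        dst->ecdsa_nid = src->ecdsa_nid;   /* bug: skipped for private keys */
    return dst;
}

/* Demotion to a public key: an ECDSA key with no curve id cannot be
 * demoted, which is where the "Could not get the public key from the
 * private key" error in the report would surface. */
static struct key *key_demote(const struct key *src)
{
    if (src->type == KEY_ECDSA && src->ecdsa_nid == NID_UNSET)
        return NULL;
    struct key *pub = calloc(1, sizeof *pub);
    if (pub == NULL)
        return NULL;
    pub->type = src->type;
    pub->ecdsa_nid = src->ecdsa_nid;
    pub->has_private = false;
    return pub;
}

/* Host-key path: private key -> dup on accept -> demote for the KEX.
 * Returns the curve id the public key ends up with, or -1 on failure. */
int hostkey_path(bool fixed)
{
    struct key priv = { KEY_ECDSA, NID_P256, true };
    struct key *dup = key_dup(&priv, fixed);
    if (dup == NULL)
        return -1;
    struct key *pub = key_demote(dup);
    int nid = (pub != NULL) ? pub->ecdsa_nid : -1;
    free(pub);
    free(dup);
    return nid;
}
```

Tracing `hostkey_path(false)` reproduces the first error in the report (the demotion fails because the duplicate lost its curve id); `hostkey_path(true)` gets past it. The second problem Alan and Jon both hit, the OpenSSH client rejecting the ECDSA host signature, lies past this point and is not modelled here.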
