Ah, OK. In my testing, I had this in my server's /etc/ssh/sshd_config file to force use of ECDSA keys during my testing:

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

If I then logged into the server with *conch 192.168.1.2*, then having an ECDSA key in ~/.ssh/known_hosts worked fine and I could log in. Before the latest patches, the ECDSA keys were not being parsed properly and this never worked at all.

If I changed the config on the server to:

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

I got a bad host key error with conch, same as if I tried to log into buildbot.twistedmatrix.com.

I put this:

import pudb; pudb.set_trace()

on this line inside *_continue_KEX_ECDH_REPLY()*:

https://github.com/twisted/twisted/blob/trunk/src/twisted/conch/ssh/transport.py#L1671

What I then found was that on this line:

hostKey, pubKey, signature, packet = getNS(packet, 3)

the host key is an RSA key. Then this line in the same function:

d = self.verifyHostKey(hostKey, fingerprint)

tries to compare the hostKey for 192.168.1.2 (which is RSA) against the key in ~/.ssh/known_hosts, which is ECDSA. It then fails and returns a bad host key error.

I also get this problem when trying to do *conch buildbot.twistedmatrix.com*.

--
Craig

On Tue, Dec 20, 2016 at 5:13 PM, Glyph Lefkowitz <gl...@twistedmatrix.com> wrote:

> Here's buildbot's key:
>
> buildbot.twistedmatrix.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcw4pr6WdgDMw7PbkvsuEdCqKQTtpLYPGoe7qkuQucuexYBiCkO/BeoB0wANX2cVmxUP0llpYJQL4w3cAR0csA=
>
> I think you should be able to validate that even if you can't auth :)
>
> -g
>
> On Dec 20, 2016, at 4:54 PM, Craig Rodrigues <rodr...@crodrigues.org> wrote:
>
> I'm not sure. I was able to use conch to log into a box where the ECDSA key looked like this in my ~/.ssh/known_hosts
>
> 192.168.1.2 ecdsa-sha2-nistp256 XXXXXXXXXX
>
> --
> Craig
>
> On Tue, Dec 20, 2016 at 4:10 PM, Glyph Lefkowitz <gl...@twistedmatrix.com> wrote:
>
>> It works:
>>
>> $ conch twistedmatrix.com echo hooray
>> hooray
>> $ conch --version
>> Twisted version: 16.6.0dev0
>> $
>>
>> That's using an RSA host key though. It seems that the hosts I have using ECDSA keys (buildbot.twistedmatrix.com, for example) still don't work with conch. Is that expected at this point?
>>
>> -glyph
>>
>> On Dec 20, 2016, at 2:32 PM, Craig Rodrigues <rodr...@crodrigues.org> wrote:
>>
>> On Friday, December 2, 2016, Glyph Lefkowitz <gl...@twistedmatrix.com> wrote:
>>>
>>> I think there might be a regression in 16.6.0.
>>>
>>> For every version up to 16.6.0, I can do 'conch twistedmatrix.com' in a shell and it works fine.
>>>
>>
>> I believe that I have fixed this in trunk.
>> Can you try this with conch in trunk?
>>
>> This works for me in trunk:
>>
>> 1. Start with an empty ~/.ssh/known_hosts file, or one with an ECDSA key for myhost.com
>> 2. ssh myhost.com
>> 3. log out of myhost.com
>> 3. see that ~/.ssh/known_hosts contains an ECDSA host key for myhost.com
>> 4. conch myhost.com
>> 5. successfully log into myhost.com with conch
>>
>> Before the latest fixes, I would get a bad host key error in step 5.
>>
>> Many thanks to the0id and acabhishek942 for providing the ECDSA fixes to conch.
>>
>> --
>> Craig
_______________________________________________ Twisted-Python mailing list Twisted-Python@twistedmatrix.com http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
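As an added example (not code from this thread and not Twisted's own code), here is a stand-alone, stdlib-only Python sketch of the host-key check discussed above: it parses SSH length-prefixed strings the way the `getNS(packet, 3)` line does (`get_ns` here mirrors the shape of `twisted.conch.ssh.common.getNS` but is a re-implementation), reads the algorithm name off a host-key blob, computes an OpenSSH-style SHA256 fingerprint, and looks the host up in a known_hosts file. What it adds to the discussion is that the thread's situation (the server offers an RSA host key while known_hosts only records an ECDSA key for that host) can be told apart from a real key mismatch of the same type, and reported differently from a plain "bad host key". The ECDSA blob is the buildbot.twistedmatrix.com key posted above; the two `ssh-rsa` blobs, the 192.168.1.2 known_hosts entry and its salt are constructed for the example and are not real keys. Hashed host fields follow OpenSSH's HashKnownHosts layout (`|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`); `@cert-authority`/`@revoked` markers and wildcard host patterns are deliberately out of scope.

```python
import base64
import hashlib
import hmac
import struct

def put_ns(*fields):
    """Encode byte fields as SSH 'string's (RFC 4251: uint32 length, then bytes)."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

def get_ns(data, count=1):
    """Pull `count` SSH 'string's off the front of data and return them plus the
    remainder, the same shape as twisted.conch.ssh.common.getNS (re-implemented here)."""
    out = []
    for _ in range(count):
        if len(data) < 4:
            raise ValueError("truncated SSH string")
        (n,) = struct.unpack(">I", data[:4])
        if len(data) < 4 + n:
            raise ValueError("truncated SSH string")
        out.append(data[4:4 + n])
        data = data[4 + n:]
    return tuple(out) + (data,)

def mpint(n):
    """SSH mpint for a non-negative integer: minimal big-endian, sign bit clear."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + b if b and b[0] & 0x80 else b

def key_type(blob):
    """The first field of every SSH public-key blob is its algorithm name."""
    return get_ns(blob)[0].decode("ascii")

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a public-key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_host(host, salt):
    """OpenSSH HashKnownHosts field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """Match a known_hosts host field: comma-separated plain names or a hashed name."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")

def parse_known_hosts(text):
    """Yield (host_field, key_type, blob) for each plain entry in known_hosts text."""
    for line in text.splitlines():
        parts = line.split()
        # Skip blanks, comments and @cert-authority / @revoked markers (not handled here).
        if len(parts) < 3 or parts[0][0] in "#@":
            continue
        host_field, ktype, blob = parts[0], parts[1], base64.b64decode(parts[2])
        if key_type(blob) != ktype:
            raise ValueError("%s: type field %r disagrees with key blob" % (host_field, ktype))
        yield host_field, ktype, blob

def check_host_key(known_hosts, host, offered):
    """Classify the host key a server offered against a known_hosts file:
    'ok' (offered key is on file), 'mismatch' (same type on file but a different
    key: the real man-in-the-middle warning), 'type_not_recorded' (host known only
    by other key types: the thread's case, RSA offered with only ECDSA on file),
    or 'unknown' (no entry for this host)."""
    offered_type = key_type(offered)
    on_file = [(t, b) for f, t, b in parse_known_hosts(known_hosts) if host_matches(f, host)]
    if not on_file:
        return "unknown"
    same_type = [b for t, b in on_file if t == offered_type]
    if not same_type:
        return "type_not_recorded"
    if any(hmac.compare_digest(b, offered) for b in same_type):
        return "ok"
    return "mismatch"

# The buildbot.twistedmatrix.com host key exactly as posted in the thread.
BUILDBOT_ECDSA = base64.b64decode(
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcw4pr6"
    "WdgDMw7PbkvsuEdCqKQTtpLYPGoe7qkuQucuexYBiCkO/"
    "BeoB0wANX2cVmxUP0llpYJQL4w3cAR0csA="
)
# Constructed ssh-rsa blobs for the lab host (not real keys: e=65537, toy moduli).
LAB_RSA = put_ns(b"ssh-rsa", mpint(65537), mpint(0xC0FFEEDECAFF00DB1B51337))
OTHER_RSA = put_ns(b"ssh-rsa", mpint(65537), mpint(0xDEADBEEFCAFEBABE0BADF00D))

# Constructed known_hosts: buildbot by plain name, the lab box as a hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    "buildbot.twistedmatrix.com ecdsa-sha2-nistp256 " + base64.b64encode(BUILDBOT_ECDSA).decode(),
    hashed_host("192.168.1.2", b"\x01" * 20) + " ssh-rsa " + base64.b64encode(LAB_RSA).decode(),
])

if __name__ == "__main__":
    for host, blob in [("buildbot.twistedmatrix.com", LAB_RSA), ("192.168.1.2", OTHER_RSA)]:
        print(host, key_type(blob), fingerprint(blob), check_host_key(KNOWN_HOSTS, host, blob))
```

Running the file prints `type_not_recorded` for an RSA key offered by buildbot.twistedmatrix.com and `mismatch` for a wrong RSA key offered by 192.168.1.2. The distinction matters because the two cases call for different user messages; only the second is evidence of interception. The more robust fix in a client sits earlier in the exchange than this check: order the server_host_key_algorithms list it sends in KEXINIT so that key types already recorded in known_hosts come first, which is what OpenSSH does by default, so a server that has several host keys offers one the client can actually verify.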