> On Dec 20, 2016, at 5:50 PM, Craig Rodrigues <rodr...@crodrigues.org> wrote:
>
> Ah, OK. In my testing, I had this in my server's /etc/ssh/sshd_config file to force
> use of ECDSA keys during my testing:
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
> HostKey /etc/ssh/ssh_host_ecdsa_key
> HostKey /etc/ssh/ssh_host_ed25519_key
>
> If I then logged into the server with:
>
> conch 192.168.1.2
>
> then having an ecdsa key in ~/.ssh/known_hosts worked fine and I could log in.
> Before the latest patches, the ecdsa keys were not being parsed properly and
> this never worked at all.
>
> If I changed the config on the server to:
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
> #HostKey /etc/ssh/ssh_host_ed25519_key
>
> I got a bad host key error with conch, same as if I tried to log into
> buildbot.twistedmatrix.com.
> I put this:
>
> import pudb; pudb.set_trace()
>
> on this line inside _continue_KEX_ECDH_REPLY() :
> https://github.com/twisted/twisted/blob/trunk/src/twisted/conch/ssh/transport.py#L1671

Did you mean https://github.com/twisted/twisted/blob/71643ca93e024d33dba8de9eef149876554c2dd7/src/twisted/conch/ssh/transport.py#L1674 ?
> What I then found was that on this line:
>
> hostkey, pubKey, signature, packet = getNS(packet, 3)
>
> The host key is an RSA key. Then this line in the same function:
>
> d = self.verifyHostKey(hostKey, fingerprint)
>
> tries to compare the hostKey for 192.168.1.2 (which is RSA), against
> the key in ~/.ssh/known_hosts which is ecdsa. It then fails and returns a
> bad host key error.
>
> I also get this problem when trying to do conch buildbot.twistedmatrix.com

So... is this because buildbot.twistedmatrix.com has an RSA key as well, and when it offers it, our checking isn't correctly comparing the type before deciding that it doesn't match, or allowing for multiple keys?

I notice that if I manually add the RSA key and delete the ECDSA key it seems to work.

-g

> --
> Craig
>
> On Tue, Dec 20, 2016 at 5:13 PM, Glyph Lefkowitz <gl...@twistedmatrix.com> wrote:
> Here's buildbot's key:
>
> buildbot.twistedmatrix.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcw4pr6WdgDMw7PbkvsuEdCqKQTtpLYPGoe7qkuQucuexYBiCkO/BeoB0wANX2cVmxUP0llpYJQL4w3cAR0csA=
>
> I think you should be able to validate that even if you can't auth :)
>
> -g
>
>> On Dec 20, 2016, at 4:54 PM, Craig Rodrigues <rodr...@crodrigues.org> wrote:
>>
>> I'm not sure. I was able to use conch to log into a box where the ecdsa key
>> looked like this in my ~/.ssh/known_hosts
>>
>> 192.168.1.2 ecdsa-sha2-nistp256 XXXXXXXXXX
>>
>> --
>> Craig
>>
>> On Tue, Dec 20, 2016 at 4:10 PM, Glyph Lefkowitz <gl...@twistedmatrix.com> wrote:
>> It works:
>>
>> $ conch twistedmatrix.com echo hooray
>> hooray
>> $ conch --version
>> Twisted version: 16.6.0dev0
>> $
>>
>> That's using an RSA host key though.
>> It seems that the hosts I have using ECDSA keys (buildbot.twistedmatrix.com,
>> for example) still don't work with conch. Is that expected at this point?
>>
>> -glyph
>>
>>> On Dec 20, 2016, at 2:32 PM, Craig Rodrigues <rodr...@crodrigues.org> wrote:
>>>
>>> On Friday, December 2, 2016, Glyph Lefkowitz <gl...@twistedmatrix.com> wrote:
>>> I think there might be a regression in 16.6.0.
>>>
>>> For every version up to 16.6.0, I can do 'conch twistedmatrix.com' in a shell and it works fine.
>>>
>>> I believe that I have fixed this in trunk.
>>> Can you try this with conch in trunk?
>>>
>>> This works for me in trunk:
>>>
>>> 1. Start with an empty ~/.ssh/known_hosts file, or one with an ecdsa key for myhost.com
>>> 2. ssh myhost.com
>>> 3. log out of myhost.com
>>> 3. see that ~/.ssh/known_hosts contains an ecdsa host key for myhost.com
>>> 4. conch myhost.com
>>> 5. successfully log into myhost.com with conch
>>>
>>> Before the latest fixes, I would get a bad host key error in step 5.
>>>
>>> Many thanks to the0id and acabhishek942 for providing the ecdsa fixes to conch.
>>>
>>> --
>>> Craig
>>>
>>> _______________________________________________
>>> Twisted-Python mailing list
>>> Twisted-Python@twistedmatrix.com
>>> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
_______________________________________________ Twisted-Python mailing list Twisted-Python@twistedmatrix.com http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
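The failure mode discussed above (an ECDSA entry for a host in known_hosts, an RSA host key offered by the server, reported as a bad host key) can be illustrated with a small type-aware known_hosts check next to a type-blind one. This is an added example, not conch's own code; the key blobs, hostnames and known_hosts content are constructed and non-functional.

```python
import base64

def ssh_string(data):
    # SSH wire-format string: uint32 big-endian length followed by the bytes
    return len(data).to_bytes(4, "big") + data

def make_blob(keytype, *fields):
    # A public-key blob always starts with its key-type string, then the key fields
    return ssh_string(keytype.encode()) + b"".join(ssh_string(f) for f in fields)

def blob_key_type(blob):
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode()

# Constructed, non-functional key material (not real keys); hosts are examples.
ECDSA_BLOB = make_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x11" * 64)
RSA_BLOB = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x33" * 32)

# 192.168.1.2 is known only by an ECDSA key (the thread's scenario);
# myhost.example is known by both an RSA and an ECDSA key.
KNOWN_HOSTS = "\n".join(
    "%s %s %s" % (host, blob_key_type(blob), base64.b64encode(blob).decode())
    for host, blob in [("192.168.1.2", ECDSA_BLOB),
                       ("myhost.example", RSA_BLOB), ("myhost.example", ECDSA_BLOB)])

def parse_known_hosts(text):
    # Plain entries only: comments, @-marker lines and hashed (|1|) hosts are skipped
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|1|")):
            continue
        entries.append((fields[0].split(","), fields[1], base64.b64decode(fields[2])))
    return entries

def naive_check(entries, host, offered):
    # Type-blind: any stored key for the host that differs counts as a mismatch
    stored = [blob for hosts, _, blob in entries if host in hosts]
    if not stored:
        return "unknown-host"
    return "match" if offered in stored else "mismatch"

def check_host_key(entries, host, offered):
    # Type-aware: compare only against stored keys of the offered key's type
    ktype = blob_key_type(offered)
    for_host = [(kt, blob) for hosts, kt, blob in entries if host in hosts]
    same_type = [blob for kt, blob in for_host if kt == ktype]
    if offered in same_type:
        return "match"
    if same_type:
        return "mismatch"      # a stored key of this type differs: refuse
    return "unknown-type" if for_host else "unknown-host"  # known host, new key type / new host
```

With the ECDSA-only entry for 192.168.1.2, the type-blind check reports the offered RSA key as a mismatch, while the type-aware check reports that the host is known but not yet under this key type, which is the case a client should handle as a new key rather than as a bad one.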