Bug 270322

Summary: SFTP fails to verify host keys of type ECDSA
Product: [Unmaintained] kio Reporter: Massimiliano Torromeo <massimiliano.torromeo>
Component: sftpAssignee: Andreas Schneider <asn>
Status: RESOLVED UPSTREAM    
Severity: normal CC: adam, afiestas, amrecio, bernard.gray, craig.magina, dantti12, emrecio, hugo.costelha, info, info, javier, joshua, kairo, kde, lukas.schneiderbauer, madcatx, neclimdul, nico.kruber, octavsly, oss, pascal
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Arch Linux   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Massimiliano Torromeo 2011-04-07 14:49:23 UTC
Version:           4.6 (using KDE 4.6.2) 
OS:                Linux

With openssh version 5.8, ssh keys of type ECDSA have been implemented.
When I first connect to an SSH server with ECDSA public keys, this key is added to known_hosts, and consequently it must be verified in all subsequent connections.

KDE's KIO_SFTP fails to verify such keys, while the ssh command line program works perfectly.

The workaround is to add a different ssh host key to the known_hosts file. This could be achieved by making the first connection to the SSH server specifying a different host key algorithm:
$> ssh -o HostKeyAlgorithms=ssh-rsa root@host

After doing this, everything works as expected.

Reproducible: Always

Steps to Reproduce:
1. Connect for the first time to an SSH server with openssh version >= 5.8.
2. Copy a file with the sftp kio slave:
  $> kioclient copy sftp://HOST:test.txt .

Actual Results:  
Host key fails verification

Expected Results:  
The file should be copied from the remote server
Comment 1 Andreas Schneider 2011-04-08 11:10:52 UTC
Thanks for taking the time to report a bug.

As kio_sftp is using libssh and this is not supported by libssh, please report the bug upstream at http://red.libssh.org/
Comment 2 Andreas Schneider 2011-05-26 15:05:45 UTC
*** Bug 274170 has been marked as a duplicate of this bug. ***
Comment 3 Bernard Gray 2011-05-27 04:00:34 UTC
Hi - apologies for creating the duplicate, but there is an issue with your bugtracker search. 
The keywords I searched on were in a variety of combinations:
known_hosts
ecdsa
kio
sftp

All these words are contained in this report, but the search did not return this one.
Comment 4 Andreas Schneider 2011-06-13 21:38:42 UTC
ECDH support has been added to libssh. This will be available with libssh 0.6.
Comment 5 Robert Kaiser 2012-05-25 17:10:25 UTC
The problem is just that libssh 0.6 hasn't shipped yet, and given that the project hasn't been shipping anything for some time while ECDSA host keys are growing more and more common, this situation is quite unsatisfactory. :(
Comment 6 Andreas Schneider 2012-05-28 17:30:11 UTC
I'm just a human and my spare time is limited, so I don't have the time to work on libssh right now.
Comment 7 James Gilliland 2012-06-07 02:31:11 UTC
@Andreas, sorry to hear that. Balancing life and free software is a difficult task; as a fellow open source developer I can definitely sympathize.

From a pragmatic point of view, should we consider re-opening the KDE issue if upstream isn't able to make a release? Maybe there is some stopgap we could provide that could help users understand why they can't connect and how to fix it? Also, I almost don't want to say it, but is there maybe another library KDE should consider using?

It'd be nice to get it moving toward a solution, or at least providing some insight into what's going on would go a long way, I think. Thanks!
Comment 8 Daniel Nicoletti 2012-07-31 03:27:43 UTC
Just a tip for users (like me) that ran into this problem:
ssh-keygen -F hostname.which.fails
will give you
# Host hostname.which.fails found: line 10 type ECDSA
Open your known_hosts file, delete line 10, and now connect for the first time
from Dolphin.
SFTP is way better than fish (which can't copy large files here)
I just hope Andreas finds time to do a bug fix release soon :D
Best
Comment 9 Adam Porter 2012-09-25 21:44:55 UTC
Thank you for that, Daniel.

Should this bug really be resolved as upstream?  KDE could work around this bug in the meantime, and I wonder if it indeed should.

At the very least, the error message needs to be rewritten so that it is actually accurate and useful.  The workaround could be referenced in some way.
Comment 10 Arne K. Haaje 2012-10-12 09:25:15 UTC
Confirming the bug still exists in KDE 4.9.2 with Kubuntu 12.04.

This is another workaround that saves you from removing the dsa key:

ssh-keyscan -t rsa host.that.fails >> .ssh/known_hosts

Connecting with the SFTP KIO-slave works immediately after that.
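Comments 8 and 10 above describe the known_hosts housekeeping that made kio_sftp usable again: finding which line holds the ECDSA key for a host (`ssh-keygen -F`) and making sure the file also carries a non-ECDSA key for that host. The Python script below is an added example, not code from this bug report, from KDE or from libssh. It parses a known_hosts file (including hashed `|1|salt|hash` entries, which `ssh-keygen -F` resolves with the same HMAC-SHA1 construction), reports the key types stored for a host in the style of the `ssh-keygen -F` output quoted in comment 8, and flags hosts whose only stored keys are ECDSA, which is exactly the state a client without ECDSA support cannot verify. The sample known_hosts content, the hostnames, the salt and the key blobs are constructed for this example; the blobs are placeholders, not real keys.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class KnownHostEntry:
    """One non-comment line of a known_hosts file."""
    line_no: int
    marker: Optional[str]   # "@revoked" / "@cert-authority" or None
    hosts: str              # comma-separated host patterns, possibly hashed
    key_type: str           # e.g. "ecdsa-sha2-nistp256", "ssh-rsa"
    key_blob: str           # base64 public key; not decoded in this example


def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Build an OpenSSH hashed host pattern: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _pattern_matches(pattern: str, name: str) -> bool:
    """Match one host pattern against a name. Hashed patterns are checked with HMAC-SHA1.
    Wildcards (*, ?) and negations (!) are deliberately not implemented here."""
    if pattern.startswith("|1|"):
        parts = pattern.split("|")          # ['', '1', salt_b64, hash_b64]
        if len(parts) != 4:
            return False
        try:
            salt = base64.b64decode(parts[2])
            expected = base64.b64decode(parts[3])
        except ValueError:                  # binascii.Error is a ValueError subclass
            return False
        actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return pattern.lower() == name.lower()


def parse_known_hosts(text: str) -> List[KnownHostEntry]:
    """Parse known_hosts text; blank, comment and malformed lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue
        entries.append(KnownHostEntry(line_no, marker, fields[0], fields[1], fields[2]))
    return entries


def find_host(entries: List[KnownHostEntry], hostname: str, port: int = 22) -> List[KnownHostEntry]:
    """Return the plain (unmarked) entries matching hostname, like `ssh-keygen -F`.
    Non-default ports are stored as [host]:port, so the lookup name is built the same way."""
    name = hostname if port == 22 else "[%s]:%d" % (hostname, port)
    return [e for e in entries
            if e.marker is None and any(_pattern_matches(p, name) for p in e.hosts.split(","))]


def only_ecdsa_keys(entries: List[KnownHostEntry], hostname: str, port: int = 22) -> bool:
    """True when the host is known but every stored key is ECDSA, i.e. a client
    without ECDSA support has nothing it can verify the host against."""
    found = find_host(entries, hostname, port)
    return bool(found) and all(e.key_type.startswith("ecdsa-sha2-") for e in found)


def key_type_label(key_type: str) -> str:
    """Short label as printed by `ssh-keygen -F` (RSA, DSA, ED25519, ECDSA)."""
    if key_type.startswith("ecdsa-sha2-"):
        return "ECDSA"
    return {"ssh-rsa": "RSA", "ssh-dss": "DSA", "ssh-ed25519": "ED25519"}.get(key_type, key_type)


def describe_host(entries: List[KnownHostEntry], hostname: str, port: int = 22) -> List[str]:
    """One report line per matching entry, in the format shown in comment 8."""
    return ["# Host %s found: line %d type %s" % (hostname, e.line_no, key_type_label(e.key_type))
            for e in find_host(entries, hostname, port)]


# Constructed sample file (not from the bug report). Blobs are placeholder base64, not real keys.
_SALT = bytes(range(20))  # fixed salt so the hashed line is reproducible
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "host.that.fails ecdsa-sha2-nistp256 QUFBQVBMQUNFSE9MREVS",
    "[other.example]:2222,10.0.0.5 ssh-rsa QUFBQVBMQUNFSE9MREVS",
    hashed_host_entry("hashed.example", _SALT) + " ssh-ed25519 QUFBQVBMQUNFSE9MREVS",
    "@revoked host.that.fails ssh-rsa QUFBQVBMQUNFSE9MREVS",  # revoked keys do not count
])


if __name__ == "__main__":
    known = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for line in describe_host(known, "host.that.fails"):
        print(line)
    if only_ecdsa_keys(known, "host.that.fails"):
        print("host.that.fails has only ECDSA keys stored; a non-ECDSA client cannot verify it")
```

On a real system, pass the contents of `~/.ssh/known_hosts` to `parse_known_hosts`. The revoked RSA line in the sample is skipped on purpose: a revoked or certificate-authority entry is not a key the client can verify a plain host key against, so `only_ecdsa_keys` still reports the host as ECDSA-only.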
Comment 11 Andreas Schneider 2012-10-12 10:22:59 UTC
I'm working to get a new release out.

https://test.libssh.org/index.php?project=libssh

We're getting closer ...
Comment 12 Andreas Schneider 2012-11-19 09:38:19 UTC
*** Bug 310281 has been marked as a duplicate of this bug. ***
Comment 13 Alex Fiestas 2013-01-12 21:09:04 UTC
Hey Andreas, is there any commit distributions can backport to get this fixed?

Thanks.
Comment 14 Reuben 2013-02-09 13:33:18 UTC
*** This bug has been confirmed by popular vote. ***
Comment 15 Andreas Schneider 2013-02-13 15:15:21 UTC
I'm sorry, you can't simply backport patches. The PKI has been completely rewritten to support ECDSA. We are currently working on timeout fixes and some changes in the server part of libssh and hope to get libssh 0.6 out of the door pretty soon.

The only thing distributions could do is to package the current libssh master tree. It should be pretty stable, we've written a lot of unit tests for the stuff.
Comment 16 Vadim A. Misbakh-Soloviov (mva) 2013-03-09 15:16:49 UTC
Hi, Andreas!
I've just found this bug while googling for that problem. As you said, I've installed the current libssh master tree snapshot and get the following error in Dolphin:
«
Error. Out of memory.
Could not set a timeout.
»

I have >8G of free memory (16G total), so this OOM error is definitely strange.
Comment 17 Andreas Schneider 2013-03-14 06:46:29 UTC
Vadim, please open a new bug report and attach a log file of kio_sftp.

See http://techbase.kde.org/Development/Tutorials/Debugging/Debugging_IOSlaves/Debugging_kio_sftp
Comment 18 Andreas Schneider 2013-05-06 08:16:43 UTC
*** Bug 319117 has been marked as a duplicate of this bug. ***
Comment 19 Andreas Schneider 2013-05-29 05:58:51 UTC
*** Bug 319937 has been marked as a duplicate of this bug. ***
Comment 20 Andreas Schneider 2013-08-08 16:14:10 UTC
FYI: I've released libssh 0.6.0rc1 with ECDSA and ECDH support.

http://www.libssh.org/2013/08/07/libssh-0-6-0rc1/
Comment 21 Alex Fiestas 2013-08-08 17:17:11 UTC
Awesome! Thanks for the heads-up, Andreas!
Comment 22 madcatx 2013-09-20 14:13:09 UTC
I just tried to update to libssh 0.6rc1 and although there appears to be some progress, I still cannot connect to my server, which uses an ECDSA key for verification. My key is password-protected and Dolphin prompts me for the password, but it is always evaluated as invalid (yes, I am sure that the login info is correct). I got some debug messages from Dolphin but they don't seem to be very helpful. Is there any way I can investigate this further?

---
dolphin(5920)/kurifilter (plugins) KShortUriFilter::filterUri: "sftp://prifuk@prifuk.cz"
dolphin(5920)/kurifilter KUriFilterPlugin::setFilteredUri: Got filtered to: KUrl("sftp://prifuk@prifuk.cz")
dolphin(5920)/kurifilter (plugins) KUriSearchFilter::filterUri: "sftp://prifuk@prifuk.cz"
dolphin(5920)/kfile (kdelibs) KUrlComboBox::urls: ::urls()
dolphin(5920)/kio (KDirListerCache) KDirListerCache::stopListingUrl: KFileItemModelDirLister(0x25f8b00)  url= KUrl("file:///home/madcat")
dolphin(5920)/kio (KDirListerCache) KDirListerCache::forgetDirs: KFileItemModelDirLister(0x25f8b00) item moved into cache: KUrl("file:///home/madcat")
dolphin(5920)/kio (KDirListerCache) KDirListerCache::listDir: Listing directory: KUrl("sftp://prifuk@prifuk.cz")
dolphin(5920)/kio (Scheduler) KIO::SchedulerPrivate::doJob: KIO::SimpleJob(0x3a1c460)
dolphin(5920)/kio (Scheduler) KIO::SchedulerPrivate::protoQ: creating ProtoQueue instance for "sftp"
dolphin(5920)/kio (Scheduler) KIO::ProtoQueue::ProtoQueue: m_maxConnectionsTotal: 20 m_maxConnectionsPerHost: 5
dolphin(5920)/kio (Slave) KIO::Slave::createSlave: createSlave "sftp" for KUrl("sftp://prifuk@prifuk.cz")
dolphin(5920)/kio (KIOConnection) KIO::ConnectionServer::listenForRemote: Listening on  "local:/tmp/ksocket-madcat/dolphinPR5920.slave-socket"
dolphin(5920)/kio (Scheduler) KIO::SchedulerPrivate::doJob: KIO::SimpleJob(0x29b87d0)
dolphin(5920)/kio (Slave) KIO::Slave::createSlave: createSlave "sftp" for KUrl("sftp://prifuk@prifuk.cz")
dolphin(5920)/kio (KIOConnection) KIO::ConnectionServer::listenForRemote: Listening on  "local:/tmp/ksocket-madcat/dolphinFn5920.slave-socket"
Comment 23 Andreas Schneider 2013-09-25 10:00:54 UTC
https://red.libssh.org/issues/118
Comment 24 Andreas Schneider 2013-11-01 17:56:39 UTC
Just to make it clear: the original bug report is about ECDH.

Comment #22 and comment #23 are about ECDSA private keys. These are different things.