[needs-packaging] libssh needs to be updated in order for kio-sftp to support ECDSA

Bug #1176970 reported by Craig Magina
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone
Libssh | Won't Fix | Medium | |
libssh (Ubuntu) | Fix Released | Wishlist | Unassigned |

Bug Description

Currently, when using dolphin to connect to a remote system over sftp, it will fail due to an issue with the host key. The problem is that ssh now uses ECDSA and the older version of libssh does not support that. There has not been a new official release of libssh, but the maintainer recommends packaging master to resolve this issue.

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: libssh-4 0.5.3-1ubuntu1
ProcVersionSignature: Ubuntu 3.8.0-19.30-generic 3.8.8
Uname: Linux 3.8.0-19-generic x86_64
ApportVersion: 2.9.2-0ubuntu8
Architecture: amd64
Date: Mon May 6 11:25:20 2013
EcryptfsInUse: Yes
InstallationDate: Installed on 2013-05-01 (5 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
MarkForUpload: True
SourcePackage: libssh
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
In , Massimiliano Torromeo (massimiliano-torromeo) wrote :

Version: 4.6 (using KDE 4.6.2)
OS: Linux

With openssh version 5.8, ssh keys of type ECDSA have been implemented.
When I first connect to an SSH server with ECDSA public keys, this key is added to known_hosts, and consequently it must be verified in all subsequent connections.

KDE's KIO_SFTP fails to verify such keys, while the ssh command line program works perfectly.

The workaround is to add a different ssh host key to the known_hosts file. This could be achieved by making the first connection to the SSH server specifying a different host key algorithm:
$> ssh -o HostKeyAlgorithms=ssh-rsa root@host

After doing this, everything works as expected.

Reproducible: Always

Steps to Reproduce:
1. Connect for the first time to an SSH server with openssh version >= 5.8.
2. Copy a file with the sftp kio slave:
  $> kioclient copy sftp://HOST:test.txt .

Actual Results:
Host key fails verification

Expected Results:
The file should be copied from the remote server

Revision history for this message
In , 3-asn (3-asn) wrote :

Thanks for taking the time to report a bug.

As kio_sftp is using libssh and this is not supported by libssh, please report the bug upstream at http://red.libssh.org/

Revision history for this message
In , 3-asn (3-asn) wrote :

*** Bug 274170 has been marked as a duplicate of this bug. ***

Revision history for this message
In , cleary (bernard-gray) wrote :

Hi - apologies for creating the duplicate, but there is an issue with your bugtracker search.
The keywords I searched on were in a variety of combinations:
known_hosts
ecdsa
kio
sftp

All these words are contained in this report, but the search did not return this one.

Revision history for this message
In , 3-asn (3-asn) wrote :

ECDH support has been added to libssh. This will be available with libssh 0.6.

Revision history for this message
In , Kairo-kairo (kairo-kairo) wrote :

The problem is just that libssh 0.6 hasn't shipped yet, and given that the project hasn't been shipping anything for some time but ECDSA host keys are growing more and more, this situation is quite unsatisfactory. :(

Revision history for this message
In , 3-asn (3-asn) wrote :

I'm just a human and my spare time is limited so I don't have the time to work on libssh right now.

Revision history for this message
In , NecLimDul (neclimdul) wrote :

@Andreas sorry to hear that. Balancing life and free software is a difficult task, as a fellow open source developer I can definitely sympathize.

From a pragmatic point of view, should we consider re-opening the KDE issue if upstream isn't able to make a release? Maybe there is some stop gap we could provide that could help users understand why they can't connect and how to fix it? Also, I almost don't want to say it, but is there maybe another library KDE should consider using?

It'd be nice to get it moving toward a solution, or at least providing some insight into what's going on would go a long way, I think. Thanks!

Revision history for this message
In , Daniel Nicoletti (dantti) wrote :

Just a tip for users (like me) that ran into this problem:
ssh-keygen -F hostname.which.fails
will give you
# Host hostname.which.fails found: line 10 type ECDSA
Open your known hosts file, delete line 10, and now connect first from dolphin.
SFTP is way better than fish (which can't copy large files here).
I just hope Andreas finds time to do a bug fix release soon :D
Best

Revision history for this message
In , Adam Porter (alphapapa) wrote :

Thank you for that, Daniel.

Should this bug really be resolved as upstream? KDE could work around this bug in the meantime, and I wonder if it indeed should.

At the very least, the error message needs to be rewritten so that it is actually accurate and useful. The workaround could be referenced in some way.

Revision history for this message
In , Arne K. Haaje (a-arne) wrote :

Confirming the bug still exists in KDE 4.9.2 with Kubuntu 12.04.

This is another workaround that saves you from removing the dsa key:

ssh-keyscan -t rsa host.that.fails >> .ssh/known_hosts

Connecting with SFTP KIO-slave works immediately after that.
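
The two workaround comments above both start from knowing which known_hosts entries are ECDSA-only. The following added example (not part of the original thread, and not libssh or KDE code) lists the hosts in an unhashed known_hosts file that have only ECDSA keys recorded. The function names, host names and key blobs are constructed placeholders; hashed entries are skipped and still need `ssh-keygen -F` as shown above.

```shell
#!/bin/sh
# Added example: find hosts whose only recorded host keys are ECDSA, i.e. the
# entries that a libssh without ECDSA support cannot verify.
# Real use: ecdsa_only_hosts ~/.ssh/known_hosts

# ecdsa_only_hosts [FILE] -> one host per line, sorted; reads stdin if no FILE
ecdsa_only_hosts() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
        {
            f = ($1 ~ /^@/) ? 2 : 1               # skip @cert-authority/@revoked marker
            hosts = $f; type = $(f + 1)
            if (substr(hosts, 1, 3) == "|1|") next  # hashed name: not recoverable here
            n = split(hosts, h, ",")              # "name,ip" lists share one key
            for (i = 1; i <= n; i++) {
                seen[h[i]] = 1
                if (type !~ /^ecdsa-sha2-/) other[h[i]] = 1
            }
        }
        END { for (k in seen) if (!(k in other)) print k }
    ' ${1:+"$1"} | sort
}

# Constructed sample data; the key blobs are placeholders, not real keys.
sample_known_hosts() {
    cat <<'EOF'
# constructed sample
alpha.example.test ecdsa-sha2-nistp256 AAAAplaceholder1
beta.example.test,192.0.2.10 ecdsa-sha2-nistp256 AAAAplaceholder2
beta.example.test,192.0.2.10 ssh-rsa AAAAplaceholder3
gamma.example.test ssh-rsa AAAAplaceholder4
|1|c2FsdA==|aGFzaA== ecdsa-sha2-nistp256 AAAAplaceholder5
EOF
}

# Demo on the constructed sample.
sample_known_hosts | ecdsa_only_hosts
```

`ssh-keyscan` appends whatever key the network returns, so the fingerprint of an RSA key added that way (shown by `ssh-keygen -l -f`) should be compared with one obtained from the server itself.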

Revision history for this message
In , 3-asn (3-asn) wrote :

I'm working to get a new release out.

https://test.libssh.org/index.php?project=libssh

We're getting closer ...

Revision history for this message
In , 3-asn (3-asn) wrote :

*** Bug 310281 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Alex Fiestas (afiestas) wrote :

Hey Andreas, is there any commit distributions can backport to get this fixed?

Thanks.

Revision history for this message
In , Reuben Peterkin (reuben-p) wrote :

*** This bug has been confirmed by popular vote. ***

Revision history for this message
In , 3-asn (3-asn) wrote :

I'm sorry, you can't simply backport patches. The PKI has been completely rewritten to support ECDSA. We are currently working on timeout fixes and some changes in the server part of libssh and hope to get libssh 0.6 out of the door pretty soon.

The only thing distributions could do is to package the current libssh master tree. It should be pretty stable, we've written a lot of unit tests for the stuff.

Revision history for this message
In , Vadim A. Misbakh-Soloviov (mva) wrote :

Hi, Andreas!
I've just found this bug while googling for that problem. As you said, I've installed current libssh's master tree snapshot and got the following error in dolphin:
«
Error. Out of memory.
Could not set a timeout.
»

I have >8G free memory (16G total), so this OOM error is definitely strange.

Revision history for this message
In , 3-asn (3-asn) wrote :

Vadim. Please open a new bug report and attach a log file of kio_sftp.

See http://techbase.kde.org/Development/Tutorials/Debugging/Debugging_IOSlaves/Debugging_kio_sftp

Revision history for this message
In , 3-asn (3-asn) wrote :

*** Bug 319117 has been marked as a duplicate of this bug. ***

Revision history for this message
Craig Magina (craig.magina) wrote :
tags: added: needs-packaging
Changed in libssh:
importance: Unknown → Medium
status: Unknown → Won't Fix
Revision history for this message
Brian Murray (brian-murray) wrote : Re: libssh needs to be updated in order for kio-sftp to support ECDSA

*** This is an automated message ***

This bug is tagged needs-packaging which identifies it as a request for a new package in Ubuntu. As a part of the managing needs-packaging bug reports specification, https://wiki.ubuntu.com/QATeam/Specs/NeedsPackagingBugs, all needs-packaging bug reports have Wishlist importance. Subsequently, I'm setting this bug's status to Wishlist.

summary: - libssh needs to be updated in order for kio-sftp to support ECDSA
+ [needs-packaging] libssh needs to be updated in order for kio-sftp to
+ support ECDSA
Changed in libssh (Ubuntu):
importance: Undecided → Wishlist
Revision history for this message
In , 3-asn (3-asn) wrote :

*** Bug 319937 has been marked as a duplicate of this bug. ***

Revision history for this message
In , 3-asn (3-asn) wrote :

FYI: I've released libssh 0.6.0rc1 with ECDSA and ECDH support.

http://www.libssh.org/2013/08/07/libssh-0-6-0rc1/

Revision history for this message
In , Alex Fiestas (afiestas) wrote :

Awesome! Thanks for the heads-up, Andreas!

Revision history for this message
In , Madcatx (madcatx) wrote :

I just tried to update to libssh 0.6rc1 and although there appears to be some progress I still cannot connect to my server which uses ECDSA key for verification. My key is password-protected and Dolphin prompts me for the password, but it is always evaluated as invalid (yes, I am sure that the login info is correct). I got some debug messages from Dolphin but they don't seem to be very helpful. Is there any way I can investigate this further?

---
dolphin(5920)/kurifilter (plugins) KShortUriFilter::filterUri: "sftp://<email address hidden>"
dolphin(5920)/kurifilter KUriFilterPlugin::setFilteredUri: Got filtered to: KUrl("sftp://<email address hidden>")
dolphin(5920)/kurifilter (plugins) KUriSearchFilter::filterUri: "sftp://<email address hidden>"
dolphin(5920)/kfile (kdelibs) KUrlComboBox::urls: ::urls()
dolphin(5920)/kio (KDirListerCache) KDirListerCache::stopListingUrl: KFileItemModelDirLister(0x25f8b00) url= KUrl("file:///home/madcat")
dolphin(5920)/kio (KDirListerCache) KDirListerCache::forgetDirs: KFileItemModelDirLister(0x25f8b00) item moved into cache: KUrl("file:///home/madcat")
dolphin(5920)/kio (KDirListerCache) KDirListerCache::listDir: Listing directory: KUrl("sftp://<email address hidden>")
dolphin(5920)/kio (Scheduler) KIO::SchedulerPrivate::doJob: KIO::SimpleJob(0x3a1c460)
dolphin(5920)/kio (Scheduler) KIO::SchedulerPrivate::protoQ: creating ProtoQueue instance for "sftp"
dolphin(5920)/kio (Scheduler) KIO::ProtoQueue::ProtoQueue: m_maxConnectionsTotal: 20 m_maxConnectionsPerHost: 5
dolphin(5920)/kio (Slave) KIO::Slave::createSlave: createSlave "sftp" for KUrl("sftp://<email address hidden>")
dolphin(5920)/kio (KIOConnection) KIO::ConnectionServer::listenForRemote: Listening on "local:/tmp/ksocket-madcat/dolphinPR5920.slave-socket"
dolphin(5920)/kio (Scheduler) KIO::SchedulerPrivate::doJob: KIO::SimpleJob(0x29b87d0)
dolphin(5920)/kio (Slave) KIO::Slave::createSlave: createSlave "sftp" for KUrl("sftp://<email address hidden>")
dolphin(5920)/kio (KIOConnection) KIO::ConnectionServer::listenForRemote: Listening on "local:/tmp/ksocket-madcat/dolphinFn5920.slave-socket"

Revision history for this message
In , 3-asn (3-asn) wrote :

Just to make it clear. The original bug report is about ECDH.

Comment #22 and comment #23 are about ECDSA private keys. These are different things.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libssh (Ubuntu):
status: New → Confirmed
Revision history for this message
Murz (murznn) wrote :

> I just tried to update to libssh 0.6rc1
Can you describe how you do the update? Is there any ppa with updated package?

Revision history for this message
Laurent Bigonville (bigon) wrote :

Libssh 0.6 is now in the archive, closing this bug.

Changed in libssh (Ubuntu):
status: Confirmed → Fix Released