ashkulz / NppFTP

Plugin for Notepad++ allowing FTP, FTPS, FTPES and SFTP communications
https://ashkulz.github.io/NppFTP/

NppFTP is receiving ecdsa-sha2-nistp256 host key (instead of ssh-rsa?) #54

Open METACEO opened 9 years ago

METACEO commented 9 years ago

Both PuTTY and WinSCP are receiving the correct ssh-rsa key from the server, while NppFTP is not.

(attached image: fingerprintmismatch)

If I accept the host key then this is saved to my known_hosts file: 10.0.0.37 ecdsa-sha2-nistp256 AAAAE2VjZHNh...

These are the versions I am using: Notepad++ 6.8.1 NppFTP 0.26.3 Unicode zlib 1.2.8 libssh 0.6.5 OpenSSL 1.0.2a 19 Mar 2015

Is there some configuration value that can be modified to retrieve ssh-rsa keys? Or is this outside the NppFTP options?

METACEO commented 9 years ago

Copying the public key from my server and manually replacing the line in my known_hosts file from 10.0.0.37 ecdsa-sha2-nistp256 AAAAE2VjZHNh... to 10.0.0.37 ssh-rsa AAAAB3NzaC1y..., I am now no longer being prompted like in my originally attached image and I am connecting fine.

Would it be possible to select the type of host key NppFTP should use, if there is an available selection? Or would it be possible to alert the user as to what key the fingerprint is generating from?

ashkulz commented 9 years ago

Can you see if using the latest version (from here) helps?

rauwitt commented 8 years ago

As far as I tested this useful feature wasn't added yet in the latest version 0.26.5. It would be an enhancement for this plugin and for Notepad++ if this selection of a host key could be made.

llowrey commented 7 years ago

This is not a bug, imo. The host sends a number of host keys, one for each (configured) key algorithm. The order of preference is ssh-ed25519, ecdsa-sha2-nistp256, rsa-sha2-256, rsa-sha2-512, ssh-rsa, and for older implementations ssh-dsa.

The two Elliptic Curve algorithms (ed25519 and ecdsa) are considered more secure and are definitely more efficient than rsa.

It would be odd to force the ssh client to prefer a less preferred algorithm, but it is definitely possible to do with libssh.

METACEO commented 7 years ago

@llowrey - I'm not disputing the encryption strength. If there is a bug to be corrected, it is to tell the user it is fingerprinting the ecdsa-sha2-nistp256 key and not the ssh-rsa key.

In my original image, you'll see the PuTTY and WinSCP prompts and that both specify the fingerprints are from the ssh-rsa key - it will throw users off if they're given a fingerprint and are not told which key it is coming from, as NppFTP was doing (and may still be?)

chcg commented 7 years ago

Relevant code therefore:

https://github.com/ashkulz/NppFTP/blob/master/src/FTPClientWrapperSSH.cpp#L676

SSH_OPTIONS_HOSTKEYS: Set the preferred server host key types (const char *, comma-separated list). ex: "ssh-rsa,ssh-dss,ecdh-sha2-nistp256"

See http://api.libssh.org/master/keys_8h_source.html; I guess ssh_type_to_char() should provide a string about the key type.
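To make the "which key is this fingerprint from?" question concrete for anyone checking a known_hosts entry by hand, here is an added Python example (not NppFTP or libssh code): it parses a known_hosts line, reads the algorithm name that every OpenSSH key blob embeds in its first wire-format string, flags a mismatch against the declared type, and computes the SHA256 and legacy MD5 fingerprints of that specific key. The two key blobs are constructed dummies with nonsense key material; only their layout is realistic.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int = 0):
    """Read one wire-format string from blob, returning (payload, next_offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def fingerprints(blob: bytes) -> dict:
    """OpenSSH-style SHA256 (unpadded base64) and legacy MD5 (hex with colons) fingerprints."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"sha256": "SHA256:" + sha, "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}


def parse_known_hosts_line(line: str) -> dict:
    """Parse '<host> <keytype> <base64 blob>' and report which key the fingerprints belong to."""
    host, declared_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    # The blob's first string is the algorithm name, independent of the declared column.
    embedded_type, _ = read_ssh_string(blob)
    return {
        "host": host,
        "declared_type": declared_type,
        "embedded_type": embedded_type.decode(),
        "consistent": declared_type == embedded_type.decode(),
        **fingerprints(blob),
    }


# Constructed sample keys: the ECDSA point and RSA numbers are dummy bytes, not real keys.
ECDSA_BLOB = ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256") + ssh_string(b"\x04" + b"\x11" * 64)
RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\x22" * 256)

ECDSA_LINE = "10.0.0.37 ecdsa-sha2-nistp256 " + base64.b64encode(ECDSA_BLOB).decode()
RSA_LINE = "10.0.0.37 ssh-rsa " + base64.b64encode(RSA_BLOB).decode()

if __name__ == "__main__":
    for entry in (parse_known_hosts_line(ECDSA_LINE), parse_known_hosts_line(RSA_LINE)):
        status = "ok" if entry["consistent"] else "MISMATCH"
        print(entry["declared_type"], entry["sha256"], entry["md5"], status)
```

The base64 of the constructed blobs starts with the same AAAAE2VjZHNh / AAAAB3NzaC1y prefixes as the lines quoted earlier in this thread, because those prefixes are just the encoded algorithm name.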

chcg commented 7 years ago

@METACEO Please retest with v0.27.0 (https://github.com/ashkulz/NppFTP/releases/tag/v0.27.0). The host key type should now be printed out also, see #154.

chcg commented 5 years ago

@METACEO You may want to test current release https://github.com/ashkulz/NppFTP/releases/tag/v0.28.0 which contains updated libssh version 0.8.6 with support for additional algorithms.