Curl failed to read known_hosts file

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
4
down vote

favorite












I'm trying to download a file from a Centos 6 server using another Centos 6 server as client and curl with the scp protocol and I'm getting this error output:



$ curl -v -O scp://cz/path/to/file
* About to connect() to cz port 22 (#0)
* Trying 1.2.3.4... connected
* Connected to cz (1.2.3.4) port 22 (#0)
* Failed to read known hosts from /home/cpn/.ssh/known_hosts
* SSH host check: 0, key: AAAAB3NzaC1yc2EAAAABIwAAAQEAyeeDgYFsHi3Ks3PxCXt69IHBr7yNII720sXOm9WKIdGnwPf7QHbLsMf41mctcGRSJ2yO2EXpNEbZQhdUqs3oImdTn2OHF/K8STK1GXMVseusgmPuQWBt36AVPon7h9lSCjtxt+1UpFJoireXvhUDlgg9i1C9QbE04GAmA7vMOmtcVt3/3F6X/hKhOZvHj1gu5+RzCO8fXo2R8XeRoN0GcU2jVOhug0G+hXAiHymh5JzVm4YlCzsNIv3mDOF2lZRLdkor5FDKjBY8/o/5O8U0lWm4ie2S7qDppqCJP2SnNTWlaM3k5HDmdyEKKZ0lV+qG33q3ADZxjBeIKQtWLZfC3w==
* SSH authentication methods available: publickey,gssapi-keyex,gssapi-with-mic,password
* Using ssh public key file /home/cpn/.ssh/id_dsa.pub
* Using ssh private key file /home/cpn/.ssh/id_dsa
* SSH public key authentication failed: Username/PublicKey combination invalid
* Authentication failure
* Closing connection #0


I can download the file using scp no questions asked:



$ scp cz:/path/to/file .


I can log in to the server with ssh again no questions asked



$ ssh cz


There are both ssh-rsa and ssh-dss keys at the server's authorized_keys file



What is exactly curl complaining about? My only guess is that curl wants a dsa key in the client's known_hosts file. If that is the case how to generate it? Or how to make curl look for the rsa key instead in that file?



Update



At the client:



$ ls -l /home/cpn/.ssh/known_hosts
-rw-r--r--. 1 cpn cpn 1970 Nov 12 16:12 /home/cpn/.ssh/known_hosts









share|improve this question























  • Can you post the output of ls -l /home/cpn/.ssh/known_hosts on the machine hosting this very file?
    – John WH Smith
    Nov 12 '14 at 18:37










  • @John Edited with the command output
    – Clodoaldo
    Nov 12 '14 at 18:49










  • Do you expect curl to prompt for an SSH/SCP password, or did you configure your RSA key for this remote host? It seems like curl is trying to perform publickey (passwordless) authentication here.
    – John WH Smith
    Nov 12 '14 at 18:51











  • @John I can do scp copy and ssh login using publickey for the remote host. So I expect curl to use publickey.
    – Clodoaldo
    Nov 12 '14 at 19:53














up vote
4
down vote

favorite












I'm trying to download a file from a Centos 6 server using another Centos 6 server as client and curl with the scp protocol and I'm getting this error output:



$ curl -v -O scp://cz/path/to/file
* About to connect() to cz port 22 (#0)
* Trying 1.2.3.4... connected
* Connected to cz (1.2.3.4) port 22 (#0)
* Failed to read known hosts from /home/cpn/.ssh/known_hosts
* SSH host check: 0, key: AAAAB3NzaC1yc2EAAAABIwAAAQEAyeeDgYFsHi3Ks3PxCXt69IHBr7yNII720sXOm9WKIdGnwPf7QHbLsMf41mctcGRSJ2yO2EXpNEbZQhdUqs3oImdTn2OHF/K8STK1GXMVseusgmPuQWBt36AVPon7h9lSCjtxt+1UpFJoireXvhUDlgg9i1C9QbE04GAmA7vMOmtcVt3/3F6X/hKhOZvHj1gu5+RzCO8fXo2R8XeRoN0GcU2jVOhug0G+hXAiHymh5JzVm4YlCzsNIv3mDOF2lZRLdkor5FDKjBY8/o/5O8U0lWm4ie2S7qDppqCJP2SnNTWlaM3k5HDmdyEKKZ0lV+qG33q3ADZxjBeIKQtWLZfC3w==
* SSH authentication methods available: publickey,gssapi-keyex,gssapi-with-mic,password
* Using ssh public key file /home/cpn/.ssh/id_dsa.pub
* Using ssh private key file /home/cpn/.ssh/id_dsa
* SSH public key authentication failed: Username/PublicKey combination invalid
* Authentication failure
* Closing connection #0


I can download the file using scp no questions asked:



$ scp cz:/path/to/file .


I can log in to the server with ssh again no questions asked



$ ssh cz


There are both ssh-rsa and ssh-dss keys at the server's authorized_keys file



What is exactly curl complaining about? My only guess is that curl wants a dsa key in the client's known_hosts file. If that is the case how to generate it? Or how to make curl look for the rsa key instead in that file?



Update



At the client:



$ ls -l /home/cpn/.ssh/known_hosts
-rw-r--r--. 1 cpn cpn 1970 Nov 12 16:12 /home/cpn/.ssh/known_hosts









share|improve this question























  • Can you post the output of ls -l /home/cpn/.ssh/known_hosts on the machine hosting this very file?
    – John WH Smith
    Nov 12 '14 at 18:37










  • @John Edited with the command output
    – Clodoaldo
    Nov 12 '14 at 18:49










  • Do you expect curl to prompt for an SSH/SCP password, or did you configure your RSA key for this remote host? It seems like curl is trying to perform publickey (passwordless) authentication here.
    – John WH Smith
    Nov 12 '14 at 18:51











  • @John I can do scp copy and ssh login using publickey for the remote host. So I expect curl to use publickey.
    – Clodoaldo
    Nov 12 '14 at 19:53












up vote
4
down vote

favorite









up vote
4
down vote

favorite











I'm trying to download a file from a Centos 6 server using another Centos 6 server as client and curl with the scp protocol and I'm getting this error output:



$ curl -v -O scp://cz/path/to/file
* About to connect() to cz port 22 (#0)
* Trying 1.2.3.4... connected
* Connected to cz (1.2.3.4) port 22 (#0)
* Failed to read known hosts from /home/cpn/.ssh/known_hosts
* SSH host check: 0, key: AAAAB3NzaC1yc2EAAAABIwAAAQEAyeeDgYFsHi3Ks3PxCXt69IHBr7yNII720sXOm9WKIdGnwPf7QHbLsMf41mctcGRSJ2yO2EXpNEbZQhdUqs3oImdTn2OHF/K8STK1GXMVseusgmPuQWBt36AVPon7h9lSCjtxt+1UpFJoireXvhUDlgg9i1C9QbE04GAmA7vMOmtcVt3/3F6X/hKhOZvHj1gu5+RzCO8fXo2R8XeRoN0GcU2jVOhug0G+hXAiHymh5JzVm4YlCzsNIv3mDOF2lZRLdkor5FDKjBY8/o/5O8U0lWm4ie2S7qDppqCJP2SnNTWlaM3k5HDmdyEKKZ0lV+qG33q3ADZxjBeIKQtWLZfC3w==
* SSH authentication methods available: publickey,gssapi-keyex,gssapi-with-mic,password
* Using ssh public key file /home/cpn/.ssh/id_dsa.pub
* Using ssh private key file /home/cpn/.ssh/id_dsa
* SSH public key authentication failed: Username/PublicKey combination invalid
* Authentication failure
* Closing connection #0


I can download the file using scp no questions asked:



$ scp cz:/path/to/file .


I can log in to the server with ssh again no questions asked



$ ssh cz


There are both ssh-rsa and ssh-dss keys at the server's authorized_keys file



What is exactly curl complaining about? My only guess is that curl wants a dsa key in the client's known_hosts file. If that is the case how to generate it? Or how to make curl look for the rsa key instead in that file?



Update



At the client:



$ ls -l /home/cpn/.ssh/known_hosts
-rw-r--r--. 1 cpn cpn 1970 Nov 12 16:12 /home/cpn/.ssh/known_hosts









share|improve this question















I'm trying to download a file from a Centos 6 server using another Centos 6 server as client and curl with the scp protocol and I'm getting this error output:



$ curl -v -O scp://cz/path/to/file
* About to connect() to cz port 22 (#0)
* Trying 1.2.3.4... connected
* Connected to cz (1.2.3.4) port 22 (#0)
* Failed to read known hosts from /home/cpn/.ssh/known_hosts
* SSH host check: 0, key: AAAAB3NzaC1yc2EAAAABIwAAAQEAyeeDgYFsHi3Ks3PxCXt69IHBr7yNII720sXOm9WKIdGnwPf7QHbLsMf41mctcGRSJ2yO2EXpNEbZQhdUqs3oImdTn2OHF/K8STK1GXMVseusgmPuQWBt36AVPon7h9lSCjtxt+1UpFJoireXvhUDlgg9i1C9QbE04GAmA7vMOmtcVt3/3F6X/hKhOZvHj1gu5+RzCO8fXo2R8XeRoN0GcU2jVOhug0G+hXAiHymh5JzVm4YlCzsNIv3mDOF2lZRLdkor5FDKjBY8/o/5O8U0lWm4ie2S7qDppqCJP2SnNTWlaM3k5HDmdyEKKZ0lV+qG33q3ADZxjBeIKQtWLZfC3w==
* SSH authentication methods available: publickey,gssapi-keyex,gssapi-with-mic,password
* Using ssh public key file /home/cpn/.ssh/id_dsa.pub
* Using ssh private key file /home/cpn/.ssh/id_dsa
* SSH public key authentication failed: Username/PublicKey combination invalid
* Authentication failure
* Closing connection #0


I can download the file using scp no questions asked:



$ scp cz:/path/to/file .


I can log in to the server with ssh again no questions asked



$ ssh cz


There are both ssh-rsa and ssh-dss keys at the server's authorized_keys file



What is exactly curl complaining about? My only guess is that curl wants a dsa key in the client's known_hosts file. If that is the case how to generate it? Or how to make curl look for the rsa key instead in that file?



Update



At the client:



$ ls -l /home/cpn/.ssh/known_hosts
-rw-r--r--. 1 cpn cpn 1970 Nov 12 16:12 /home/cpn/.ssh/known_hosts






centos scp curl






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 13 '14 at 10:15

























asked Nov 12 '14 at 16:44









Clodoaldo

234314




234314











  • Can you post the output of ls -l /home/cpn/.ssh/known_hosts on the machine hosting this very file?
    – John WH Smith
    Nov 12 '14 at 18:37










  • @John Edited with the command output
    – Clodoaldo
    Nov 12 '14 at 18:49










  • Do you expect curl to prompt for an SSH/SCP password, or did you configure your RSA key for this remote host? It seems like curl is trying to perform publickey (passwordless) authentication here.
    – John WH Smith
    Nov 12 '14 at 18:51











  • @John I can do scp copy and ssh login using publickey for the remote host. So I expect curl to use publickey.
    – Clodoaldo
    Nov 12 '14 at 19:53
















  • Can you post the output of ls -l /home/cpn/.ssh/known_hosts on the machine hosting this very file?
    – John WH Smith
    Nov 12 '14 at 18:37










  • @John Edited with the command output
    – Clodoaldo
    Nov 12 '14 at 18:49










  • Do you expect curl to prompt for an SSH/SCP password, or did you configure your RSA key for this remote host? It seems like curl is trying to perform publickey (passwordless) authentication here.
    – John WH Smith
    Nov 12 '14 at 18:51











  • @John I can do scp copy and ssh login using publickey for the remote host. So I expect curl to use publickey.
    – Clodoaldo
    Nov 12 '14 at 19:53















Can you post the output of ls -l /home/cpn/.ssh/known_hosts on the machine hosting this very file?
– John WH Smith
Nov 12 '14 at 18:37




Can you post the output of ls -l /home/cpn/.ssh/known_hosts on the machine hosting this very file?
– John WH Smith
Nov 12 '14 at 18:37












@John Edited with the command output
– Clodoaldo
Nov 12 '14 at 18:49




@John Edited with the command output
– Clodoaldo
Nov 12 '14 at 18:49












Do you expect curl to prompt for an SSH/SCP password, or did you configure your RSA key for this remote host? It seems like curl is trying to perform publickey (passwordless) authentication here.
– John WH Smith
Nov 12 '14 at 18:51





Do you expect curl to prompt for an SSH/SCP password, or did you configure your RSA key for this remote host? It seems like curl is trying to perform publickey (passwordless) authentication here.
– John WH Smith
Nov 12 '14 at 18:51













@John I can do scp copy and ssh login using publickey for the remote host. So I expect curl to use publickey.
– Clodoaldo
Nov 12 '14 at 19:53




@John I can do scp copy and ssh login using publickey for the remote host. So I expect curl to use publickey.
– Clodoaldo
Nov 12 '14 at 19:53










2 Answers
2






active

oldest

votes

















up vote
2
down vote













I can at least explain what's probably going on: the . after the permissions in the output of ls -l indicates the presence of an SELinux policy, which overrides file permissions based on which program is accessing the file. Use ls -Z ~/.ssh/known_hosts to display the file's policy.



Presumably /usr/bin/ssh and its companion programs (ssh-keygen, scp, etc.) are the only programs who are allowed to access that file. I'm skeptical about this policy: it is useful to edit ~/.ssh/known_hosts manually sometimes. However I don't understand why curl would want to read that file instead of letting ssh and friends do it.



You can use the chcon command to edit the policy for that file, and restorecon to restore the default policy. See the CentOS wiki for more information about SELinux.






share|improve this answer




















  • +1 I did setenforce 0 but still the same error message.
    – Clodoaldo
    Nov 13 '14 at 9:58


















up vote
0
down vote













For people who find this page via google:



It looks like old versions of cURL choke on known_hosts files with unrecognized keytypes, and sufficiently old versions of cURL don't recognize any keytype but ssh-rsa.



For example, my cURL is version 7.29.0 (6 years old, and the latest available in CentOS 7 as of this writing), and will cease reading keys after the first ecdsa-sha2-nistp256, which is the majority of the keys in my known_hosts file.






share|improve this answer










New contributor




tboz203 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f167599%2fcurl-failed-to-read-known-hosts-file%23new-answer', 'question_page');

    );

    Post as a guest






























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    2
    down vote













    I can at least explain what's probably going on: the . after the permissions in the output of ls -l indicates the presence of an SELinux policy, which overrides file permissions based on which program is accessing the file. Use ls -Z ~/.ssh/known_hosts to display the file's policy.



    Presumably /usr/bin/ssh and its companion programs (ssh-keygen, scp, etc.) are the only programs who are allowed to access that file. I'm skeptical about this policy: it is useful to edit ~/.ssh/known_hosts manually sometimes. However I don't understand why curl would want to read that file instead of letting ssh and friends do it.



    You can use the chcon command to edit the policy for that file, and restorecon to restore the default policy. See the CentOS wiki for more information about SELinux.






    share|improve this answer




















    • +1 I did setenforce 0 but still the same error message.
      – Clodoaldo
      Nov 13 '14 at 9:58















    up vote
    2
    down vote













    I can at least explain what's probably going on: the . after the permissions in the output of ls -l indicates the presence of an SELinux policy, which overrides file permissions based on which program is accessing the file. Use ls -Z ~/.ssh/known_hosts to display the file's policy.



    Presumably /usr/bin/ssh and its companion programs (ssh-keygen, scp, etc.) are the only programs who are allowed to access that file. I'm skeptical about this policy: it is useful to edit ~/.ssh/known_hosts manually sometimes. However I don't understand why curl would want to read that file instead of letting ssh and friends do it.



    You can use the chcon command to edit the policy for that file, and restorecon to restore the default policy. See the CentOS wiki for more information about SELinux.






    share|improve this answer




















    • +1 I did setenforce 0 but still the same error message.
      – Clodoaldo
      Nov 13 '14 at 9:58













    up vote
    2
    down vote










    up vote
    2
    down vote









    I can at least explain what's probably going on: the . after the permissions in the output of ls -l indicates the presence of an SELinux policy, which overrides file permissions based on which program is accessing the file. Use ls -Z ~/.ssh/known_hosts to display the file's policy.



    Presumably /usr/bin/ssh and its companion programs (ssh-keygen, scp, etc.) are the only programs who are allowed to access that file. I'm skeptical about this policy: it is useful to edit ~/.ssh/known_hosts manually sometimes. However I don't understand why curl would want to read that file instead of letting ssh and friends do it.



    You can use the chcon command to edit the policy for that file, and restorecon to restore the default policy. See the CentOS wiki for more information about SELinux.






    share|improve this answer












    I can at least explain what's probably going on: the . after the permissions in the output of ls -l indicates the presence of an SELinux policy, which overrides file permissions based on which program is accessing the file. Use ls -Z ~/.ssh/known_hosts to display the file's policy.



    Presumably /usr/bin/ssh and its companion programs (ssh-keygen, scp, etc.) are the only programs who are allowed to access that file. I'm skeptical about this policy: it is useful to edit ~/.ssh/known_hosts manually sometimes. However I don't understand why curl would want to read that file instead of letting ssh and friends do it.



    You can use the chcon command to edit the policy for that file, and restorecon to restore the default policy. See the CentOS wiki for more information about SELinux.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Nov 13 '14 at 1:46









    Gilles

    518k12410321562




    518k12410321562











    • +1 I did setenforce 0 but still the same error message.
      – Clodoaldo
      Nov 13 '14 at 9:58

















    • +1 I did setenforce 0 but still the same error message.
      – Clodoaldo
      Nov 13 '14 at 9:58
















    +1 I did setenforce 0 but still the same error message.
    – Clodoaldo
    Nov 13 '14 at 9:58





    +1 I did setenforce 0 but still the same error message.
    – Clodoaldo
    Nov 13 '14 at 9:58













    up vote
    0
    down vote













    For people who find this page via google:



    It looks like old versions of cURL choke on known_hosts files with unrecognized keytypes, and sufficiently old versions of cURL don't recognize any keytype but ssh-rsa.



    For example, my cURL is version 7.29.0 (6 years old, and the latest available in CentOS 7 as of this writing), and will cease reading keys after the first ecdsa-sha2-nistp256, which is the majority of the keys in my known_hosts file.






    share|improve this answer










    New contributor




    tboz203 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















      up vote
      0
      down vote













      For people who find this page via google:



      It looks like old versions of cURL choke on known_hosts files with unrecognized keytypes, and sufficiently old versions of cURL don't recognize any keytype but ssh-rsa.



      For example, my cURL is version 7.29.0 (6 years old, and the latest available in CentOS 7 as of this writing), and will cease reading keys after the first ecdsa-sha2-nistp256, which is the majority of the keys in my known_hosts file.






      share|improve this answer










      New contributor




      tboz203 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.



















        up vote
        0
        down vote










        up vote
        0
        down vote









        For people who find this page via google:



        It looks like old versions of cURL choke on known_hosts files with unrecognized keytypes, and sufficiently old versions of cURL don't recognize any keytype but ssh-rsa.



        For example, my cURL is version 7.29.0 (6 years old, and the latest available in CentOS 7 as of this writing), and will cease reading keys after the first ecdsa-sha2-nistp256, which is the majority of the keys in my known_hosts file.






        share|improve this answer










        New contributor




        tboz203 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        For people who find this page via google:



        It looks like old versions of cURL choke on known_hosts files with unrecognized keytypes, and sufficiently old versions of cURL don't recognize any keytype but ssh-rsa.



        For example, my cURL is version 7.29.0 (6 years old, and the latest available in CentOS 7 as of this writing), and will cease reading keys after the first ecdsa-sha2-nistp256, which is the majority of the keys in my known_hosts file.







        share|improve this answer










        New contributor




        tboz203 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        share|improve this answer



        share|improve this answer








        edited 3 mins ago





















        New contributor




        tboz203 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        answered 10 mins ago









        tboz203

        12




        12




        New contributor




        tboz203 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.





        New contributor





        tboz203 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






        tboz203 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.



























             

            draft saved


            draft discarded















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f167599%2fcurl-failed-to-read-known-hosts-file%23new-answer', 'question_page');

            );

            Post as a guest













































































            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?