
ssh: case insensitive fingerprint validation
Hello!

I noticed the ssh client now allows you to paste a fingerprint at the
host key verification question which I thought was pretty cool and a
welcome feature.

When testing it out I discovered it did not care about the case of the
entered hash, and looking at sshconnect.c I see strcasecmp() is
used which explains why.

I'm just curious if this was a deliberate decision or if it would make
sense to actually care about the case since the base64 encoded sha256
fingerprints contain a mix of upper and lower case characters.

Regards,
Patrik Lundin
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: ssh: case insensitive fingerprint validation
On Tue, 8 Sep 2020, Patrik Lundin wrote:

> I'm just curious if this was a deliberate decision or if it would make
> sense to actually care about the case since the base64 encoded sha256
> fingerprints contain a mix of upper and lower case characters.

Probably a leftover from the MD5 fingerprints, which are hex.
I guess the code should check which kind of fingerprint it is
first then compare based on that.

bye,
//mirabilos
--
«MyISAM tables -will- get corrupted eventually. This is a fact of life. »
“mysql is about as much database as ms access” – “MSSQL at least descends
from a database” “it's a rebranded SyBase” “MySQL however was born from a
flatfile and went downhill from there” – “at least jetDB doesn’t claim to
be a database” (#nosec) ??? Please let MySQL and MariaDB finally die!
Re: ssh: case insensitive fingerprint validation
On Tue, 8 Sep 2020, Patrik Lundin wrote:

> Hello!
>
> I noticed the ssh client now allows you to paste a fingerprint at the
> host key verification question which I thought was pretty cool and a
> welcome feature.
>
> When testing it out I discovered it did not care about the case of the
> entered hash, and looking at sshconnect.c I see strcasecmp() is
> used which explains why.
>
> I'm just curious if this was a deliberate decision or if it would make
> sense to actually care about the case since the base64 encoded sha256
> fingerprints contain a mix of upper and lower case characters.

Yes, it should be case sensitive. I have committed a fix that will
be in OpenSSH 8.4.

Thanks,
Damien
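The approach suggested earlier in the thread (check which kind of fingerprint it is, then compare accordingly), as an added example that is not part of the original messages and is not OpenSSH's own code. The helper names `fingerprint_matches` and `case_ambiguity_bits` and the sample fingerprints are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample fingerprints, not taken from any real host key. */
static const char SAMPLE_SHA256[] = "SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789+/AbCdE";
static const char SAMPLE_MD5[] = "MD5:0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9";

/* Hypothetical helper, not OpenSSH code. Returns 1 on match, 0 otherwise.
 * "MD5:" fingerprints are hex, so letter case carries no information;
 * anything else (e.g. "SHA256:" base64) must match byte for byte. */
int fingerprint_matches(const char *entered, const char *expected)
{
	if (entered == NULL || expected == NULL)
		return 0;
	if (strncmp(expected, "MD5:", 4) == 0) {
		if (strncmp(entered, "MD5:", 4) != 0)
			return 0;
		return strcasecmp(entered + 4, expected + 4) == 0;
	}
	return strcmp(entered, expected) == 0;
}

/* Hypothetical helper: count letters after the "TYPE:" prefix. strcasecmp()
 * treats 2^n distinct strings as equal to a fingerprint with n letters. */
int case_ambiguity_bits(const char *fp)
{
	const char *p = strchr(fp, ':');
	int n = 0;

	for (p = (p != NULL) ? p + 1 : fp; *p != '\0'; p++)
		if (isalpha((unsigned char)*p))
			n++;
	return n;
}

int main(void)
{
	const char *lower = "SHA256:abcdefghijklmnopqrstuvwxyz0123456789+/abcde";
	const char *upper = "MD5:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9";

	printf("strcasecmp accepts lowercased SHA256: %d\n", strcasecmp(lower, SAMPLE_SHA256) == 0);
	printf("type-aware check accepts it:          %d\n", fingerprint_matches(lower, SAMPLE_SHA256));
	printf("letters in SHA256 sample:             %d\n", case_ambiguity_bits(SAMPLE_SHA256));
	printf("uppercased MD5 hex accepted:          %d\n", fingerprint_matches(upper, SAMPLE_MD5));
	return 0;
}
```

The letter count shows what a case-insensitive comparison gives away: every letter in a base64 fingerprint that is compared with `strcasecmp()` doubles the number of input strings accepted as a match.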
Re: ssh: case insensitive fingerprint validation
On Thu, Sep 10, 2020 at 07:58:16AM +1000, Damien Miller wrote:
>
> Yes, it should be case sensitive. I have committed a fix that will
> be in OpenSSH 8.4.
>

Awesome, thanks!

Regards,
Patrik Lundin