bugzilla-daemon at bugzilla.mindrot.org
2016-Jun-17 20:41 UTC
[Bug 2591] New: ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591

            Bug ID: 2591
           Summary: ssh-keygen -R is case-sensitive, but should not be
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: All
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: griff.miller at oplink.net

Hostnames and domains are case-insensitive, but ssh-keygen -R is not honoring this.

With openssh-7.2p2 Cygwin/Windows 7 (I've also seen the same behavior on RHEL/CentOS with 5.3p1 and 6.6.1p1):

% grep -i myhost ~/.ssh/known_hosts # to show myhost is not there yet
% ssh gmiller at Myhost.domain.com date # this will put myhost there if I say "yes", which I will do. Note mixed case.
The authenticity of host 'myhost.domain.com (1.2.3.4)' can't be established.
RSA key fingerprint is SHA256:kr1BeHAQgtdws3gB1NPpKtVDm9OPJ8Gg1loyiDC1z8Y.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'myhost.domain.com,1.2.3.4' (RSA) to the list of known hosts.
Fri Apr 15 15:19:54 EDT 2016
% grep -i myhost ~/.ssh/known_hosts # to show that myhost is now in known_hosts - note it has been smashed to lowercase, which is okay.
myhost.domain.com,1.2.3.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwBsMvQ0wMfDKDXJT092F3NWjv840AHpzP0MWR+vAK1t+Uu5fjh2Jh93GFtwUH6BHCKntA7ZRTryk8xFGxlXy1NEmBzMkzNEDzWtVKBSTwnyxUZHs81r6DWBmJbsqny+lxYcUIUWMvjHis8ms6fT9G5rfde0hoLQzUSCN+L3cE1k
% ssh-keygen -R Myhost.domain.com # now try to remove it. Case should not matter here.
Host Myhost.domain.com not found in /home/millerig/.ssh/known_hosts
% grep -i myhost ~/.ssh/known_hosts # ...but it does. Show that it is still there.
myhost.domain.com,1.2.3.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwBsMvQ0wMfDKDXJT092F3NWjv840AHpzP0MWR+vAK1t+Uu5fjh2Jh93GFtwUH6BHCKntA7ZRTryk8xFGxlXy1NEmBzMkzNEDzWtVKBSTwnyxUZHs81r6DWBmJbsqny+lxYcUIUWMvjHis8ms6fT9G5rfde0hoLQzUSCN+L3cE1k
% ssh-keygen -R myhost.domain.com # this time it will work because we made sure to use lower case.
# Host myhost.domain.com found: line 14
/home/millerig/.ssh/known_hosts updated.
Original contents retained as /home/millerig/.ssh/known_hosts.old
% grep -i myhost ~/.ssh/known_hosts # show that it's gone
%

Seems like ssh-keygen -R is performing a case-sensitive string compare on the provided hostname and the hostnames in the known_hosts file. It should be a case-insensitive compare.

I can fix my scripts so that I convert to lowercase before calling ssh-keygen -R, but it would be nice if this could be fixed so that others don't get caught by surprise.

P.S. The same issue exists for the domain portion of the fully-qualified hostname.

P.P.S. I will upload a patch that I did, with input from Ángel González.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jun-17 20:48 UTC
[Bug 2591] ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591

--- Comment #1 from Griff Miller II <griff.miller at oplink.net> ---
Created attachment 2841
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2841&action=edit
Proposed patch for ssh-keygen -R case sensitivity bug

Ángel González helped develop this patch.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-08 03:31 UTC
[Bug 2591] ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 2847
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2847&action=edit
lowercase filenames as they are added

I'm wary of changing the semantics for matching, since it's very likely that users are inadvertently depending on this - it has been this way for ~20 years.

I think it would be safer if we lowercase hostnames *as they are added*. This avoids changing semantics for existing hosts but lets new ones be stored in the canonical format.

Does this solve the problem for you?
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-10 16:34 UTC
[Bug 2591] ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591

--- Comment #3 from Griff Miller II <griff.miller at oplink.net> ---
Hi, Damien.

I guess I can't think of any way a user would depend on "ssh-keygen -R Myhost" not to remove while depending on "ssh-keygen -R myhost" to remove, unless they were doing something insane like trying to use the success or failure of the removal as a means to determine if they had uppercase letters in their indicated hostname. :) The two commands mean exactly the same thing, and should produce the same result.

By the way, the hostnames are already being lowercased when they are added to known_hosts. So thanks, but no, it does not solve the problem for me.

While it's unlikely that a user would interactively type "ssh-keygen -R THEHOST" they do have to know enough inside baseball to code "ssh-keygen -R ${thehost,,}" (bash example) in scripts instead of "ssh-keygen -R $thehost".
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-10 03:49 UTC
[Bug 2591] ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2847|0                           |1
        is obsolete|                            |
                 CC|                            |dtucker at zip.com.au
             Status|NEW                         |ASSIGNED
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
   Attachment #2959|                            |ok?(dtucker at zip.com.au)
              Flags|                            |

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Created attachment 2959
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2959&action=edit
A couple more cases

always lowercase hostnames before hashing them or adding them unhashed to known_hosts
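Added example, not part of the thread and not OpenSSH's code: a simplified Python model of known_hosts host matching, showing why an exact, case-sensitive compare misses a mixed-case name for both plain and hashed (|1|salt|HMAC-SHA1) entries, and why lowercasing before hashing or lookup avoids it. The function names, sample hosts and key placeholders are constructed; wildcard patterns and @markers are not handled.

```python
import base64, hashlib, hmac, os

HASH_MAGIC = "|1|"  # prefix of a hashed known_hosts host field

def hash_host(host, salt=None):
    """Build |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host)) for a host name."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC, base64.b64encode(salt).decode(),
                        base64.b64encode(mac).decode())

def field_matches(field, host):
    """Exact, case-sensitive match of host against one host field."""
    if field.startswith(HASH_MAGIC):
        salt_b64, mac_b64 = field[len(HASH_MAGIC):].split("|")
        salt = base64.b64decode(salt_b64)
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, base64.b64decode(mac_b64))
    return host in field.split(",")  # plain field: comma-separated names

def remove_host(lines, host, normalize=True):
    """Return (kept_lines, removed_count); normalize lowercases host first."""
    if normalize:
        host = host.lower()
    kept, removed = [], 0
    for line in lines:
        parts = line.split()
        if parts and not line.startswith("#") and field_matches(parts[0], host):
            removed += 1
        else:
            kept.append(line)
    return kept, removed

# Constructed sample file: one plain entry, one hashed entry (lowercased names).
SALT = bytes(range(20))  # fixed salt so the example is reproducible
SAMPLE = [
    "myhost.domain.com,1.2.3.4 ssh-rsa AAAA_constructed_key_1",
    hash_host("otherhost.domain.com", SALT) + " ssh-rsa AAAA_constructed_key_2",
]

if __name__ == "__main__":
    for name in ("Myhost.domain.com", "OtherHost.domain.com"):
        _, strict = remove_host(SAMPLE, name, normalize=False)
        _, folded = remove_host(SAMPLE, name)
        print(name, "exact compare:", strict, "lowercased first:", folded)
    # An entry hashed from a mixed-case name can never match the lowercase name.
    print(field_matches(hash_host("Myhost.domain.com", SALT), "myhost.domain.com"))
```

With hashed entries the stored name cannot be recovered for a case-insensitive compare, so the only place to normalize is before the HMAC is computed, on both the write and the lookup side.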
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-10 04:02 UTC
[Bug 2591] ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2959|ok?(dtucker at zip.com.au)    |ok+
              Flags|                            |
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-10 04:26 UTC
[Bug 2591] ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Blocks|                            |2647
             Status|ASSIGNED                    |RESOLVED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Patch applied. This will be in OpenSSH 7.5

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 02:26 UTC
[Bug 2591] ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after release of OpenSSH 7.7.