bugzilla-daemon at mindrot.org
2013-Feb-23 10:59 UTC
[Bug 2074] New: Host key verification incorrectly handles IPv6 addresses
https://bugzilla.mindrot.org/show_bug.cgi?id=2074

            Bug ID: 2074
           Summary: Host key verification incorrectly handles IPv6 addresses
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 6.1p1
          Hardware: All
                OS: Linux
            Status: NEW
          Keywords: needs-release-note
          Severity: minor
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: tomaxuser at gmail.com

Host key verification does not handle different but equivalent notations of an IPv6 address as one. This affects but may not be limited to usage of ::.

Steps to reproduce:
1. ssh to ::1
2. confirm host key
3. cancel session
(3a. ssh to ::1 again to check that no verification is needed and host is known)
4. ssh to ::0:1
5. host key confirmation needed
6. cancel session
7. ssh to 0:0:0:0:0:0:0:1
8. host key confirmation needed
9. cancel session

Expected result is that in steps 5 and 8 no confirmation is required and ssh recognizes that the IP addresses are equivalent with the first one (per http://tools.ietf.org/html/rfc5952#section-4).

Suggested solution is to canonicalize IPv6 addresses when comparing them in host key verification.

This affects at least distribution 5.5p1 on Debian Squeeze and 6.1p1 built from source, but probably affects all OSes.

--
You are receiving this mail because:
You are watching the assignee of the bug.
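
The equivalence described in the report above, as an added example (not the patch attached to this bug and not OpenSSH code): the three spellings from the reproduction steps differ as strings but parse to the same address, so comparing the canonical text form makes them match. The helper names `canon_host` and `same_host` are hypothetical, and the 2001:db8:: addresses are constructed samples from the documentation prefix.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Write the canonical text form of `host` into `out`.
 * Returns 1 if `host` was a numeric IPv6/IPv4 address, 0 if it is a name
 * and was copied unchanged, -1 if `out` is too small.
 * Zone IDs such as "fe80::1%eth0" are not handled and count as names. */
int canon_host(const char *host, char *out, size_t outlen)
{
    struct in6_addr a6;
    struct in_addr a4;

    if (inet_pton(AF_INET6, host, &a6) == 1)
        return inet_ntop(AF_INET6, &a6, out, outlen) ? 1 : -1;
    if (inet_pton(AF_INET, host, &a4) == 1)
        return inet_ntop(AF_INET, &a4, out, outlen) ? 1 : -1;
    if (strlen(host) >= outlen)
        return -1;
    strcpy(out, host);
    return 0;
}

/* Compare the host typed by the user with a stored host name after
 * canonicalising both sides. Returns 1 on match, 0 otherwise. */
int same_host(const char *typed, const char *stored)
{
    char a[256], b[256];

    if (canon_host(typed, a, sizeof(a)) < 0 ||
        canon_host(stored, b, sizeof(b)) < 0)
        return 0;
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Spellings from the report, plus constructed 2001:db8:: samples. */
    const char *typed[] = { "::1", "::0:1", "0:0:0:0:0:0:0:1",
                            "2001:0DB8:0:0:0:0:0:1", "2001:db8::2" };
    const char *stored[] = { "::1", "::1", "::1",
                             "2001:db8::1", "2001:db8::1" };
    char canon[256];

    for (size_t i = 0; i < sizeof(typed) / sizeof(typed[0]); i++) {
        canon_host(typed[i], canon, sizeof(canon));
        printf("%-24s canonical=%-12s raw=%d canon=%d\n", typed[i], canon,
               strcmp(typed[i], stored[i]) == 0, same_host(typed[i], stored[i]));
    }
    return 0;
}
```
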
bugzilla-daemon at mindrot.org
2013-Mar-08 00:42 UTC
[Bug 2074] Host key verification incorrectly handles IPv6 addresses
https://bugzilla.mindrot.org/show_bug.cgi?id=2074

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 2226
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2226&action=edit
canonicalise hostnames that are actually addresses

Host names passed on the commandline are treated as names first and addresses a distant second, which is why this doesn't behave the way you might expect. The host key lookup is incredibly fiddly, but generally prefers that you confirm a key that you maybe have seen before over accepting it. Furthermore, localhost is a special case again so it isn't the best address to test with.

That being said, the attached patch will attempt to canonicalise IP addresses that are passed on the commandline. I'm not entirely sure that we want this, but we are probably going to do some other sort of canonicalisation sooner or later anyway so it might be worthwhile then - I don't intend on committing it as-is.
bugzilla-daemon at mindrot.org
2013-Mar-26 00:51 UTC
[Bug 2074] Host key verification incorrectly handles IPv6 addresses
https://bugzilla.mindrot.org/show_bug.cgi?id=2074

--- Comment #2 from Tomas Szaniszlo <tomaxuser at gmail.com> ---
Sorry for the later response.

Regarding those localhost addresses, it was only an unfortunate obfuscation; I tested it with real 2001:: addresses.

Regarding the patch, I wanted to try it out but after inspection of sources for BSD tarball and Linux nightly snapshot, I couldn't find out to which sources I should apply that patch.

Maybe a question - could there be any disadvantages of doing this?
bugzilla-daemon at mindrot.org
2014-Jul-03 06:18 UTC
[Bug 2074] Host key verification incorrectly handles IPv6 addresses
https://bugzilla.mindrot.org/show_bug.cgi?id=2074

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2226|0                           |1
        is obsolete|                            |
                 CC|                            |djm at mindrot.org

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Created attachment 2453
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2453&action=edit
Canonicalise addresses when CanonicaliseHostnames enabled

This puts the address canonicalisation inside the recently-added hostname canonicalisation code.
bugzilla-daemon at mindrot.org
2015-Apr-17 05:06 UTC
[Bug 2074] Host key verification incorrectly handles IPv6 addresses
https://bugzilla.mindrot.org/show_bug.cgi?id=2074

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
             Blocks|                            |2266
         Resolution|---                         |FIXED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
this was fixed in openssh-6.8
bugzilla-daemon at mindrot.org
2015-Aug-11 13:03 UTC
[Bug 2074] Host key verification incorrectly handles IPv6 addresses
https://bugzilla.mindrot.org/show_bug.cgi?id=2074

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1