Hello!

I noticed the ssh client now allows you to paste a fingerprint at the host key verification question which I thought was pretty cool and a welcome feature.

When testing it out I discovered it did not care about the case of the entered hash, and looking at sshconnect.c I see strcasecmp() is used which explains why.

I'm just curious if this was a deliberate decision or if it would make sense to actually care about the case since the base64 encoded sha256 fingerprints contain a mix of upper and lower case characters.

Regards,
Patrik Lundin

On Tue, 8 Sep 2020, Patrik Lundin wrote:

> I'm just curious if this was a deliberate decision or if it would make
> sense to actually care about the case since the base64 encoded sha256
> fingerprints contain a mix of upper and lower case characters.

Probably a leftover from the MD5 fingerprints, which are hex. I guess the code should check which kind of fingerprint it is first then compare based on that.

bye,
//mirabilos
--
«MyISAM tables -will- get corrupted eventually. This is a fact of life. »
“mysql is about as much database as ms access” – “MSSQL at least descends
from a database” “it's a rebranded SyBase” “MySQL however was born from a
flatfile and went downhill from there” – “at least jetDB doesn’t claim to
be a database” (#nosec) ‣‣‣ Please let MySQL and MariaDB finally die!

On Tue, 8 Sep 2020, Patrik Lundin wrote:

> Hello!
>
> I noticed the ssh client now allows you to paste a fingerprint at the
> host key verification question which I thought was pretty cool and a
> welcome feature.
>
> When testing it out I discovered it did not care about the case of the
> entered hash, and looking at sshconnect.c I see strcasecmp() is
> used which explains why.
>
> I'm just curious if this was a deliberate decision or if it would make
> sense to actually care about the case since the base64 encoded sha256
> fingerprints contain a mix of upper and lower case characters.

Yes, it should be case sensitive. I have committed a fix that will be in OpenSSH 8.4.

Thanks,
Damien
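
The comparison discussed in this thread, as an added example that is not part of the original messages and is not OpenSSH's code: it picks the comparison by fingerprint type (case-insensitive for hex MD5, exact for base64 SHA256) and counts how many characters of a SHA256 fingerprint strcasecmp() effectively ignores. The helper names, the exact-prefix rule and the sample fingerprint are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helpers for illustration; not taken from sshconnect.c. */
enum fp_kind { FP_UNKNOWN, FP_MD5, FP_SHA256 };

/* Constructed sample fingerprint (43 base64 characters, no padding). */
static const char SAMPLE_FP[] =
    "SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789+/AbCdE";

/* Identify the fingerprint type from its prefix and return the digest part. */
static enum fp_kind fp_classify(const char *fp, const char **digest)
{
    *digest = NULL;
    if (strncmp(fp, "SHA256:", 7) == 0) { *digest = fp + 7; return FP_SHA256; }
    if (strncmp(fp, "MD5:", 4) == 0) { *digest = fp + 4; return FP_MD5; }
    return FP_UNKNOWN;
}

/* Return 1 if the typed fingerprint matches the expected one, else 0. */
int fp_matches(const char *typed, const char *expected)
{
    const char *td, *ed;
    enum fp_kind tk = fp_classify(typed, &td);

    if (tk == FP_UNKNOWN || tk != fp_classify(expected, &ed))
        return 0;
    if (tk == FP_MD5)            /* hex digits: "AB" and "ab" are the same byte */
        return strcasecmp(td, ed) == 0;
    return strcmp(td, ed) == 0;  /* base64: 'A' (0) and 'a' (26) are different values */
}

/* Count letters in the digest part; with n letters, strcasecmp() treats
 * 2^n differently-cased strings as equal to this one. */
int fp_folded_letters(const char *fp)
{
    const char *d;
    int n = 0;

    if (fp_classify(fp, &d) == FP_UNKNOWN)
        return -1;
    for (; *d != '\0'; d++)
        n += isalpha((unsigned char)*d) ? 1 : 0;
    return n;
}

int main(void)
{
    printf("letters ignored by strcasecmp: %d\n", fp_folded_letters(SAMPLE_FP));
    return 0;
}
```

For a base64 fingerprint those differently-cased strings encode different digests, which is why the case-insensitive match accepts more than the one value the user meant to confirm.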