bugzilla-daemon at bugzilla.mindrot.org
2016-Jun-17  20:41 UTC
[Bug 2591] New: ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591
            Bug ID: 2591
           Summary: ssh-keygen -R is case-sensitive, but should not be
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: All
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: griff.miller at oplink.net
Hostnames and domains are case-insensitive, but ssh-keygen -R is not
honoring this.
With openssh-7.2p2 Cygwin/Windows 7 (I've also seen the same behavior on
RHEL/CentOS with 5.3p1 and 6.6.1p1):
% grep -i myhost ~/.ssh/known_hosts # to show myhost is not there yet
% ssh gmiller@Myhost.domain.com date # this will put myhost there if I say "yes", which I will do. Note mixed case.
The authenticity of host 'myhost.domain.com (1.2.3.4)' can't be established.
RSA key fingerprint is SHA256:kr1BeHAQgtdws3gB1NPpKtVDm9OPJ8Gg1loyiDC1z8Y.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'myhost.domain.com,1.2.3.4' (RSA) to the list of known hosts.
Fri Apr 15 15:19:54 EDT 2016
% grep -i myhost ~/.ssh/known_hosts # to show that myhost is now in known_hosts - note it has been smashed to lowercase, which is okay.
myhost.domain.com,1.2.3.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwBsMvQ0wMfDKDXJT092F3NWjv840AHpzP0MWR+vAK1t+Uu5fjh2Jh93GFtwUH6BHCKntA7ZRTryk8xFGxlXy1NEmBzMkzNEDzWtVKBSTwnyxUZHs81r6DWBmJbsqny+lxYcUIUWMvjHis8ms6fT9G5rfde0hoLQzUSCN+L3cE1k
% ssh-keygen -R Myhost.domain.com # now try to remove it. Case should not matter here.
Host Myhost.domain.com not found in /home/millerig/.ssh/known_hosts
% grep -i myhost ~/.ssh/known_hosts # ...but it does. Show that it is still there.
myhost.domain.com,1.2.3.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwBsMvQ0wMfDKDXJT092F3NWjv840AHpzP0MWR+vAK1t+Uu5fjh2Jh93GFtwUH6BHCKntA7ZRTryk8xFGxlXy1NEmBzMkzNEDzWtVKBSTwnyxUZHs81r6DWBmJbsqny+lxYcUIUWMvjHis8ms6fT9G5rfde0hoLQzUSCN+L3cE1k
% ssh-keygen -R myhost.domain.com # this time it will work because we made sure to use lower case.
# Host myhost.domain.com found: line 14
/home/millerig/.ssh/known_hosts updated.
Original contents retained as /home/millerig/.ssh/known_hosts.old
% grep -i myhost ~/.ssh/known_hosts # show that it's gone
%
Seems like ssh-keygen -R is performing a case-sensitive string compare on
the provided hostname and the hostnames in the known_hosts file. It should
be a case-insensitive compare.
I can fix my scripts so that I convert to lowercase before calling
ssh-keygen -R, but it would be nice if this could be fixed so that others
don't get caught by surprise.
P.S. The same issue exists for the domain portion of the fully-qualified
hostname.
P.P.S. I will upload a patch that I did, with input from Ángel González.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jun-17  20:48 UTC
[Bug 2591] ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591
--- Comment #1 from Griff Miller II <griff.miller at oplink.net> ---
Created attachment 2841
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2841&action=edit
Proposed patch for ssh-keygen -R case sensitivity bug
Ángel González helped develop this patch.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-08  03:31 UTC
[Bug 2591] ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 2847
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2847&action=edit
lowercase filenames as they are added
I'm wary of changing the semantics for matching, since it's very likely
that users are inadvertently depending on this - it has been this way
for ~20 years.
I think it would be safer if we lowercase hostnames *as they are
added*. This avoids changing semantics for existing hosts but lets new
ones be stored in the canonical format.
Does this solve the problem for you?
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-10  16:34 UTC
[Bug 2591] ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591
--- Comment #3 from Griff Miller II <griff.miller at oplink.net> ---
Hi, Damien.
I guess I can't think of any way a user would depend on "ssh-keygen -R
Myhost" not to remove while depending on "ssh-keygen -R myhost" to
remove, unless they were doing something insane like trying to use the
success or failure of the removal as a means to determine if they had
uppercase letters in their indicated hostname. :) The two commands mean
exactly the same thing, and should produce the same result.
By the way, the hostnames are already being lowercased when they are
added to known_hosts. So thanks, but no, it does not solve the problem
for me.
While it's unlikely that a user would interactively type "ssh-keygen -R
THEHOST", they do have to know enough inside baseball to code
"ssh-keygen -R ${thehost,,}" (bash example) in scripts instead of
"ssh-keygen -R $thehost".
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-10  03:49 UTC
[Bug 2591] ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2847|0                           |1
        is obsolete|                            |
                 CC|                            |dtucker at zip.com.au
             Status|NEW                         |ASSIGNED
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
   Attachment #2959|                            |ok?(dtucker at zip.com.au)
              Flags|                            |
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Created attachment 2959
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2959&action=edit
A couple more cases
always lowercase hostnames before hashing them or adding them unhashed
to known_hosts
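Added example, not code from this thread or from OpenSSH: a simplified Python model of exact-case matching against plain and hashed (`|1|salt|HMAC-SHA1`) known_hosts host fields, reproducing the reported behaviour and showing why comment #4 lowercases names before hashing. The salt, key material and the `Otherhost` entry are constructed, and wildcard patterns, markers and `[host]:port` syntax are not handled.

```python
import base64
import hashlib
import hmac


def hash_host(host: str, salt: bytes) -> str:
    """Hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def field_matches(field: str, query: str) -> bool:
    """Exact-case match of query against one host field (plain list or hashed)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), query.encode(),
                            hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return query in field.split(",")


def remove_host(lines, query, lowercase_query=False):
    """Return the lines left after removing `query` (minimal model of -R)."""
    if lowercase_query:
        query = query.lower()  # the workaround from the report: normalise first
    kept = []
    for line in lines:
        parts = line.split()
        if parts and not line.startswith("#") and field_matches(parts[0], query):
            continue
        kept.append(line)
    return kept


# Constructed sample data (not real keys or hosts).
SALT = bytes(range(20))
KEY = "ssh-rsa AAAAB3NzaC1yc2EXAMPLE"
KNOWN_HOSTS = [
    "myhost.domain.com,1.2.3.4 " + KEY,                 # plain, stored lowercase
    hash_host("myhost.domain.com", SALT) + " " + KEY,   # hashed from lowercase
    hash_host("Otherhost.domain.com", SALT) + " " + KEY,  # hashed from mixed case
]

if __name__ == "__main__":
    print(len(remove_host(KNOWN_HOSTS, "Myhost.domain.com")))        # nothing removed
    print(len(remove_host(KNOWN_HOSTS, "Myhost.domain.com", True)))  # both myhost lines gone
    print(len(remove_host(KNOWN_HOSTS, "otherhost.domain.com", True)))  # hashed entry unreachable
```

A name hashed in mixed case cannot be found by any lowercase query, because the original spelling is not recoverable from the HMAC; normalising before hashing is the only point where the case can be fixed.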
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-10  04:02 UTC
[Bug 2591] ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2959|ok?(dtucker at zip.com.au)     |ok+
              Flags|                            |
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-10  04:26 UTC
[Bug 2591] ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Blocks|                            |2647
             Status|ASSIGNED                    |RESOLVED
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Patch applied. This will be in OpenSSH 7.5
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06  02:26 UTC
[Bug 2591] ssh-keygen -R is case-sensitive, but should not be
https://bugzilla.mindrot.org/show_bug.cgi?id=2591
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after release of OpenSSH 7.7.