bugzilla-daemon at bugzilla.mindrot.org
2017-Jul-24 15:51 UTC
[Bug 2747] New: Different notations for the same IP-address result in multiple entries in known_hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2747
Bug ID: 2747
Summary: Different notations for the same IP-address result in multiple entries in known_hosts
Product: Portable OpenSSH
Version: 7.5p1
Hardware: Other
OS: FreeBSD
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: mi+mindrot at aldan.algebra.com
When checking the known_hosts-database for an IP-address, the client is
not attempting to normalize the IP. For example, connecting to the
following destinations in sequence:
* 10.10.220.46
* 168483886
* 0xa0adc2e
* 0x0a0adc2e
* 0x00a0adc2e
* 0x000a0adc2e
triggers the "are you sure?" warning each time -- and a separate line
in the ~/.ssh/known_hosts for each -- with the same host-key, of
course.
To solve this, OpenSSH developers need to agree on the "canonical"
representation for IPv4 (and IPv6!) addresses. Then the client-side
needs to be modified to:
1. When looking up the host in the list, look for the canonical
representation first. If no entry is found, look for the few
other possible representations and, if found, quietly convert/merge
such entry(ies) into canonical.
2. When adding a new entry, always add it in the canonical form
regardless of the command-line.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jul-24 15:52 UTC
[Bug 2747] Different notations for the same IP-address result in multiple entries in known_hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2747
Mikhail T. <mi+mindrot at aldan.algebra.com> changed:
What            |Removed        |Added
----------------------------------------------------------------------------
OS              |FreeBSD        |All
Severity        |enhancement    |minor
Hardware        |Other          |All
bugzilla-daemon at bugzilla.mindrot.org
2017-Jul-24 15:54 UTC
[Bug 2747] Different notations for the same IP-address result in multiple entries in known_hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2747
--- Comment #1 from Mikhail T. <mi+mindrot at aldan.algebra.com> ---
There is, actually, a security implication to this bug -- a MITM attack
may be made possible by sending the user to the host identified by the
same IP-address in a different notation. Instead of a "the host's key
has changed" *error*, they'll get a "would you like to add this key"
*warning*...
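The canonicalisation the report asks for, modelled as an added example for both the original description and comment #1 (this is not OpenSSH's code; the known_hosts lines and key strings are constructed, and `check_host` is a simplified model of the client's decision): it parses the inet_aton(3) spellings listed above (dotted quad, plain decimal, hex with any zero padding, plus the 1-, 2- and 3-component forms) into dotted-quad form, compresses IPv6 literals with Python's `ipaddress` module, and compares the pre-fix lookup (literal string as typed) with the canonicalised one, so the "add this key?" warning versus "key has changed" error difference from comment #1 is visible.

```python
"""Canonicalise IP-address notations before a known_hosts lookup.

Constructed illustration of bug 2747: a model of the pre-7.7 behaviour
(the literal command-line spelling is compared) beside the fix (the
address is canonicalised first). Not OpenSSH's code.
"""
import ipaddress
from typing import Optional

# inet_aton(3) accepts 1..4 components; the last one absorbs the remaining bits.
_LAST_PART_MAX = {4: 0xff, 3: 0xffff, 2: 0xffffff, 1: 0xffffffff}


def _parse_c_number(text: str) -> int:
    """One inet_aton component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if text[:2].lower() == "0x":
        digits, base = text[2:], 16
    elif len(text) > 1 and text[0] == "0":
        digits, base = text[1:], 8
    else:
        digits, base = text, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(c not in allowed for c in digits.lower()):
        raise ValueError(f"bad inet_aton component: {text!r}")
    return int(digits, base)


def ipv4_legacy_to_dotted(text: str) -> Optional[str]:
    """Return the dotted-quad form of any inet_aton(3) spelling, or None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_c_number(p) for p in parts]
    except ValueError:
        return None
    *leading, last = values
    if any(v > 0xff for v in leading) or last > _LAST_PART_MAX[len(parts)]:
        return None
    addr = 0
    for v in leading:                # each leading component is one octet
        addr = (addr << 8) | v
    addr = (addr << (8 * (5 - len(parts)))) | last   # last component fills the rest
    return str(ipaddress.IPv4Address(addr))


def canonicalize(host: str) -> str:
    """Canonical spelling of an IP literal; anything else is returned unchanged."""
    dotted = ipv4_legacy_to_dotted(host)
    if dotted is not None:
        return dotted
    try:
        return str(ipaddress.IPv6Address(host))  # compressed, lower-case form
    except ValueError:
        return host


# Constructed sample known_hosts content (fake keys, not real host keys).
KNOWN_HOSTS = """\
# constructed sample, not a real known_hosts file
10.10.220.46 ssh-ed25519 AAAAC3-EXAMPLE-KEY-A
2001:db8::1 ssh-ed25519 AAAAC3-EXAMPLE-KEY-B
"""


def check_host(known_hosts: str, host: str, presented_key: str,
               canonical: bool = True) -> str:
    """Model of the client's decision: 'match', 'changed' or 'unknown'.

    canonical=False compares the spelling as typed (the behaviour the report
    describes); canonical=True canonicalises both sides first (the fix).
    """
    norm = canonicalize if canonical else (lambda h: h)
    target = norm(host)
    stored_keys = []
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments and hashed (|1|...) entries: a hashed host name
        # cannot be re-spelled without recomputing its HMAC, so it is not modelled.
        if len(fields) < 3 or fields[0].startswith("#") or fields[0].startswith("|1|"):
            continue
        patterns, _keytype, key = fields[:3]
        if target in (norm(p) for p in patterns.split(",")):
            stored_keys.append(key)
    if not stored_keys:
        return "unknown"          # "are you sure you want to continue?" prompt
    return "match" if presented_key in stored_keys else "changed"  # hard error


if __name__ == "__main__":
    spellings = ["10.10.220.46", "168483886", "0xa0adc2e",
                 "0x0a0adc2e", "0x00a0adc2e", "0x000a0adc2e"]
    for s in spellings:
        before = check_host(KNOWN_HOSTS, s, "SOME-OTHER-KEY", canonical=False)
        after = check_host(KNOWN_HOSTS, s, "SOME-OTHER-KEY")
        print(f"{s:>13} -> {canonicalize(s)}  pre-fix: {before:8} fixed: {after}")
```

Run as a script, every spelling except the dotted quad reports `unknown` under the pre-fix comparison (the prompt to accept a new key) but `changed` once canonicalised, because a different key was presented for an address that is already in the file. Note the parser's caveat: a leading zero in a component is octal in the inet_aton grammar, so `010.10.220.46` is `8.10.220.46`, not `10.10.220.46`.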
bugzilla-daemon at bugzilla.mindrot.org
2018-May-25 03:34 UTC
[Bug 2747] Different notations for the same IP-address result in multiple entries in known_hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2747
Damien Miller <djm at mindrot.org> changed:
What            |Removed        |Added
----------------------------------------------------------------------------
CC              |               |djm at mindrot.org
Resolution      |---            |FIXED
Status          |NEW            |RESOLVED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
This was fixed in openssh-7.7. Addresses are now canonicalised by
default.
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19 06:17 UTC
[Bug 2747] Different notations for the same IP-address result in multiple entries in known_hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2747
Damien Miller <djm at mindrot.org> changed:
What            |Removed        |Added
----------------------------------------------------------------------------
Status          |RESOLVED       |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Close RESOLVED bugs with the release of openssh-8.0