bugzilla-daemon at bugzilla.mindrot.org
2017-Jul-24 15:51 UTC
[Bug 2747] New: Different notations for the same IP-address result in multiple entries in known_hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2747 Bug ID: 2747 Summary: Different notations for the same IP-address result in multiple entries in known_hosts Product: Portable OpenSSH Version: 7.5p1 Hardware: Other OS: FreeBSD Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: mi+mindrot at aldan.algebra.com When checking the known_hosts-database for an IP-address, the client is not attempting to normalize the IP. For example, connecting to the following destinations in sequence: * 10.10.220.46 * 168483886 * 0xa0adc2e * 0x0a0adc2e * 0x00a0adc2e * 0x000a0adc2e triggers the "are you sure?" warning each time -- and a separate line in the ~/.ssh/known_hosts for each -- with the same host-key, of course. To solve this, OpenSSH developers need to agree on the "canonical" representation for IPv4 (and IPv6!) addresses. Then the client-side needs to be modified to: 1. When looking up the host in the list, look for the canonical representation first. If no entry is found, look for the few other possible representations and, if found, quietly convert/merge such entry(ies) into canonical. 2. When adding a new entry, always add it in the canonical form regardless of the command-line. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jul-24 15:52 UTC
[Bug 2747] Different notations for the same IP-address result in multiple entries in known_hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2747 Mikhail T. <mi+mindrot at aldan.algebra.com> changed: What |Removed |Added ---------------------------------------------------------------------------- OS|FreeBSD |All Severity|enhancement |minor Hardware|Other |All -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jul-24 15:54 UTC
[Bug 2747] Different notations for the same IP-address result in multiple entries in known_hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2747 --- Comment #1 from Mikhail T. <mi+mindrot at aldan.algebra.com> --- There is, actually, a security implication to this bug -- a MITM attack may be made possible by sending the user to the host identified by the same IP-address in a different notation. Instead of a "the host's key has changed" *error*, they'll get a "would you like to add this key" *warning*... -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-May-25 03:34 UTC
[Bug 2747] Different notations for the same IP-address result in multiple entries in known_hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2747 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org Resolution|--- |FIXED Status|NEW |RESOLVED --- Comment #2 from Damien Miller <djm at mindrot.org> --- This was fixed in openssh-7.7. Addresses are now canonicalised by default. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19 06:17 UTC
[Bug 2747] Different notations for the same IP-address result in multiple entries in known_hosts
https://bugzilla.mindrot.org/show_bug.cgi?id=2747 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #3 from Damien Miller <djm at mindrot.org> --- Close RESOLVED bugs with the release of openssh-8.0 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.