[Bug 2074] New: Host key verification incorrectly handles IPv6 addresses

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Feb 23 21:59:39 EST 2013


            Bug ID: 2074
           Summary: Host key verification incorrectly handles IPv6
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 6.1p1
          Hardware: All
                OS: Linux
            Status: NEW
          Keywords: needs-release-note
          Severity: minor
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: tomaxuser at gmail.com

Host key verification does not handle different but equivalent
notations of an IPv6 address as one. This affects but may be not
limited to usage of ::.

Steps to reproduce:
1. ssh to ::1
2. confirm host key
3. cancel session
(3a. ssh to ::1 again to check that no verification is needed and host
is known)
4. ssh to ::0:1
5. host key confirmation needed
6. cancel session
7. ssh to 0:0:0:0:0:0:0:1
8. host key confirmation needed
9. cancel session

Expected result is that in steps 5 and 8 no confirmation is required
and ssh recognizes that the IP addresses are equivalent with the first
one (per http://tools.ietf.org/html/rfc5952#section-4).

Suggested solution is to canonicalize IPv6 addressees when comparing
them in host key verification.

This affects at least distribution 5.5p1 on Debian Squeeze and 6.1p1
built from source, but probably affects all OSes.

You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list