[Bug 2520] New: ssh-keygen: sanitize ANSI escape sequences in key comment

bugzilla-daemon at bugzilla.mindrot.org
Wed Jan 6 06:15:44 AEDT 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2520

            Bug ID: 2520
           Summary: ssh-keygen: sanitize ANSI escape sequences in key
                    comment
           Product: Portable OpenSSH
           Version: 7.1p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: rohieb+bugzillamindrotorg at rohieb.name

Created attachment 2775
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2775&action=edit
public key with ANSI escape sequences

I noticed that ssh-keygen prints most non-printable characters in the
comment as-is when showing the fingerprint of a key. This can lead to
confusing output on the terminal when the comment contains ANSI escape
characters which are interpreted by the terminal. The attached public
key file serves as an example, which, when fingerprinted on my Linux
terminal, looks like this:

$ ssh-keygen -E sha256 -lf test.pub
1024 MD5:de:ad:be:ef:00:7h:15:15:af:0r:6e:d0:ha:5h:00:00
nobody at example.org (RSA)

... in nice rainbow colors (see attached screenshot). Also note that a
SHA256 hash was requested whereas the output is an MD5 hash (which also
contains invalid characters, so it cannot really be an MD5 hash...),
but you get the point that, in general, this technique can be used to
suppress the real fingerprint of a key and let the user see a different
one.

For this reason, I suggest applying the attached patch (based on commit
271df81 from the OpenSSH Portable GitHub repository), which employs
strvis() to escape possibly dangerous characters in the comment prior
to printing it to the terminal.  This should serve as a sufficient
workaround for the obfuscating escape behaviour of the underlying
terminal emulator.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
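
Added example, not part of the original report or its attached patch: a
minimal C sketch of the escaping the report proposes for key comments.
escape_comment() is a hypothetical stand-in for strvis() (which glibc does
not ship); it writes every non-printable byte, and the backslash, as a
\ooo octal escape, and the sample comment below is constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not OpenSSH code): copy src into dst, replacing each
 * byte outside printable ASCII, and the backslash itself, with a \ooo octal
 * escape so the terminal never receives raw control bytes.
 * Returns the escaped length, or -1 if dst is too small.
 */
static int
escape_comment(char *dst, size_t dstlen, const char *src)
{
	const unsigned char *p;
	size_t o = 0;

	if (dstlen == 0)
		return -1;
	for (p = (const unsigned char *)src; *p != '\0'; p++) {
		if (*p >= 0x20 && *p <= 0x7e && *p != '\\') {
			if (o + 1 >= dstlen)	/* keep room for the NUL */
				return -1;
			dst[o++] = (char)*p;
		} else {
			if (o + 4 >= dstlen)	/* 4 chars plus the NUL */
				return -1;
			snprintf(dst + o, 5, "\\%03o", (unsigned int)*p);
			o += 4;
		}
	}
	dst[o] = '\0';
	return (int)o;
}

int
main(void)
{
	/* Constructed sample: a comment wrapped in a colour (SGR) sequence. */
	const char *comment = "\033[31mnobody@example.org\033[0m";
	char safe[128];

	if (escape_comment(safe, sizeof(safe), comment) < 0)
		return 1;
	/* The fingerprint field is a placeholder, not a real digest. */
	printf("1024 SHA256:<fingerprint> %s (RSA)\n", safe);
	return 0;
}
```

With this in place the escape bytes show up literally as \033 in the
output, so the reader sees that the comment carried control sequences.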

