[Bug 2520] New: ssh-keygen: sanitize ANSI escape sequences in key comment
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Wed Jan 6 06:15:44 AEDT 2016
https://bugzilla.mindrot.org/show_bug.cgi?id=2520
Bug ID: 2520
Summary: ssh-keygen: sanitize ANSI escape sequences in key
comment
Product: Portable OpenSSH
Version: 7.1p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: rohieb+bugzillamindrotorg at rohieb.name
Created attachment 2775
--> https://bugzilla.mindrot.org/attachment.cgi?id=2775&action=edit
public key with ANSI escape sequences
I noticed that ssh-keygen prints most non-printable characters in the
comment as-is when showing the fingerprint of a key. This can lead to
confusing output on the terminal when the comment contains ANSI escape
characters which are interpreted by the terminal. The attached public
key file serves as an example, which, when fingerprinted on my Linux
terminal, looks like this:
$ ssh-keygen -E sha256 -lf test.pub
1024 MD5:de:ad:be:ef:00:7h:15:15:af:0r:6e:d0:ha:5h:00:00
nobody at example.org (RSA)
... in nice rainbow colors (see attached screenshot). Also note that a
SHA256 hash was requested whereas the output is an MD5 hash (which also
contains invalid characters, so it cannot really be an MD5 hash...),
but you get the point that, in general, this technique can be used to
suppress the real fingerprint of a key and let the user see a different
one.
For this reason, I suggest applying the attached patch (based on commit
271df81 from the OpenSSH Portable GitHub repository), which emplys
strvis() to escape possibly dangerous characters in the comment prior
to printing it to the terminal. This should serve as a sufficient
workaround for the obfuscating escape behaviour of the underlying
terminal emulator.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list