[Bug 2803] New: User input for cont.connection w/ new key doesn't checks properly

bugzilla-daemon at bugzilla.mindrot.org
Sun Dec 3 11:44:22 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2803

            Bug ID: 2803
           Summary: User input for cont.connection w/ new key doesn't
                    checks properly
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: ntfs.hard at gmail.com

When you are connecting to an unknown server you will get a message
"The authenticity of host ABC can't be established.
ECDSA key fingerprint is SHA256:XYZ.
Are you sure you want to continue connecting (yes/no)?"

If you type 'yesno', for example, it will be treated as 'yes'.

It looks like the issue is in `sshconnect.c: static int confirm(const char
*prompt)` function. It checks only 2||3 symbols from user input:
strncasecmp(p, "no", 2)||strncasecmp(p, "yes", 3)

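The prefix comparison quoted in the report, next to a whole-string comparison, as an added example that is not part of the original report and is not OpenSSH's code. The function names, return codes and whitespace trimming are assumptions made for illustration, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Return codes shared by both variants (hypothetical names). */
enum answer { ANSWER_RETRY = -1, ANSWER_NO = 0, ANSWER_YES = 1 };

/* Prefix comparison as quoted in the report: only the first 2 or 3
 * characters are examined, so anything typed after them is ignored. */
enum answer confirm_prefix(const char *p)
{
	if (strncasecmp(p, "no", 2) == 0)
		return ANSWER_NO;
	if (strncasecmp(p, "yes", 3) == 0)
		return ANSWER_YES;
	return ANSWER_RETRY;
}

/* Stricter variant (assumption): trim surrounding whitespace, then
 * require the whole remaining string to be exactly "yes" or "no". */
enum answer confirm_exact(const char *input)
{
	char buf[64];
	size_t len;

	input += strspn(input, " \t\r\n");        /* skip leading whitespace */
	len = strlen(input);
	while (len > 0 && strchr(" \t\r\n", input[len - 1]) != NULL)
		len--;                             /* drop trailing whitespace */
	if (len == 0 || len >= sizeof(buf))
		return ANSWER_RETRY;               /* empty or oversized: ask again */
	memcpy(buf, input, len);
	buf[len] = '\0';

	if (strcasecmp(buf, "no") == 0)
		return ANSWER_NO;
	if (strcasecmp(buf, "yes") == 0)
		return ANSWER_YES;
	return ANSWER_RETRY;
}

int main(void)
{
	/* Constructed sample inputs, as read from a terminal line. */
	const char *samples[] = { "yes\n", "yesno\n", "nope\n", " YES \n", "\n" };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-8.*s prefix=%2d exact=%2d\n", (int)strcspn(samples[i], "\n"),
		    samples[i], confirm_prefix(samples[i]), confirm_exact(samples[i]));
	return 0;
}
```

With the exact comparison, 'yesno' and 'nope' are neither accepted nor rejected; the caller would prompt again.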