[Bug 2786] New: New OpenSSH fails to parse public keys with bogus whitespace
bugzilla-daemon at bugzilla.mindrot.org
Thu Sep 28 00:54:32 AEST 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2786
Bug ID: 2786
Summary: New OpenSSH fails to parse public keys with bogus whitespace
Product: Portable OpenSSH
Version: 7.5p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 3062
--> https://bugzilla.mindrot.org/attachment.cgi?id=3062&action=edit
do not be strict about whitespace in public keys
OpenSSH versions prior to 6.7 were more benevolent about whitespace around
the public key blob. The first of the following keys is parsed properly, but the
second is not:
ssh-rsa AAAAB3NzaC1yc2EAAAAB.... blah at example.com
ssh-rsa  AAAAB3NzaC1yc2EAAAAB.... blah at example.com
This was changed in commit [1], which moved away from the uudecode()
function (which skipped bogus whitespace) to the sshbuf_b64tod()
function (which already gets a zero-length buffer from
sshkey_read(), because strchr(cp, ' ') returns the immediately
following space in the above example).
The documentation is clear that there should be only a single whitespace,
but being benevolent about the whitespace is good, especially in case
of handling public keys, which can come from various sources, for
example users pasting them through a web interface (github, gitlab, ...).
The attached one-line patch skips the whitespace and returns to
the old behavior.
This bug is based on the Red Hat bugzilla [2].
[1] https://github.com/openssh/openssh-portable/commit/8668706d
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1493406
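The zero-length blob described in the report can be reproduced with a simplified model of the field split. This is an added example, not code from the report, the attached patch, or OpenSSH; the function name blob_field_len, the skip_ws switch, and the sample lines are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of splitting "<type> <blob> <comment>" (not OpenSSH source).
 * Returns the length of the base64 blob field, or -1 if no separator follows
 * the key type. skip_ws = 0 models the strict split; skip_ws = 1 skips extra
 * spaces/tabs before the blob, as the report proposes.
 */
static long blob_field_len(const char *line, int skip_ws, const char **blob)
{
    const char *cp = strchr(line, ' ');   /* end of the key type token */
    const char *end;

    if (cp == NULL)
        return -1;
    cp++;                                  /* step over exactly one separator */
    if (skip_ws)
        cp += strspn(cp, " \t");           /* lenient: skip extra whitespace */
    end = strchr(cp, ' ');                 /* start of the comment, if any */
    if (end == NULL)
        end = cp + strlen(cp);
    *blob = cp;
    return (long)(end - cp);               /* 0 means an empty blob is decoded */
}

/* Constructed sample lines; the blob is a truncated placeholder, not a key. */
static const char *one_space = "ssh-rsa AAAAB3NzaC1yc2EAAAAB user@example.com";
static const char *two_space = "ssh-rsa  AAAAB3NzaC1yc2EAAAAB user@example.com";

int main(void)
{
    const char *lines[] = { one_space, two_space };
    const char *blob;

    for (int i = 0; i < 2; i++) {
        for (int skip = 0; skip <= 1; skip++) {
            long n = blob_field_len(lines[i], skip, &blob);
            printf("line %d skip_ws=%d blob_len=%ld\n", i, skip, n);
        }
    }
    return 0;
}
```

With the strict split, the second line yields a blob length of 0 because the search for the end of the blob stops at the extra space it starts on.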