[Bug 3781] New: IPv6 inconsistency causes TOFU
bugzilla-daemon at mindrot.org
Wed Jan 29 22:07:03 AEDT 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3781
Bug ID: 3781
Summary: IPv6 inconsistency causes TOFU
Product: Portable OpenSSH
Version: 9.7p1
Hardware: All
OS: Other
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: sshbugs.to.davies at spamgourmet.com
I have anonymised potentially identifiable data in my commands and
outputs. I have been allocated a /64 IPv6 range, the fourth group of
which is 0. If I replace the IPv6 host pattern in known_hosts with
xxxx:yyyy:zzzz:*, the certificate works, but would also work for
networks outside my allocated range. If I change it to
xxxx:yyyy:zzzz::* it also works for this particular address, but fails
for some addresses that are generated dynamically. The only solution I
can see is to use two patterns for the same range. This breaks the
principles of both least astonishment and DRY. Since, as demonstrated
by the second test, ssh converts IPv6 addresses from the command line,
would it be possible to carry out the same conversion on addresses from
known_hosts? Perhaps CIDR would do the job. If not, please could this
behaviour and the need for two ranges (or a better workaround) be
documented somewhere?
C:\Users\Administrator>c:\cwrsync_6.3.0_x64_free\bin\ssh user@xxxx:yyyy:zzzz::f3
The authenticity of host 'xxxx:yyyy:zzzz::f3 (xxxx:yyyy:zzzz::f3)' can't be established.
ED25519 key fingerprint is SHA256:qwerqwerqwerqwerqwerqwerqwerqwerqwerqwerqwe.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? no
Host key verification failed.

C:\Users\Administrator>c:\cwrsync_6.3.0_x64_free\bin\ssh user@xxxx:yyyy:zzzz:0::f3
The authenticity of host 'xxxx:yyyy:zzzz::f3 (xxxx:yyyy:zzzz::f3)' can't be established.
ED25519 key fingerprint is SHA256:qwerqwerqwerqwerqwerqwerqwerqwerqwerqwerqwe.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? no
Host key verification failed.

C:\Users\Administrator>cat \cwrsync_6.3.0_x64_free\known_hosts
@cert-authority *.lan.xxxxxxxxxxxxxx,192.168.51.*,192.168.1.*,192.168.13.*,xxxx:yyyy:zzzz:0:* ssh-ed25519 asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdf host_ca.pub
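The mismatch the report describes, reproduced as an added illustration (not from the bug report or from OpenSSH's own code): known_hosts patterns are globbed as text against the address string, so a single pattern cannot cover both the "::"-compressed and the uncompressed spellings of a /64 whose fourth hextet is zero. The /64 and the sample addresses are constructed from the documentation prefix, and the assumption that the string ssh displays equals Python's RFC 5952 compressed form is mine.

```python
import fnmatch
import ipaddress

# Constructed stand-in for the reporter's anonymised /64 (RFC 3849
# documentation prefix); the fourth hextet is zero, as in the report.
PREFIX = ipaddress.ip_network("2001:db8:abcd:0::/64")

# Constructed sample addresses: two inside the /64 (one that compresses
# to "::", one dynamic-looking one that does not) and one just outside.
SAMPLES = [
    "2001:db8:abcd:0::f3",
    "2001:db8:abcd:0:1a2b:3c4d:5e6f:7a8b",
    "2001:db8:abcd:1::f3",
]

def ssh_text_form(addr: str) -> str:
    """The string ssh shows in its prompt. Assumed here to be the RFC 5952
    compressed form, which is what Python's ipaddress produces."""
    return str(ipaddress.ip_address(addr))

def known_hosts_match(patterns: str, addr: str) -> bool:
    """Textual known_hosts matching: comma-separated globs ('*' and '?'),
    a leading '!' negates, compared lowercased against the address text."""
    text = ssh_text_form(addr).lower()
    matched = False
    for pat in patterns.lower().split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(text, pat[1:]):
                return False  # a negated pattern always wins
        elif fnmatch.fnmatchcase(text, pat):
            matched = True
    return matched

def evaluate(patterns: str) -> dict:
    """Per sample: (textual glob verdict, is the address really in our /64).
    A disagreement is either a false reject (the TOFU prompt the reporter
    saw) or a false accept (the CA trusted for hosts outside the range)."""
    return {
        a: (known_hosts_match(patterns, a), ipaddress.ip_address(a) in PREFIX)
        for a in SAMPLES
    }

if __name__ == "__main__":
    for p in ("2001:db8:abcd:0:*", "2001:db8:abcd:*", "2001:db8:abcd::*",
              "2001:db8:abcd::*,2001:db8:abcd:0:*"):
        print(p, evaluate(p))
```

Only the two-pattern line agrees with the CIDR answer for every sample, which is the workaround the report settles on.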