ssh-keygen -R is case-sensitive, but should not be

Griff Miller II griff.miller at oplink.net
Sat Apr 16 07:21:06 AEST 2016


Hostnames and domains are case-insensitive, but ssh-keygen -R is not
honoring this.

With openssh-7.2p2 Cygwin/Windows 7 (I've also seen the same behavior on
RHEL/CentOS with 5.3p1 and 6.6.1p1):

% grep -i myhost ~/.ssh/known_hosts # to show myhost is not there yet
% ssh gmiller@Myhost.domain.com date # this will put myhost there if I say
"yes", which I will do. Note mixed case.
The authenticity of host 'myhost.domain.com (1.2.3.4)' can't be established.
RSA key fingerprint is SHA256:kr1BeHAQgtdws3gB1NPpKtVDm9OPJ8Gg1loyiDC1z8Y.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'myhost.domain.com,1.2.3.4' (RSA) to the list
of known hosts.

Fri Apr 15 15:19:54 EDT 2016
% grep -i myhost ~/.ssh/known_hosts # to show that myhost is now in
known_hosts - note it has been smashed to lowercase, which is okay.
myhost.domain.com,1.2.3.4 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAwBsMvQ0wMfDKDXJT092F3NWjv840AHpzP0MWR+vAK1t+Uu5fjh2Jh93GFtwUH6BHCKntA7ZRTryk8xFGxlXy1NEmBzMkzNEDzWtVKBSTwnyxUZHs81r6DWBmJbsqny+lxYcUIUWMvjHis8ms6fT9G5rfde0hoLQzUSCN+L3cE1k=
% ssh-keygen -R Myhost.domain.com # now try to remove it. Case should not
matter here.
Host Myhost.domain.com not found in /home/millerig/.ssh/known_hosts
% grep -i myhost ~/.ssh/known_hosts # ...but it does. Show that it is
still there.
myhost.domain.com,1.2.3.4 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAwBsMvQ0wMfDKDXJT092F3NWjv840AHpzP0MWR+vAK1t+Uu5fjh2Jh93GFtwUH6BHCKntA7ZRTryk8xFGxlXy1NEmBzMkzNEDzWtVKBSTwnyxUZHs81r6DWBmJbsqny+lxYcUIUWMvjHis8ms6fT9G5rfde0hoLQzUSCN+L3cE1k=
% ssh-keygen -R myhost.domain.com # this time it will work because we made
sure to use lower case.
# Host myhost.domain.com found: line 14
/home/millerig/.ssh/known_hosts updated.
Original contents retained as /home/millerig/.ssh/known_hosts.old
% grep -i myhost ~/.ssh/known_hosts # show that it's gone
%

Seems like ssh-keygen -R is performing a case-sensitive string compare on
the provided hostname and the hostnames in the known_hosts file. It should
be a case-insensitive compare.

I can fix my scripts so that I convert to lowercase before calling
ssh-keygen -R, but it would be nice if this could be fixed so that others
don't get caught by surprise.

P.S. The same issue exists for the domain portion of the fully-qualified
hostname.

P.P.S. Here is a patch I whipped up. I hope it might be useful.

-------------------------------------------------------
% diff match.c ~/osrc/openssh-7.2p2/match.c
121a122
> 	char *low_string = 0;
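Review bot: style point on `char *low_string = 0;`: initialise the pointer with `NULL` rather than the integer literal, which matches the `if (low_string) free(low_string);` checks used later in the patch and reads as a pointer rather than a number.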
124c125
< 	u_int i, subi, len = strlen(pattern);
---
> 	u_int i, j, subi, len = strlen(pattern);
156,159c157,165
< 		if (match_pattern(string, sub)) {
< 			if (negated)
< 				return -1;		/* Negative */
< 			else
---
> 		if (low_string) free(low_string);
> 		low_string = malloc(strlen(string) + 1);
> 		for (j = 0; j < strlen(string); ++j) low_string[j] = tolower(string[j]);
> 		low_string[j] = 0;
> 		if (match_pattern((dolower ? low_string : string), sub)) {
> 			if (negated) {
> 				got_positive = -1;		/* Negative */
> 				break;
> 			} else
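Review bot: the result of `low_string = malloc(strlen(string) + 1);` is written to on the very next line without a NULL check, so an allocation failure turns into a write through a null pointer; test the return value and fail closed (treat it as no match). Two smaller points in the same lines: `tolower(string[j])` should be `tolower((unsigned char)string[j])`, because passing a negative `char` to `tolower()` is undefined behaviour, and `string` does not change between subpatterns, so lowercasing it once before the loop (when `dolower` is set) instead of allocating, converting and freeing on every iteration would also drop the repeated `strlen(string)` calls in the loop condition and the free-at-top-of-iteration step.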
165,166c171,172
< 	 * Return success if got a positive match.  If there was a negative
< 	 * match, we have already returned -1 and never get here.
---
> 	 * Return success if there was a positive match;
> 	 * return -1 if there was a negative match.
167a174
> 	if (low_string) free(low_string);
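Review bot: this single `free(low_string)` only runs when the loop falls through to the final return; the negated case was changed to `break` so that it reaches this point, but any other `return` still inside the loop body between the `malloc` and here would leak the buffer. Either audit those paths or hoist the allocation above the loop so there is exactly one allocation and one free.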
-------------------------------------------------------

Griff
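An added illustration of the comparison the report asks for, not part of the original post or of OpenSSH's match.c: a small C lookup that finds a host in a constructed known_hosts text by matching the comma-separated host field case-insensitively, so that "Myhost.domain.com" locates the line "myhost.domain.com,1.2.3.4 ...". It handles only plain host fields (no wildcards, negation or hashed entries) and casts to unsigned char before tolower(), which the posted patch does not.

```c
#include <ctype.h>
#include <string.h>

static const char KNOWN_HOSTS[] = /* constructed sample; keys are placeholders */
    "other.example.org ssh-ed25519 AAAA...PLACEHOLDER1\n"
    "myhost.domain.com,1.2.3.4 ssh-rsa AAAA...PLACEHOLDER2\n";

/* ASCII case-insensitive compare of the first n bytes of a with NUL-terminated b
 * (equal only if b is exactly n bytes); the cast keeps tolower() defined for bytes > 0x7f. */
static int eq_nocase_n(const char *a, size_t n, const char *b)
{
    for (size_t i = 0; i < n; i++)
        if (b[i] == '\0' ||
            tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return b[n] == '\0';
}

/* Does the comma-separated host field of one known_hosts line (field_len bytes,
 * e.g. "myhost.domain.com,1.2.3.4") name host, ignoring case?  Wildcards, '!'
 * negation and hashed (|1|...) entries are not handled here. */
int host_field_matches(const char *field, size_t field_len, const char *host)
{
    size_t start = 0;
    for (size_t i = 0; i <= field_len; i++) {
        if (i == field_len || field[i] == ',') {
            if (eq_nocase_n(field + start, i - start, host))
                return 1;
            start = i + 1;
        }
    }
    return 0;
}

/* 1-based line number of the first known_hosts line whose host field names host,
 * case-insensitively, or 0 if none does (what "ssh-keygen -R" has to find). */
int find_known_host(const char *known_hosts, const char *host)
{
    const char *line = known_hosts;
    for (int lineno = 1; *line != '\0'; lineno++) {
        const char *end = strchr(line, '\n');
        size_t linelen = end ? (size_t)(end - line) : strlen(line);
        const char *sp = memchr(line, ' ', linelen);
        if (host_field_matches(line, sp ? (size_t)(sp - line) : linelen, host))
            return lineno;
        if (end == NULL) break;
        line = end + 1;
    }
    return 0;
}
```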
