[PATCH] regression of comment extraction in private key file without passphrase

Loïc loic at venez.fr
Fri Apr 17 18:25:51 AEST 2020 

Hi

Le 17/04/2020 à 05:52, Damien Miller a écrit :
> On Wed, 15 Apr 2020, Loïc wrote:
>
>> Hello,
>>
>> In one recent change
>> (https://anongit.mindrot.org/openssh.git/commit/?id=2b13d3934d5803703c04803ca3a93078ecb5b715),
>> I noticed a regression.
>>
>> If ssh-keygen is given a private file without passphrase and without the
>> corresponding .pub file, I doesn't extract the comment after the commit,
>> while it did before:
>>
>> Before the commit:
>>
>> $ ./ssh-keygen -q -t dsa -N '' -C foobar -f test_dsa
>> $ ./ssh-keygen -l -f test_dsa
>> 1024 SHA256:/E/JUVD3FO4vHYs+8RfXJW+ah4H4bHcBrCRKFcfZSJk foobar (DSA)
>> $ rm test_dsa.pub
>> $ ./ssh-keygen -l -f test_dsa
>> 1024 SHA256:/E/JUVD3FO4vHYs+8RfXJW+ah4H4bHcBrCRKFcfZSJk foobar (DSA)
>>
>> Last command after the commit:
>>
>> $ ./ssh-keygen -l -f test_dsa
>> 1024 SHA256:/E/JUVD3FO4vHYs+8RfXJW+ah4H4bHcBrCRKFcfZSJk no comment (DSA)
>>
>> It is due to the fact that the 'sshkey_load_public' function is now
>> finishing by sshkey_load_public_from_private, which is not failing on a
>> (new format) private file. Previously, if did fail and so the
>> fingerprint_private function was calling sshkey_load_private without
>> passphrase as a fallback.
>>
>>
>> I suggest to move the fallback inside the sshkey_load_public, so to call
>> the sshkey_load_private without passphrase in the sshkey_load_public
>> before extracting the public key from the private file.
>>
>> Here is the suggested patch below.
> IMO it's easier to flip the order of operations in
> ssh-keygen.c:fingerprint_private():

Yes, your patch is simpler. Unfortunately, it also has a regression when
the private key file is in the old format which doesn't contain the
comment and when the .pub is not removed which is a more common case
probably:

On latest git:

$ ./ssh-keygen -q -m PEM -t dsa -N '' -C foobar -f test_dsa
$ ./ssh-keygen -l -f test_dsa
1024 SHA256:Yqp+0QYlbsfJotozWtbWVHv+WAAu2PEFwo2ZTeRPzv8 no comment (DSA)

With openssh version 8.2:

$ ssh-keygen -l -f test_dsa
1024 SHA256:Yqp+0QYlbsfJotozWtbWVHv+WAAu2PEFwo2ZTeRPzv8 foobar (DSA)

Best regards

Loïc

More information about the openssh-unix-dev mailing list