ssh: case insensitive fingerprint validation

Damien Miller djm at mindrot.org
Thu Sep 10 07:58:16 AEST 2020


On Tue, 8 Sep 2020, Patrik Lundin wrote:

> Hello!
> 
> I noticed the ssh client now allows you to paste a fingerprint at the
> host key verification question which I thought was pretty cool and a
> welcome feature.
> 
> When testing it out I discovered it did not care about the case of the
> entered hash, and looking at sshconnect.c I see strcasecmp() is
> used which explains why.
> 
> I'm just curious if this was a deliberate decision or if it would make
> sense to actually care about the case since the base64 encoded sha256
> fingerprints contain a mix of upper and lower case characters.

Yes, it should be case sensitive. I have committed a fix that will
be in OpenSSH 8.4.

Thanks,
Damien
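
An added illustration, not part of the original thread and not OpenSSH source: it compares a typed fingerprint against the displayed one with strcasecmp() and with strcmp(), then decodes both to show that strings differing only in case are different SHA256 digests. The fingerprint values and all function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed samples, not a real host key: displayed value and a lower-cased copy. */
static const char ACTUAL[] = "SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz0123456789+/AbCdE";
static const char TYPED[]  = "SHA256:abcdefghijklmnopqrstuvwxyz0123456789+/abcde";
static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Decode the unpadded base64 after "SHA256:"; returns byte count or -1. */
static int fp_digest(const char *fp, unsigned char out[32]) {
    const char *p, *s = strchr(fp, ':');
    unsigned acc = 0;
    int bits = 0, n = 0;
    if (s == NULL) return -1;
    for (s++; *s != '\0'; s++) {
        if ((p = strchr(B64, *s)) == NULL) return -1;
        acc = ((acc << 6) | (unsigned)(p - B64)) & 0xffff;
        if ((bits += 6) >= 8) {
            if (n == 32) return -1;          /* longer than a SHA256 digest */
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    return n;
}

/* Comparison the thread found in sshconnect.c: case is ignored. */
static int match_insensitive(const char *typed, const char *fp) {
    return strcasecmp(typed, fp) == 0;
}

/* Case-sensitive comparison, the behaviour the reply says is correct. */
static int match_sensitive(const char *typed, const char *fp) {
    return strcmp(typed, fp) == 0;
}

/* 1 if the two digests differ, 0 if equal, -1 if either fails to decode. */
static int digests_differ(const char *a, const char *b) {
    unsigned char da[32], db[32];
    if (fp_digest(a, da) != 32 || fp_digest(b, db) != 32) return -1;
    return memcmp(da, db, 32) != 0;
}

int main(void) {
    printf("strcasecmp accepts=%d strcmp accepts=%d digests differ=%d\n",
        match_insensitive(TYPED, ACTUAL), match_sensitive(TYPED, ACTUAL), digests_differ(TYPED, ACTUAL));
    return 0;
}
```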

