Bug 2803

Summary: User input for cont. connection w/ new key doesn't check properly
Product: Portable OpenSSH
Reporter: Derbasov, Maksim <ntfs.hard>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: minor
CC: djm, ntfs.hard, troy
Priority: P5
Version: 7.6p1
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 2782

Description Derbasov, Maksim 2017-12-03 11:44:22 AEDT
When you are connecting to an unknown server you will get a message
"The authenticity of host ABC can't be established.
ECDSA key fingerprint is SHA256:XYZ.
Are you sure you want to continue connecting (yes/no)?"

If you type 'yesno', for example, it will be treated as 'yes'.

It looks like the issue is in the `sshconnect.c: static int confirm(const char *prompt)` function. It checks only the first 2 or 3 characters of the user input: strncasecmp(p, "no", 2) || strncasecmp(p, "yes", 3)
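The defect described above is a prefix comparison: `strncasecmp` with a length of 2 or 3 accepts any answer that merely starts with "no" or "yes". The following added example (editor's illustration, not OpenSSH's `confirm()` and not the code from the fix commit; the function and enum names are invented for this demonstration) places that prefix check beside a whole-string check that rejects trailing junk and lets the caller re-prompt instead of guessing.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Result of classifying a yes/no prompt answer. */
enum answer { ANSWER_UNKNOWN = -1, ANSWER_NO = 0, ANSWER_YES = 1 };

/*
 * Prefix check in the style described in the bug report: only the first
 * 2 or 3 characters are compared, so "yesno", "yes please" and "nope"
 * all "match". Shown only to demonstrate the defect.
 */
enum answer classify_prefix(const char *p)
{
    if (p == NULL)
        return ANSWER_UNKNOWN;
    if (strncasecmp(p, "no", 2) == 0)
        return ANSWER_NO;
    if (strncasecmp(p, "yes", 3) == 0)
        return ANSWER_YES;
    return ANSWER_UNKNOWN;
}

/*
 * Whole-string check: the answer must be exactly "yes" or "no"
 * (case-insensitive) with nothing after it. Anything else, including an
 * empty line, is reported as unknown so the caller can ask again.
 */
enum answer classify_exact(const char *p)
{
    if (p == NULL)
        return ANSWER_UNKNOWN;
    if (strcasecmp(p, "no") == 0)
        return ANSWER_NO;
    if (strcasecmp(p, "yes") == 0)
        return ANSWER_YES;
    return ANSWER_UNKNOWN;
}

static const char *answer_name(enum answer a)
{
    return a == ANSWER_YES ? "yes" : a == ANSWER_NO ? "no" : "unknown";
}

int main(void)
{
    /* Constructed sample answers (not from any real session), one per line
     * as a user might type them at the host key prompt. */
    const char *samples[] = { "yes", "YES", "no", "yesno", "nope", "y", "" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-8s prefix=%-8s exact=%s\n", samples[i],
               answer_name(classify_prefix(samples[i])),
               answer_name(classify_exact(samples[i])));
    return 0;
}
```

Running it shows the two checks disagreeing exactly on the junk-suffixed inputs: `classify_prefix` reports "yesno" as yes and "nope" as no, while `classify_exact` reports both as unknown and only accepts the literal words.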
Comment 1 Damien Miller 2018-01-05 13:48:23 AEDT
Fixed in rev e0ce54c0b and will be in OpenSSH 7.7 - thanks!

commit e0ce54c0b9ca3a9388f9c50f4fa6cc25c28a3240
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Dec 6 05:06:21 2017 +0000

    upstream commit
    
    don't accept junk after "yes" or "no" responses to
    hostkey prompts. bz#2803 reported by Maksim Derbasov; ok dtucker@
    
    OpenBSD-Commit-ID: e1b159fb2253be973ce25eb7a7be26e6f967717c
Comment 2 Damien Miller 2018-04-06 12:26:52 AEST
Close all resolved bugs after release of OpenSSH 7.7.
Comment 3 Damien Miller 2019-05-10 14:41:29 AEST
*** Bug 2981 has been marked as a duplicate of this bug. ***