Bug 2692 - Hash does not include the port
Status: RESOLVED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keyscan
Version: 7.4p1
Hardware: Other Linux
Importance: P5 minor
Assignee: Damien Miller
Blocks: V_7_5
Reported: 2017-03-09 04:55 EST by Josh Powers
Modified: 2017-03-10 14:18 EST
Attachments
include port in ssh-keyscan hash (774 bytes, patch)
2017-03-10 13:42 EST, Damien Miller
dtucker: ok+

Description Josh Powers 2017-03-09 04:55:49 EST
This was reported to Ubuntu and I wanted to follow up with the openssh maintainers as to the expected behavior to verify if this is in fact a bug.

When running an ssh-keyscan with the -H option on a custom port, the port is not included in the hash and is in plain text. For example:
$ ssh-keyscan -H -p 2222 10.10.10.10
[|1|HASHED_IP]:2222 ssh-rsa MY_RSA_KEY

If however I run ssh-keygen without the -H and then come back with ssh-keygen it will hash the port:
$ ssh-keyscan -p 2222 10.10.10.10 > ~/.ssh/authorized_keys
[10.10.10.10]:2222 ssh-rsa MY_RSA_KEY
$ ssh-keygen -H -f ~/.ssh/authorized_keys
$ cat ~/.ssh/authorized_keys
|1|HASHED_IP_AND_PORT ssh-rsa MY_RSA_KEY

Should ssh-keyscan also be hashing the port?
Comment 1 Damien Miller 2017-03-10 13:42:31 EST
Created attachment 2956
include port in ssh-keyscan hash

ssh-keyscan is in error here. It's supposed to include the port in the hash as ssh and ssh-keygen do.
Comment 2 Damien Miller 2017-03-10 14:18:39 EST
Patch applied. This will be in OpenSSH 7.5, due soon.
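
The hashed-name format discussed in this report, as an added example that is not part of the bug thread or the attached patch: it rebuilds a hashed known_hosts name (HMAC-SHA1 keyed with the salt, over "[host]:port" for a non-default port) and flags entries of the shape shown in the description, where the port sits outside the hash. The function names, the fixed salt and the sample lines are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

def host_token(host, port=22):
    """Name that is hashed: bare host on port 22, otherwise "[host]:port"."""
    return host if port == 22 else f"[{host}]:{port}"

def hash_host(token, salt):
    """Hashed name field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=token))."""
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def matches(hashed, host, port=22):
    """True if a hashed name field corresponds to this host and port."""
    parts = hashed.split("|")
    if len(parts) != 4 or parts[:2] != ["", "1"]:
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(hash_host(host_token(host, port), salt), hashed)

# Shape shown in the report: hash wrapped in brackets, port left in clear text.
PORT_OUTSIDE_HASH = re.compile(r"\[(\|1\|[^|\]]+\|[^|\]]+)\]:(\d+)")

def audit(lines):
    """Return (line_number, exposed_port) for entries whose port is outside the hash."""
    findings = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An optional marker (@cert-authority, @revoked) precedes the names field.
        names = fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]
        hit = PORT_OUTSIDE_HASH.fullmatch(names)
        if hit:
            findings.append((number, int(hit.group(2))))
    return findings

SALT = bytes(range(20))  # constructed sample: fixed salt, placeholder key text
SAMPLE = [
    "[%s]:2222 ssh-rsa MY_RSA_KEY" % hash_host("10.10.10.10", SALT),
    "%s ssh-rsa MY_RSA_KEY" % hash_host(host_token("10.10.10.10", 2222), SALT),
    "[10.10.10.10]:2222 ssh-rsa MY_RSA_KEY",
]

print(audit(SAMPLE))  # [(1, 2222)]
```

Entries that `audit` reports should be regenerated with a fixed ssh-keyscan, or rescanned without -H and hashed with ssh-keygen -H.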