2692 – Hash does not include the port

Bug 2692 - Hash does not include the port

Summary: Hash does not include the port

Status:	RESOLVED FIXED

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	ssh-keyscan (show other bugs)
Version:	7.4p1
Hardware:	Other Linux

Importance:	P5 minor
Assignee:	Damien Miller

URL:
Keywords:

Depends on:
Blocks:	V_7_5
	Show dependency tree / graph

Reported:	2017-03-09 04:55 EST by Josh Powers
Modified:	2017-03-10 14:18 EST (History)
CC List:	2 users (show)

See Also:

Attachments
include port in ssh-keyscan hash (774 bytes, patch) 2017-03-10 13:42 EST, Damien Miller	dtucker: ok+	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Josh Powers 2017-03-09 04:55:49 EST

This was reported to Ubuntu and I wanted to follow up with the openssh maintainers as to the expected behavior to verify if this is in fact a bug.

When running an ssh-keyscan with the -H option on a custom port the port is not included in the hash and is in plain text. For example:
$ ssh-keyscan -H -p 2222 10.10.10.10
[|1|HASHED_IP]:2222 ssh-rsa MY_RSA_KEY

If however I run ssh-keygen without the -H and then come back with ssh-keygen it will hash the port:
$ ssh-keyscan -p 2222 10.10.10.10 > ~/.ssh/authorized_keys
[10.10.10.10]:2222 ssh-rsa MY_RSA_KEY
$ ssh-keygen -H -f ~/.ssh/authorized_keys
$ cat ~/.ssh/authorized_keys
|1|HASHED_IP_AND_PORT ssh-rsa MY_RSA_KEY

Should ssh-keyscan also be hashing the port?

Comment 1 Damien Miller 2017-03-10 13:42:31 EST

Created attachment 2956 [details]
include port in ssh-keyscan hash

ssh-keyscan is in error here. It's supposed to include the port in the hash as ssh and ssh-keygen do.

Comment 2 Damien Miller 2017-03-10 14:18:39 EST

Patch applied. This will be in OpenSSH 7.5, due soon.