Bug 2803 - User input for cont.connection w/ new key doesn't check properly
Summary: User input for cont.connection w/ new key doesn't check properly
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh (show other bugs)
Version: 7.6p1
Hardware: All All
Importance: P5 minor
Assignee: Assigned to nobody
URL:
Keywords:
Duplicates: 2981
Depends on:
Blocks: V_7_7
Reported: 2017-12-03 11:44 AEDT by Derbasov, Maksim
Modified: 2019-05-10 14:41 AEST (History)

Description Derbasov, Maksim 2017-12-03 11:44:22 AEDT
When connecting to an unknown server you get the message
"The authenticity of host ABC can't be established.
ECDSA key fingerprint is SHA256:XYZ.
Are you sure you want to continue connecting (yes/no)?"

If you type 'yesno', for example, it will be treated as 'yes'.

It looks like the issue is in the `sshconnect.c: static int confirm(const char *prompt)` function. It checks only the first 2 or 3 symbols of the user input: strncasecmp(p, "no", 2) || strncasecmp(p, "yes", 3)
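To make the reporter's point concrete, the following is an added C example, not OpenSSH's own confirm() code, that puts a prefix comparison of the kind described above beside an exact whole-answer comparison. Instead of reading from the terminal, both functions take the answer as a string so the behaviour can be checked offline. The names confirm_prefix and confirm_exact, the choice to treat an empty answer as "no", and the sample answers in main() are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

/*
 * Both functions return 1 for "yes", 0 for "no" and -1 for an answer that
 * was not understood (the caller is expected to prompt again).
 */

/*
 * Prefix comparison, the pattern the report describes: only the first two
 * or three characters are compared, so "yesno", "yes please" or "nope"
 * are silently accepted as "yes" / "no".
 */
int confirm_prefix(const char *p)
{
    int ret = -1;

    if (p == NULL || strncasecmp(p, "no", 2) == 0)
        ret = 0;
    if (p != NULL && strncasecmp(p, "yes", 3) == 0)
        ret = 1;
    return ret;
}

/*
 * Exact comparison: cut the answer at the first CR/LF the terminal may
 * have left in the buffer, then require the whole remaining string to be
 * exactly "yes" or "no" (case-insensitive). An empty answer is treated as
 * "no" (fail closed; an assumption of this example). Anything else, including
 * "yesno" or "y", returns -1 so the caller re-prompts.
 */
int confirm_exact(const char *p)
{
    char buf[16];
    size_t n;

    if (p == NULL)
        return 0;

    /* Copy up to the line end; an answer longer than the buffer cannot be
     * valid, so reject it rather than truncate it. */
    n = strcspn(p, "\r\n");
    if (n >= sizeof(buf))
        return -1;
    memcpy(buf, p, n);
    buf[n] = '\0';

    if (buf[0] == '\0' || strcasecmp(buf, "no") == 0)
        return 0;
    if (strcasecmp(buf, "yes") == 0)
        return 1;
    return -1;
}

int main(void)
{
    /* Constructed sample answers, including the reporter's "yesno" case. */
    const char *answers[] = { "yes", "YES\n", "yesno", "yes please",
                              "no", "nope", "y", "", "maybe" };
    size_t i;

    printf("%-12s %7s %6s\n", "answer", "prefix", "exact");
    for (i = 0; i < sizeof(answers) / sizeof(answers[0]); i++) {
        printf("%-12s %7d %6d\n", answers[i],
               confirm_prefix(answers[i]), confirm_exact(answers[i]));
    }
    return 0;
}
```

Run it to see the two columns diverge exactly on the junk-suffixed answers: the prefix version reports 1 for "yesno" and "yes please" and 0 for "nope", while the exact version returns -1 for all three and accepts only "yes"/"YES" and "no".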
Comment 1 Damien Miller 2018-01-05 13:48:23 AEDT
Fixed in rev e0ce54c0b and will be in OpenSSH 7.7 - thanks!

commit e0ce54c0b9ca3a9388f9c50f4fa6cc25c28a3240
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Wed Dec 6 05:06:21 2017 +0000

    upstream commit
    
    don't accept junk after "yes" or "no" responses to
    hostkey prompts. bz#2803 reported by Maksim Derbasov; ok dtucker@
    
    OpenBSD-Commit-ID: e1b159fb2253be973ce25eb7a7be26e6f967717c
Comment 2 Damien Miller 2018-04-06 12:26:52 AEST
Close all resolved bugs after release of OpenSSH 7.7.
Comment 3 Damien Miller 2019-05-10 14:41:29 AEST
*** Bug 2981 has been marked as a duplicate of this bug. ***