p...@centroid.eu wrote: > Trying to enter an skey system with scp is impossible. Or maybe I'm > just that stupid. > >How-To-Repeat: > scp user:skey@localhost:/tmp/somefile . > >Fix: > beta# echo 12 > /tmp/blah > > beta# scp pjp:skey@localhost:/tmp/blah . > > The authenticity of host 'localhost (127.0.0.1)' can't be established. > ECDSA key fingerprint is SHA256:AJ079NbvOXgq+ZnRxNOCM+Qoi1yu54pWPTp9TcnHYJk. > Are you sure you want to continue connecting (yes/no)? yes > > Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts. > otp-md5 95 beta40350 > S/Key Password: > blah 100% 3 2.3KB/s 00:00 > > beta# more blah > > 12 > ... > > Index: misc.c > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/misc.c,v > retrieving revision 1.129 > diff -u -p -u -r1.129 misc.c > --- misc.c 9 Jun 2018 03:01:12 -0000 1.129 > +++ misc.c 26 Jun 2018 08:42:34 -0000 > @@ -521,8 +521,13 @@ colon(char *cp) > flag = 1; > if (*cp == ']' && *(cp+1) == ':' && flag) > return (cp+1); > - if (*cp == ':' && !flag) > - return (cp); > + if (*cp == ':' && !flag) { > + /* check for :skey@ addition */ > + if (*(cp+1) == 's' && *(cp+5) =='@') > + continue; > + else > + return (cp);
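Review bot: the added `:skey@` test in the `if (*cp == ':' && !flag)` branch, `if (*(cp+1) == 's' && *(cp+5) =='@')`, indexes five bytes past the colon with no length check, so an argument whose remainder is shorter than that is read past its terminating NUL; it also only compares the second and sixth characters, so any `:sXXX@` prefix, not just `:skey@`, takes the `continue` path and that colon is no longer treated as the host:path separator. Use a bounded comparison that stops at the NUL (for example `strncmp(cp + 1, "skey@", 5) == 0`) and document the arguments that change meaning as a result. The hunk as quoted also ends at `return (cp);` without the closing brace of the new block, so the remainder of the change cannot be reviewed from what is shown.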
That diff is crazy and wrong.

First off, the string could be less than 5 long, so you are reaching beyond the end, example: scp pjp:s .

Secondly, :skey is only one form of 4.4BSD/OpenBSD login service. Some of them are listed in the AUTHENTICATION section of login.conf(5).

Thirdly, it becomes impossible to copy certain filenames that contain a :, therefore this is no longer backwards compatible and may affect other use cases, which may even exist in the wild today.

Fourth: such string separation will also impact non-OpenBSD systems with different authentication support, because the change will land in OpenSSH-portable.

I don't think this is the way to handle the problem.
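To make the first and third objections above concrete, here is an added example (constructed for this thread, not OpenSSH's colon() source): a simplified host:path separator scan with the proposed `:skey@` skip placed behind a length guard, run over a few constructed arguments. `separator_index`, its `skey_hack` flag and the sample strings are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Simplified stand-in for scp's host:path separator scan, constructed for this
 * thread (not the OpenSSH colon() source). Returns the index of the ':' that
 * separates host from path, or -1 when the argument is a local path. With
 * skey_hack != 0 it applies the proposed ":skey@" skip, but behind a length
 * guard so a short argument such as "pjp:s" is never read past its NUL.
 */
int
separator_index(const char *arg, int skey_hack)
{
	size_t i, n = strlen(arg);
	int in_bracket = 0;

	if (arg[0] == ':')            /* a leading colon belongs to the file name */
		return -1;
	if (arg[0] == '[')            /* [v6::addr]:path, colons inside are not separators */
		in_bracket = 1;
	for (i = 0; i < n; i++) {
		if (arg[i] == '@' && arg[i + 1] == '[')
			in_bracket = 1;
		if (arg[i] == ']' && arg[i + 1] == ':' && in_bracket)
			return (int)(i + 1);
		if (arg[i] == ':' && !in_bracket) {
			/* the diff tests cp[1]=='s' && cp[5]=='@'; only safe when i+5 < n */
			if (skey_hack && i + 5 < n && arg[i + 1] == 's' && arg[i + 5] == '@')
				continue;  /* "host:s123@file" is now misread as a local path */
			return (int)i;
		}
		if (arg[i] == '/')        /* a slash before any colon means a local path */
			return -1;
	}
	return -1;
}

int
main(void)
{
	/* constructed sample arguments */
	const char *args[] = { "pjp:s", "user:skey@localhost:/tmp/blah",
	    "host:s123@file", "[::1]:/tmp/x", "./local:file" };
	size_t k;

	for (k = 0; k < sizeof(args) / sizeof(args[0]); k++)
		printf("%-32s original=%3d  with-skey-hack=%3d\n", args[k],
		    separator_index(args[k], 0), separator_index(args[k], 1));
	return 0;
}
```

The `host:s123@file` row is the compatibility break from the third objection: the original scan splits it at index 4, while the skip turns it into a local path.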