Package: libssh-4
Version: 0.5.2-1
Severity: normal

Dear Maintainer,

The parser of the known_hosts file does not fully comply with the specification
of known_hosts files as described in sshd(8).

More precisely, if an entry contains a comment field (4th field) like in:

abel.debian.org,abel,217.140.96.56 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA14isG3iFLMaqbmNoF1rXcG0dPwKWANn7Exi1ZlF52EflIfevLH5qCNg1JpIklwITgreGGrzZmPqWG89mZipz0+oYYDhSQjecGCKrA6QtP93uhFC+8KID0yQw6GmtxtcLZWxthbVZQLbRVjuieYsvXZ4mVEXjsNDXAJKjZHu3ZBlbzATZBWW0k1dE7KC5XKq/w/E5KXD4Jy0AonJdZxnpyNunw04Zt8gfvjIpokq+x8Mwe1+6LZpzCf7Hb+dL7/yYvLcSDLm5wllfuJ9mwRgFFG0Ka2+XFphPS8jzsw5G6M5+niwcKlkVeV43HqOFO7jWHCP/sJMF0+WkmCDOQ1HoCQ== root@abel

Then the entry is not processed and libssh asks for user confirmation of the
fingerprint.

Removing the comment (here "root@abel") fixes the problem. However, comment
fields are explicitly allowed by the known_hosts spec, and should therefore be
supported (they are, for example, used in the known_hosts provided by DSA, from
which the above example is extracted).

The problematic code is in src/known_hosts.c around line 153: the code assumes
that having four fields implies that this is an old RSA-1 key, which is a wrong
assumption.
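As an added illustration (not libssh code, and not part of this report), a small classifier that decides the entry format from the form of the second field rather than from the field count, so that a trailing comment on a modern entry is accepted; the function names and the "ssh-rsa1" label are choices made for this example:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example: how a known_hosts line should be classified. Not libssh code. */
enum kh_kind { KH_EMPTY = 0, KH_INVALID, KH_RSA1, KH_MODERN };

/* Read the next whitespace-delimited token at *p into dst (if non-NULL) and
 * advance *p past it.  Returns the token length, 0 when the line is exhausted. */
static size_t kh_token(const char **p, char *dst, size_t dstlen)
{
    const char *s = *p;
    size_t n = 0;
    while (*s == ' ' || *s == '\t') s++;
    while (s[n] && !strchr(" \t\r\n", s[n])) n++;
    if (dst) {
        size_t c = n < dstlen - 1 ? n : dstlen - 1;
        memcpy(dst, s, c);
        dst[c] = '\0';
    }
    *p = s + n;
    return n;
}

static int kh_all_digits(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++) if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Classify by the form of the 2nd field, not by counting fields:
 * RSA1 entries are "host bits exponent modulus" (2nd field is numeric);
 * everything else is "host keytype base64-key [comment ...]", so any
 * fields after the key are a comment and must not change the parse. */
enum kh_kind kh_classify(const char *line, char *host, size_t hostlen,
                         char *keytype, size_t typelen)
{
    const char *p = line;
    char f1[256], f2[64], f3[32];

    if (kh_token(&p, f1, sizeof f1) == 0 || f1[0] == '#') return KH_EMPTY;
    if (f1[0] == '@' && kh_token(&p, f1, sizeof f1) == 0)  /* @cert-authority, @revoked */
        return KH_INVALID;
    if (kh_token(&p, f2, sizeof f2) == 0) return KH_INVALID;
    snprintf(host, hostlen, "%s", f1);
    if (kh_all_digits(f2)) {             /* RSA1: exponent and modulus must follow */
        if (kh_token(&p, f3, sizeof f3) == 0 || !kh_all_digits(f3)) return KH_INVALID;
        if (kh_token(&p, NULL, 0) == 0) return KH_INVALID;
        snprintf(keytype, typelen, "ssh-rsa1");   /* label chosen for this example */
        return KH_RSA1;
    }
    if (kh_token(&p, NULL, 0) == 0) return KH_INVALID;   /* base64 key is mandatory */
    snprintf(keytype, typelen, "%s", f2);
    return KH_MODERN;                    /* remaining tokens are the comment */
}
```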

Regards,

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssh-4 depends on:
ii  libc6              2.13-35
ii  libssl1.0.0        1.0.1c-4
ii  multiarch-support  2.13-35
ii  zlib1g             1:1.2.7.dfsg-13

libssh-4 recommends no packages.

libssh-4 suggests no packages.

-- no debconf information

