Hi, Today I fiddled around a bit with my OpenSSH public key files, and I noticed that ssh-keygen prints most non-printable characters in the comment as-is when showing the fingerprint of a key. This can lead to confusing output on the terminal when the comment contains ANSI escape characters which are interpreted by the terminal. The attached public key file serves as an example, which, when fingerprinted on my Linux terminal, looks like this: $ ssh-keygen -E sha256 -lf test.pub 1024 MD5:de:ad:be:ef:00:7h:15:15:af:0r:6e:d0:ha:5h:00:00 nobody@xxxxxxxxxxx (RSA) ... in nice rainbow colors (see [0] for a screenshot). Also note that a SHA256 hash was requested whereas the output is an MD5 hash (which also contains invalid characters, so it cannot really be an MD5 hash...), but you get the point that, in general, this technique can be used to suppress the real fingerprint of a key and let the user see a different one. For this reason, I suggest applying the attached patch (based on commit 271df81 from the OpenSSH Portable GitHub repository), which replaces escape characters (0x1b) in the key comment with a full stop prior to printing it to the terminal. This should serve as a sufficient workaround for the obfuscating escape behaviour of the underlying terminal emulator. Since this is my first patch to OpenSSH, I'm very open for feedback :-) Regards, - Roland [0]: https://rohieb.name/stuff/Selection_609.png
Attachment:
test.pub
Description: application/vnd.ms-publisher
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev