Steps to reproduce:

$ ssh-keygen -Y find-principals -s nauka1.txt.sig -f /dev/urandom
/dev/urandom:1: invalid key
/dev/urandom:2: invalid line
/dev/urandom:4: invalid key
/dev/urandom:5: invalid key
Segmentation fault (core dumped)

I don't have a patch yet.
I managed to identify a minimal malformed input that crashes the program:

$ ssh-keygen -Y verify -n file -s ed25519.c.sig -f <( printf "?\x00\n" ) -I a < ed25519.c

The problem is probably in the strdelim_internal() function [misc.c:398]. When it cannot find an accepted separator (whitespace, quotes), it returns the original pointer, but it also sets the value passed by pointer (char **s) to NULL. This value is never checked in parse_principals_key_and_options() [sshsig.c:718] and is ultimately passed to sshkey_read().

I added the following check right before the call to sshkey_read():

if (cp == NULL) {
        error("%s:%lu: invalid line", path, linenum);
        r = SSH_ERR_INVALID_FORMAT;
        goto out;
}

And it seems to solve this problem. However, I think that the parse_principals_key_and_options() function should have some extra pre-check that would immediately eliminate malformed lines, especially those containing 0x00 and other non-printable characters.
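A constructed C model of the failure described in the comment above (an added example, not OpenSSH's own code): a strdelim-style tokenizer that sets the caller's cursor to NULL after the last token, and a line parser that carries the NULL check the reporter proposes before the key is read. The allowed_signers line layout and the `ssh-`/`ecdsa-`/`sk-` prefixes used to tell an options field from the key type are assumptions made for the model.

```c
#include <string.h>

/* Constructed model (not OpenSSH code) of a strdelim-style tokenizer with the
 * contract the report describes: it returns the token at *s and advances *s
 * past the separator, but sets *s to NULL when no separator follows. */
static char *next_token(char **s)
{
    char *old = *s, *p;

    if (old == NULL)
        return NULL;
    if ((p = strpbrk(old, " \t")) == NULL) {
        *s = NULL;      /* last token on the line: cursor becomes NULL */
        return old;
    }
    *p = '\0';
    *s = p + 1 + strspn(p + 1, " \t");
    return old;
}

/* Parse an allowed_signers-style line "principals [options] keytype key".
 * Returns 0 on success, -1 for a malformed line; `line` is split in place. */
int parse_signer_line(char *line, const char **principals,
    const char **options, const char **keytype, const char **key)
{
    char *cp = line + strspn(line, " \t");
    const char *tok;
    *principals = *options = *keytype = *key = NULL;
    if (*cp == '#' || *cp == '\0')
        return -1;              /* blank or comment line */
    *principals = next_token(&cp);
    /* The guard the report adds: the input "?\0" leaves cp == NULL here,
     * and reading the key from it would dereference a NULL pointer. */
    if (cp == NULL)
        return -1;
    tok = next_token(&cp);
    if (strncmp(tok, "ssh-", 4) != 0 && strncmp(tok, "ecdsa-", 6) != 0 &&
        strncmp(tok, "sk-", 3) != 0) {
        *options = tok;         /* e.g. namespaces="file" */
        if (cp == NULL)         /* options but no key: same guard */
            return -1;
        tok = next_token(&cp);
    }
    *keytype = tok;
    if (cp == NULL || *cp == '\0')  /* keytype but no key material */
        return -1;
    *key = next_token(&cp);
    return 0;
}
```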
Thanks, I committed a similar fix. It will be in the OpenSSH 9.0 release, due very soon.
closing bug resolved during openssh-9.0 release cycle