[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
bugzilla-daemon at mindrot.org
Wed Dec 17 12:24:57 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=1872
Damien Miller <djm at mindrot.org> changed:
              What|Removed                       |Added
----------------------------------------------------------------------------
  Attachment #2007|0                             |1
       is obsolete|                              |
  Attachment #2429|0                             |1
       is obsolete|                              |
          Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
            Status|NEW                           |ASSIGNED
--- Comment #20 from Damien Miller <djm at mindrot.org> ---
Created attachment 2518
--> https://bugzilla.mindrot.org/attachment.cgi?id=2518&action=edit
FingerprintHash option
This adds a FingerprintHash option to sshd and ssh, and a -E flag to
ssh-add, ssh-agent and ssh-keygen. Fingerprints are now prefixed with
the hash algorithm used and non-MD5 hashes use base64 encoding rather
than hex. The default fingerprint algorithm is SHA256.
Examples:
> ssh-keygen -vlf /etc/ssh/ssh_host_rsa_key.pub
> 2048 SHA256:rLKEbjpoN2+kuMQB7EiPqaeHut65ZfSe/z1EaWtKEmk /etc/ssh/ssh_host_rsa_key.pub (RSA)
> +---[RSA 2048]----+
> | |
> |. |
> |.o . . |
> |= + . E + |
> |.= . . S . o . |
> |o ...... . . + |
> |o++ =o.. o + |
> |=*+=++. . ... |
> |OO++*. o.... .. |
> +----[SHA256]-----+
>
> ssh-keygen -lE md5 -f /etc/ssh/ssh_host_rsa_key.pub
> 2048 MD5:3e:f9:51:d3:29:10:e7:a2:40:6f:2c:d2:7a:4c:bc:b2 /etc/ssh/ssh_host_rsa_key.pub (RSA)
BTW, I chose "FingerprintHash" rather than "FingerprintType" because we
already have different types of fingerprints: hex, bubblebabble and
randomart.
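Added example (not part of the original message or of the OpenSSH patch): a Python sketch that reproduces the two fingerprint formats described in comment #20 from a public key line, and checks a key against a fingerprint in either format. The sample key is constructed for illustration, and the helper names (key_blob, fingerprint, matches) are hypothetical; only MD5 and SHA256 are handled here.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode a length-prefixed SSH wire string."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key (not a real host key): ed25519 blob with dummy key bytes.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"


def key_blob(pubkey_line: str) -> bytes:
    """Decode the key blob from a '<type> <base64> [comment]' public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; check it agrees.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != fields[0].encode():
        raise ValueError("key type does not match blob")
    return blob


def fingerprint(blob: bytes, alg: str = "sha256") -> str:
    """Hash the key blob and render it in the prefixed format shown above."""
    alg = alg.lower()
    if alg not in ("md5", "sha256"):
        raise ValueError("unsupported hash: " + alg)
    digest = hashlib.new(alg, blob).digest()
    if alg == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)  # colon-separated hex
    return alg.upper() + ":" + base64.b64encode(digest).decode().rstrip("=")  # unpadded base64


def matches(pubkey_line: str, expected: str) -> bool:
    """Check a key against a fingerprint, using the hash named in its prefix."""
    alg = expected.partition(":")[0]
    actual = fingerprint(key_blob(pubkey_line), alg)
    return hmac.compare_digest(actual.encode(), expected.encode())


if __name__ == "__main__":
    print(fingerprint(SAMPLE_BLOB))
    print(fingerprint(SAMPLE_BLOB, "md5"))
```

A fingerprint recorded before this change has no prefix, so matches() rejects it with ValueError rather than guessing the hash.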