[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Dec 17 12:24:57 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2007|0                           |1
        is obsolete|                            |
   Attachment #2429|0                           |1
        is obsolete|                            |
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
             Status|NEW                         |ASSIGNED

--- Comment #20 from Damien Miller <djm at mindrot.org> ---
Created attachment 2518
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2518&action=edit
FingerprintHash option

This adds a FingerprintHash option to sshd and ssh, and a -E flag to
ssh-add, ssh-agent and ssh-keygen. Fingerprints are now prefixed with
the hash algorithm used and non-MD5 hashes use base64 encoding rather
than hex. The default fingerprint algorithm is SHA256.

Examples:

> ssh-keygen -vlf /etc/ssh/ssh_host_rsa_key.pub  
> 2048 SHA256:rLKEbjpoN2+kuMQB7EiPqaeHut65ZfSe/z1EaWtKEmk /etc/ssh/ssh_host_rsa_key.pub (RSA)
> +---[RSA 2048]----+
> |                 |
> |.                |
> |.o        .   .  |
> |= +    . E   +   |
> |.= . .  S . o .  |
> |o ...... . . +   |
> |o++ =o..  o +    |
> |=*+=++. .  ...   |
> |OO++*. o.... ..  |
> +----[SHA256]-----+
> 
> ssh-keygen -lE md5 -f /etc/ssh/ssh_host_rsa_key.pub
> 2048 MD5:3e:f9:51:d3:29:10:e7:a2:40:6f:2c:d2:7a:4c:bc:b2 /etc/ssh/ssh_host_rsa_key.pub (RSA)

BTW, I chose "FingerprintHash" rather than "FingerprintType" because we
already have different types of fingerprints: hex, bubblebabble and
randomart.

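The fingerprint format described in the comment above (hash-algorithm prefix, hex for MD5, unpadded base64 for other hashes), as an added example that is not part of the original message or of the OpenSSH code. The function names and the sample key are assumptions made for illustration; the key is constructed and is not a real host key.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def key_blob(pubkey_line: str) -> bytes:
    """Return the decoded key blob from a 'type base64 [comment]' line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with its own copy of the key type; reject a mismatch.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type in blob does not match declared type")
    return blob


def fingerprint(pubkey_line: str, hash_name: str = "sha256") -> str:
    """Fingerprint of the key blob in the prefixed format shown above."""
    digest = hashlib.new(hash_name, key_blob(pubkey_line)).digest()
    if hash_name == "md5":
        # MD5 keeps the colon-separated hex form.
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    # Other hashes: base64 with the trailing '=' padding removed.
    return hash_name.upper() + ":" + base64.b64encode(digest).decode().rstrip("=")


def matches(pubkey_line: str, expected: str) -> bool:
    """Check a key against a pinned fingerprint; the prefix selects the hash."""
    algo, sep, _ = expected.partition(":")
    if not sep or algo.lower() not in ("md5", "sha256"):
        raise ValueError("fingerprint has no recognised hash prefix")
    return hmac.compare_digest(fingerprint(pubkey_line, algo.lower()), expected)


# Constructed sample key (not a real host key): ed25519 blob with bytes 0..31.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed"

if __name__ == "__main__":
    print(fingerprint(SAMPLE_KEY))
    print(fingerprint(SAMPLE_KEY, "md5"))
```

Because the hash name travels with the fingerprint, a pinned value can be checked without guessing the algorithm, and an unprefixed string is rejected rather than silently treated as MD5.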