[Bug 2439] New: New sha256-base64 SSH Fingerprints in openssh-6.8
bugzilla-daemon at mindrot.org
Thu Aug 6 00:26:32 AEST 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Bug ID: 2439
Summary: New sha256-base64 SSH Fingerprints in openssh-6.8
Product: Portable OpenSSH
Version: 6.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com

Based on our Fedora bug [1] I started investigating what is up with
the new Fingerprint hashes in openssh-6.8. I found one inconsistency
and a usability problem.

1) First of all, the manual pages mention that:
> Valid options are: “md5” and “sha256”.
but both the config parser and all tools accept ALL digests defined in
"digest-{openssl,glibc}.c" in the array digests[], which contains many more
of them, which do not have any support and can lead to
misunderstanding. I propose to strip the list according to the
documentation. But it collides a bit with the other proposal:

2) As I stated in the previously mentioned bugzilla, it would be great to
have a way to show more Fingerprint types, since most of the
servers still provide only the old fingerprint (and for some years
probably will). Also it is not preferable to be stuck with the old md5 as
default. You can admit that users can always do
    $ ssh server -oFingerprintHash=md5
but it is probably too much for users if they really want to verify
a fingerprint provided through another channel.

My proposal is to add the ability to provide a list of digests that will be
printed (not only one) and as a transition default use both available:
"sha256,md5".

I don't have a patch yet, but if there is some idea how we can
make the transition smoother, feel free to comment.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1249626
--
You are receiving this mail because:
You are watching the assignee of the bug.
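
The two fingerprint formats discussed in this report, computed side by side from one public key line and checked against a fingerprint received out of band. This is an added example, not code from the bug report or from OpenSSH; the function names are hypothetical and the sample key is constructed.

```python
import base64
import hashlib
import struct

ALLOWED = ("md5", "sha256")  # the two values the manual page documents

def fingerprint(blob: bytes, alg: str) -> str:
    """Format the digest of a public key blob as OpenSSH 6.8+ prints it."""
    if alg not in ALLOWED:
        raise ValueError(f"unsupported fingerprint hash: {alg!r}")
    if alg == "md5":
        hexd = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_pubkey_line(line: str) -> bytes:
    """Return the decoded blob from a 'type base64 [comment]' key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match blob")
    return blob

def fingerprints(line: str, algs: str = "sha256,md5") -> list:
    """Fingerprints for every digest in a comma-separated list."""
    blob = parse_pubkey_line(line)
    return [fingerprint(blob, a.strip().lower()) for a in algs.split(",")]

def matches(line: str, expected: str) -> bool:
    """Check a fingerprint received out of band against either format."""
    exp = expected.strip()
    if exp.upper().startswith("MD5:"):
        exp = "MD5:" + exp[4:].lower()
    elif not exp.startswith("SHA256:"):
        exp = "MD5:" + exp.lower()  # bare colon-hex, as older releases print
    return exp in fingerprints(line)

def sample_key_line() -> str:
    """Constructed ssh-ed25519 key line (key bytes 0..31, not a real host)."""
    ktype, key = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(key)) + key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```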