[Bug 2332] New: Show more secure fingerprints than MD5 (e.g. SHA256) in ssh and ssh-keygen

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jan 8 05:16:21 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2332

            Bug ID: 2332
           Summary: Show more secure fingerprints than MD5 (e.g. SHA256)
                    in ssh and ssh-keygen
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: kolAflash at kolahilft.de

When connecting to a server for the first time, the only information you
get about the server's public key is a fingerprint in MD5.

As far as I know, MD5 is pretty much broken for security purposes.

I guess it would be wise to additionally (not exclusively) display a
more secure fingerprint. SHA256 or SHA512 would probably be great.

Via a command-line option, ssh could also display the full key (which
isn't that long, especially for ed25519).

ssh-keygen -l -f key-file.pub
also needs to be able to use a better hash function.

--

This is the only way I currently know to calculate a SHA256
fingerprint from the shell.

# The fingerprint is the hash of the raw SSH key blob, i.e. the base64
# column of the .pub file, so decode that column and hash it:
awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | openssl dgst -sha256 -c

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
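The following is an added example, not code from the bug report or from OpenSSH. It shows what "a fingerprint" actually is: a hash over the raw wire-format key blob that sits in the base64 column of a .pub file, the same bytes that end up in known_hosts. It parses that blob (RFC 4251 length-prefixed strings), checks that the key type inside the blob matches the type column, reports the key size the way ssh-keygen -l does, and computes both the legacy colon-separated MD5 form and the SHA256 form that OpenSSH adopted later (from 6.8 on: "SHA256:" plus unpadded base64). The key material is constructed inline for the demonstration and is not a real key; build_pub_line, fingerprints and fingerprint_matches are names chosen here, not OpenSSH APIs.

```python
"""OpenSSH-style MD5 and SHA256 fingerprints computed from a .pub line."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    # RFC 4251 "string": big-endian uint32 length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def parse_ssh_strings(blob: bytes) -> list:
    # Split a key blob into its length-prefixed fields, refusing truncation.
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def build_pub_line(fields: list, comment: str) -> str:
    # Assemble "<type> <base64 blob> <comment>", as found in .pub files.
    blob = b"".join(ssh_string(f) for f in fields)
    return "%s %s %s" % (fields[0].decode(), base64.b64encode(blob).decode(), comment)


def key_blob_from_pub_line(line: str) -> tuple:
    # Return (type, blob, fields); the type column must match the blob's own type.
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    fields = parse_ssh_strings(blob)
    if not fields or fields[0] != keytype.encode():
        raise ValueError("key type inside blob does not match the type column")
    return keytype, blob, fields


def key_bits(fields: list):
    # Key size as ssh-keygen -l reports it: 256 for ed25519, modulus bits for RSA.
    if fields[0] == b"ssh-ed25519":
        return len(fields[1]) * 8
    if fields[0] == b"ssh-rsa":
        # fields: type, mpint e, mpint n (mpint may carry a leading 0x00).
        return int.from_bytes(fields[2], "big").bit_length()
    return None


def md5_fingerprint(blob: bytes) -> str:
    # Legacy OpenSSH display: 16 hex bytes separated by colons.
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob: bytes) -> str:
    # OpenSSH 6.8+ display: "SHA256:" plus base64 of the digest without padding.
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprints(line: str) -> dict:
    keytype, blob, fields = key_blob_from_pub_line(line)
    return {"type": keytype, "bits": key_bits(fields),
            "md5": md5_fingerprint(blob), "sha256": sha256_fingerprint(blob)}


def fingerprint_matches(line: str, expected_sha256: str) -> bool:
    # Out-of-band check: compare against a fingerprint obtained another way.
    return hmac.compare_digest(fingerprints(line)["sha256"], expected_sha256)


def sample_pub_lines() -> dict:
    # Constructed key material for demonstration only; these are not real keys.
    ed = [b"ssh-ed25519", bytes(range(32))]
    rsa = [b"ssh-rsa", b"\x01\x00\x01", b"\x00\x80" + b"\x11" * 255]  # e=65537, 2048-bit n
    return {"ed25519": build_pub_line(ed, "constructed-ed25519"),
            "rsa": build_pub_line(rsa, "constructed-rsa")}


if __name__ == "__main__":
    for name, line in sample_pub_lines().items():
        fp = fingerprints(line)
        print("%s: %d %s (MD5)   %s (SHA256)" % (fp["type"], fp["bits"], fp["md5"], fp["sha256"]))
```

Because both digests are taken over the identical blob, a host whose MD5 fingerprint is shown by an old client and whose SHA256 fingerprint is shown by a newer one can be cross-checked by recomputing both from the same known_hosts or .pub line.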

