[Bug 3375] New: SHA1 is used as a proof of possession for the RSA key
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Thu Dec 16 20:56:04 AEDT 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3375
Bug ID: 3375
Summary: SHA1 is used as a proof of possession for the RSA key
Product: Portable OpenSSH
Version: 8.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: dbelyavs at redhat.com
If we need to get a proof of ownership for a RSA key on establishing a
connection, the SHA1 algorithm is used by default (see the ssh_rsa_sign
function). Not sure that it is the best possible option now.
As it is possible to explicitly request the hash, it's worth analyze
the client's capabilities and use SHA2 for this purpose.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list