[Bug 3375] New: SHA1 is used as a proof of possession for the RSA key

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Dec 16 20:56:04 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3375

            Bug ID: 3375
           Summary: SHA1 is used as a proof of possession for the RSA key
           Product: Portable OpenSSH
           Version: 8.7p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: dbelyavs at redhat.com

If we need to get a proof of ownership for a RSA key on establishing a
connection, the SHA1 algorithm is used by default (see the ssh_rsa_sign
function). Not sure that it is the best possible option now. 

As it is possible to explicitly request the hash, it's worth analyze
the client's capabilities and use SHA2 for this purpose.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list