[Bug 3753] New: ssh-keygen and ssh-keyscan prints SHA1 SSHFP digest by default
bugzilla-daemon at mindrot.org
Wed Nov 20 00:59:24 AEDT 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3753
Bug ID: 3753
Summary: ssh-keygen and ssh-keyscan prints SHA1 SSHFP digest by default
Product: Portable OpenSSH
Version: 9.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: pemensik at redhat.com
ssh-keygen -r localhost -f ~/.ssh/id_ed25519.pub generates SSHFP
records for inclusion in DNS. But that includes a SHA1 digest, which
should not be used anymore for verification of key status.
A minor issue in the manual page is that it does not mention that -O is
also supported in -r mode. In the top SYNOPSIS section, -r hostname does
not contain [-O option] like -M generate below it does. But it accepts
options.
I can get the desired behaviour by:
ssh-keygen -r localhost -f ~/.ssh/id_ed25519.pub -O hashalg=sha256
But I think -O hashalg=sha1 should be mandatory to print SHA1 digests.
It should be omitted by default.
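As an added illustration of what the report is about, and not code from OpenSSH or from the reporter, the following Python builds SSHFP records the way ssh-keygen -r does: it base64-decodes the key blob from an OpenSSH .pub line, maps the key type to the SSHFP algorithm number, and hashes the blob with the requested fingerprint algorithms. The default emits only the SHA-256 (type 2) record; the SHA-1 (type 1) record is produced only when sha1 is asked for explicitly, which is the behaviour the reporter proposes. The function names and the 32-byte Ed25519 key used as input are constructed for this example and are not from the original page.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers from the IANA registry (RFC 4255, 6594, 7479, 8709).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}

# SSHFP fingerprint type numbers: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_TYPES = {"sha1": 1, "sha256": 2}


def parse_openssh_pubkey(line):
    """Return (key_type, raw_blob) from one line of an OpenSSH .pub file.

    The blob is the base64-decoded SSH wire encoding of the key; SSHFP
    fingerprints are hashes over exactly this blob.
    """
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The first wire field inside the blob is the key type string; if it
    # disagrees with the leading text field the line is inconsistent.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii") != key_type:
        raise ValueError("key type in blob does not match text field")
    return key_type, blob


def sshfp_records(hostname, pubkey_line, hashalgs=("sha256",)):
    """Build SSHFP presentation-format records for one public key.

    By default only the SHA-256 fingerprint is emitted (the opt-in SHA-1
    behaviour proposed in the bug); pass hashalgs=("sha1", "sha256") to
    also get the SHA-1 record.
    """
    key_type, blob = parse_openssh_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHMS[key_type]
    records = []
    for h in hashalgs:
        digest = hashlib.new(h, blob).hexdigest()
        records.append(f"{hostname} IN SSHFP {alg} {FP_TYPES[h]} {digest}")
    return records


def make_ed25519_pubkey_line(raw32):
    """Wire-encode a 32-byte Ed25519 public key as an OpenSSH .pub line.

    Used only to construct test input; the key bytes are not a real key.
    """
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(raw32)) + raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed@example"


# Constructed sample key (deterministic bytes 0x00..0x1f, not a real key).
SAMPLE_PUBKEY = make_ed25519_pubkey_line(bytes(range(32)))

if __name__ == "__main__":
    print("default (SHA-256 only):")
    for rec in sshfp_records("localhost", SAMPLE_PUBKEY):
        print(" ", rec)
    print("with SHA-1 explicitly requested:")
    for rec in sshfp_records("localhost", SAMPLE_PUBKEY, ("sha1", "sha256")):
        print(" ", rec)
```

The records can be checked against real output with `ssh-keygen -r localhost -f key.pub -O hashalg=sha256`; the fingerprint for a given key is the same regardless of which tool hashes the blob, so a mismatch indicates the wrong key file or a corrupted line.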