[Bug 3753] New: ssh-keygen and ssh-keyscan print SHA1 SSHFP digest by default

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Nov 20 00:59:24 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3753

            Bug ID: 3753
           Summary: ssh-keygen and ssh-keyscan print SHA1 SSHFP digest by
                    default
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: pemensik at redhat.com

ssh-keygen -r localhost -f ~/.ssh/id_ed25519.pub generates SSHFP
records for inclusion in DNS. But that includes a SHA1 digest, which
should not be used anymore for verification of key status.

A minor issue in the manual page is that it does not mention that -O is
also supported in -r mode. In the top SYNOPSIS section, -r hostname does
not include [-O option] the way -M generate below it does. But it accepts
options.

I can get the desired behaviour by:
ssh-keygen -r localhost -f ~/.ssh/id_ed25519.pub -O hashalg=sha256

But I think -O hashalg=sha1 should be mandatory to print SHA1 digests.
It should be omitted by default.
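As an added illustration (not code from the report or from OpenSSH), the following builds SSHFP records from an OpenSSH public key line the way ssh-keygen -r does, defaulting to the SHA-256 fingerprint type only, and audits a zone file for records that still publish the SHA-1 type. The key material, hostname and zone lines are constructed samples.

```python
"""Build SSHFP records from an OpenSSH public key line, emitting only the
SHA-256 fingerprint (fptype 2) by default, and flag zone records that
still publish SHA-1 (fptype 1).  Stdlib only, runs offline."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479, 8709).
KEY_ALGOS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
FPTYPES = {"sha1": 1, "sha256": 2}   # fingerprint-type field values


def sshfp_records(hostname, pubkey_line, hashalgs=("sha256",)):
    """Return SSHFP zone lines for one public-key line.  hashalgs mirrors
    ssh-keygen's -O hashalg=...; the default is SHA-256 only."""
    keytype, blob_b64 = pubkey_line.split()[:2]
    # The fingerprint is the hash of the raw key blob, i.e. exactly the
    # bytes that are base64-encoded in the public key file.
    blob = base64.b64decode(blob_b64)
    records = []
    for alg in hashalgs:
        digest = hashlib.new(alg, blob).hexdigest()
        records.append(
            f"{hostname} IN SSHFP {KEY_ALGOS[keytype]} {FPTYPES[alg]} {digest}")
    return records


def sha1_sshfp_records(zone_lines):
    """Return the zone lines whose SSHFP fingerprint type is 1 (SHA-1),
    regardless of whether a TTL or class precedes the record type."""
    flagged = []
    for line in zone_lines:
        fields = line.split()
        if "SSHFP" in fields and fields[fields.index("SSHFP") + 2] == "1":
            flagged.append(line)
    return flagged


def constructed_ed25519_key():
    """Constructed sample key: SSH wire format is string("ssh-ed25519")
    followed by string(32 raw bytes).  The 32 bytes are filler, not a key."""
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample@example"
```

Calling sshfp_records("localhost", constructed_ed25519_key()) yields a single "localhost IN SSHFP 4 2 ..." line; passing hashalgs=("sha1", "sha256") reproduces the current default output, which sha1_sshfp_records then flags.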
