[Bug 3753] ssh-keygen and ssh-keyscan print SHA1 SSHFP digest by default
bugzilla-daemon at mindrot.org
Sat Sep 20 04:24:06 AEST 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3753
--- Comment #6 from Petr Menšík <pemensik at redhat.com> ---
Related:
- https://datatracker.ietf.org/doc/draft-ietf-dnsop-must-not-sha1/
- https://www.sidn.nl/en/news-and-blogs/algorithms-based-on-outdated-sha-1-cryptography-to-be-removed-from-dnssec-protocol
Because DS records should not be used, I think SSHFP records should
likewise avoid generating SHA1 digests of any key algorithms. For a
good reason ssh-keygen -l does not print a SHA1 digest, but it can be
enabled by ssh-keygen -l -E SHA1. I propose to do the same thing with
SSHFP generators.
Ideally it should also ignore the SHA1 digest when a SHA256 digest was
fetched too.
More information about the openssh-bugs mailing list
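As an added example (not code from the bug report or from OpenSSH) that mirrors the proposal above: it builds SSHFP records from an OpenSSH public key line, emitting the SHA-256 fingerprint type by default and SHA-1 only when explicitly requested, and includes a resolver-side filter that ignores SHA-1 records when a SHA-256 record for the same algorithm is present. The host name and the ed25519 key blob are constructed for the demonstration.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
FPTYPE_SHA1, FPTYPE_SHA256 = 1, 2
HASH_FOR_FPTYPE = {FPTYPE_SHA1: hashlib.sha1, FPTYPE_SHA256: hashlib.sha256}


def key_blob(pubkey_line: str) -> tuple[str, bytes]:
    """Return (key type, raw wire-format blob) from an authorized_keys-style line.
    SSHFP hashes the base64-decoded blob, the same bytes ssh-keygen -l fingerprints."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # Sanity check: the blob starts with an SSH string holding the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type in blob does not match line prefix")
    return keytype, blob


def sshfp_records(hostname: str, pubkey_line: str, include_sha1: bool = False) -> list[str]:
    """Build SSHFP RRs; SHA-1 is omitted unless requested, like -E SHA1 for -l."""
    keytype, blob = key_blob(pubkey_line)
    alg = SSHFP_ALGORITHM[keytype]
    fptypes = [FPTYPE_SHA256] + ([FPTYPE_SHA1] if include_sha1 else [])
    return [f"{hostname} IN SSHFP {alg} {fp} {HASH_FOR_FPTYPE[fp](blob).hexdigest()}"
            for fp in fptypes]


def prefer_sha256(records: list[str]) -> list[str]:
    """Resolver-side filter: drop SHA-1 records for any algorithm that also has SHA-256."""
    parsed = [(r, r.split()) for r in records]
    have256 = {f[3] for _, f in parsed if f[4] == str(FPTYPE_SHA256)}
    return [r for r, f in parsed if not (f[4] == str(FPTYPE_SHA1) and f[3] in have256)]


# Constructed sample key: a syntactically valid ssh-ed25519 wire blob wrapping
# 32 placeholder bytes; this is not a real host key.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed@example"
```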