[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)

bugzilla-daemon at mindrot.org
Fri Apr 18 21:28:31 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Petr Lautrbach <plautrba at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |plautrba at redhat.com

--- Comment #15 from Petr Lautrbach <plautrba at redhat.com> ---
The original proposal used the SSH_FINGERPRINT_TYPE environmental variable
for configuring the fingerprint type. I'd rather use an ssh and sshd option for
that.

     FingerprintType
             Specifies the cryptographic hash function to use for key
             fingerprints.
             The supported hashes are: “md5”, “sha1” and “sha256”.

             The default is “md5”.


$ ssh -o FingerprintType=sha256  -p 2222 localhost
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be
established.
ECDSA key fingerprint is
[sha256]5b:bc:6c:0a:b2:8d:84:eb:2a:6b:14:92:94:1c:85:b3:82:98:ba:b0:55:fd:2a:61:52:8c:b0:79:49:4b:e7:73.
Are you sure you want to continue connecting (yes/no)

or 

# sshd -o FingerPrintType=sha256 -o Port=2222 -f /etc/ssh/sshd_config
-D -dd
...
debug1: matching key found: file /home/user/.ssh/authorized_keys, line
1 RSA
[sha256]5f:ac:7f:dd:ce:19:46:c4:4d:b5:55:0b:a0:1a:46:49:93:09:31:4d:35:b7:e0:c0:85:d4:69:ec:c9:65:5c:c8
...
debug1: matching key found: file /home/user/.ssh/authorized_keys, line
1 RSA
[sha256]5f:ac:7f:dd:ce:19:46:c4:4d:b5:55:0b:a0:1a:46:49:93:09:31:4d:35:b7:e0:c0:85:d4:69:ec:c9:65:5c:c8
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
Accepted publickey for user from 127.0.0.1 port 50738 ssh2: RSA
[sha256]5f:ac:7f:dd:ce:19:46:c4:4d:b5:55:0b:a0:1a:46:49:93:09:31:4d:35:b7:e0:c0:85:d4:69:ec:c9:65:5c:c8

Similarly for ssh-keygen, ssh-agent and ssh-add, but using a command line
option. In the case of ssh-keygen, it'll be quite hard to find an unused
letter.

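The fingerprint format shown in the comment above ("[type]" followed by the colon-separated hex digest of the raw key blob) can be reproduced and checked outside OpenSSH. The following is an added example, not code from OpenSSH or from the bug; it builds a constructed ssh-ed25519 key blob (the 32-byte value is arbitrary, not a real key), fingerprints it with each of the proposed FingerprintType values, and verifies a displayed fingerprint against a public key line with a constant-time comparison.

```python
import base64
import hashlib
import hmac
import struct

# Hash functions the proposed FingerprintType option would accept.
SUPPORTED_FINGERPRINT_TYPES = ("md5", "sha1", "sha256")


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def decode_public_key_line(line: str) -> bytes:
    """Return the raw key blob from an authorized_keys / known_hosts style line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with the key type as an SSH string; it must match field 0.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode() != fields[0]:
        raise ValueError("key type in blob does not match declared type")
    return blob


def fingerprint(blob: bytes, fp_type: str = "md5") -> str:
    """Fingerprint a key blob as '[type]aa:bb:...', the format shown in the bug."""
    if fp_type not in SUPPORTED_FINGERPRINT_TYPES:
        raise ValueError(f"unsupported FingerprintType: {fp_type}")
    digest = hashlib.new(fp_type, blob).digest()
    return f"[{fp_type}]" + ":".join(f"{b:02x}" for b in digest)


def fingerprint_matches(shown: str, key_line: str) -> bool:
    """Check a displayed fingerprint against a key using a constant-time compare."""
    if not shown.startswith("[") or "]" not in shown:
        raise ValueError("fingerprint must be prefixed with [type]")
    fp_type = shown[1:shown.index("]")]
    expected = fingerprint(decode_public_key_line(key_line), fp_type)
    return hmac.compare_digest(expected.lower(), shown.lower())


# Constructed sample: a fake ssh-ed25519 key whose 32-byte point is 0x01..0x20.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " user@example"

if __name__ == "__main__":
    for fp_type in SUPPORTED_FINGERPRINT_TYPES:
        print(fingerprint(decode_public_key_line(SAMPLE_LINE), fp_type))
```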