[Bug 2439] New: New sha256-base64 SSH Fingerprints in openssh-6.8

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Aug 6 00:26:32 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2439

            Bug ID: 2439
           Summary: New sha256-base64 SSH Fingerprints in openssh-6.8
           Product: Portable OpenSSH
           Version: 6.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Based on our Fedora bug [1], I started investigating what is going on with
the new fingerprint hashes in openssh-6.8. I found one inconsistency
and a usability problem.


 1) First of all, the manual pages mention that:

> Valid options are: “md5” and “sha256”.

but both the config parser and all tools accept ALL digests defined in
"digest-{openssl,glibc}.c" in the digests[] array, which contains many
more of them; these have no support and can lead to
misunderstanding. I propose stripping the list according to the
documentation. But it collides a bit with the other proposal:


 2) As I stated in the previously mentioned bugzilla, it would be great to
have a way to show more fingerprint types, since most of the
servers still provide only the old fingerprint (and probably will
for some years). Also it is not preferable to stick with old md5 as the
default. Admittedly, users can always do

 $ ssh server -oFingerprintHash=md5

but it is probably too much for users who really want to verify a
fingerprint provided through another channel.

My proposal is to add the ability to provide a list of digests that will be
printed (not only one) and, as a transitional default, use both available
ones: "sha256,md5".


I don't have a patch yet, but if there are ideas on how we can
make the transition smoother, feel free to comment.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1249626

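The two fingerprint formats the report contrasts, as an added example that is not part of the bug report or of OpenSSH's code: it parses an authorized_keys-style public key line, prints the fingerprint for a comma-separated list of hashes (the "sha256,md5" transitional default proposed above), restricts the accepted hashes to the two the manual page documents, and checks a fingerprint received through another channel in either notation. The formats mirror what ssh-keygen -l shows since 6.8: "MD5:" followed by colon-separated hex, and "SHA256:" followed by unpadded base64. The sample key line is constructed; its blob is the bytes "abc" rather than a real key, so that the expected hashes are the well-known test vectors for that input.

```python
import base64
import hashlib
import hmac

# The only two values the openssh-6.8 manual page documents for FingerprintHash.
DOCUMENTED_HASHES = ("md5", "sha256")


def parse_pubkey_line(line):
    """Split '<keytype> <base64 blob> [comment]' into (keytype, raw blob, comment).

    Expects the authorized_keys / ssh-keygen -y layout; for a known_hosts
    line drop the leading host field first.
    """
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    keytype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    return keytype, base64.b64decode(b64, validate=True), comment


def fingerprint(blob, hash_name):
    """Fingerprint of a raw key blob in OpenSSH's display format.

    md5    -> "MD5:" + colon-separated lowercase hex (the pre-6.8 style)
    sha256 -> "SHA256:" + base64 without '=' padding (the 6.8 default)
    Anything else is rejected, matching the documented option values rather
    than the larger digests[] table the report describes.
    """
    if hash_name not in DOCUMENTED_HASHES:
        raise ValueError("unsupported FingerprintHash %r (valid: md5, sha256)" % hash_name)
    digest = hashlib.new(hash_name, blob).digest()
    if hash_name == "md5":
        return "MD5:" + ":".join("%02x" % b for b in digest)
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprints(line, hashes="sha256,md5"):
    """Fingerprints for a comma-separated FingerprintHash list, in list order."""
    _keytype, blob, _comment = parse_pubkey_line(line)
    return [fingerprint(blob, h.strip().lower()) for h in hashes.split(",") if h.strip()]


def normalize(fp):
    """Map a fingerprint written by a human into (algorithm, canonical value).

    Accepts "MD5:aa:bb:...", the bare legacy "aa:bb:..." form (16 groups),
    and "SHA256:<base64>" with or without trailing '=' padding.
    """
    fp = fp.strip()
    prefix, sep, rest = fp.partition(":")
    if sep and prefix.upper() in ("MD5", "SHA256"):
        algo, value = prefix.lower(), rest
    elif fp.count(":") == 15:
        algo, value = "md5", fp
    else:
        raise ValueError("unrecognised fingerprint format: %r" % fp)
    return algo, (value.lower() if algo == "md5" else value.rstrip("="))


def verify(line, expected_fp):
    """True if the key line matches a fingerprint obtained out of band.

    The hash to compare with is taken from the fingerprint's own format, so
    the user does not have to pass -oFingerprintHash=md5 themselves.
    """
    algo, value = normalize(expected_fp)
    _keytype, blob, _comment = parse_pubkey_line(line)
    _prefix, _sep, actual = fingerprint(blob, algo).partition(":")
    return hmac.compare_digest(actual.encode("ascii"), value.encode("ascii"))


if __name__ == "__main__":
    # Constructed input: the blob decodes to b"abc", not a real key.
    SAMPLE_LINE = "ssh-ed25519 YWJj constructed@example"
    for fp in fingerprints(SAMPLE_LINE, "sha256,md5"):
        print(fp)
    # A fingerprint read over the phone in the old notation still verifies.
    print(verify(SAMPLE_LINE, "90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72"))
```

Because verify() derives the hash from the fingerprint's own notation, a user holding a legacy colon-hex value from a server that has not been re-documented does not need to know which option to set; printing both forms, as the report proposes, covers the other direction, where the verifier has only the old value and the client shows only the new one.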