[Bug 2332] Show more secure fingerprints than MD5 (e.g. SHA256) in ssh and ssh-keygen

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun May 3 09:13:14 AEST 2015 

https://bugzilla.mindrot.org/show_bug.cgi?id=2332

Max Polk <maxpolk at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |---
             Status|RESOLVED                    |REOPENED
                 CC|                            |maxpolk at gmail.com

--- Comment #8 from Max Polk <maxpolk at gmail.com> ---
Request for two small man page documentation changes.

The 6.8 release notes state, "The default changes from MD5 to SHA256
and
format from hex to base64" for host fingerprint display in ssh, and on
the server in ssh-keygen when looking at the server key in order to
compare.

I discovered that when a 6.8 ssh client connects to a 6.7 or older
server, the server side ssh-keygen doesn't have the new "-E" option,
and still shows you only the md5-based, hex-formatted, key.  The
suggested command in the ssh man page doesn't help:

  $ ssh-keygen -l -f /etc/ssh_host_rsa_key

To verify, the option on the client side is to downgrade ssh to use the
md5 fingerprint:

  $ ssh -o FingerprintHash=md5 HOST

To verify, the option on the server side is to manually calculate the
new style fingerprint:

  $ cat /etc/ssh/ssh_host_ecdsa_key.pub | cut -d ' ' -f 2 | base64 -d |
openssl sha256 -binary | base64

Can the ssh documentation be updated, under the "VERIFYING HOST KEYS"
manual section, to state how to downgrade to md5 when connecting to
older hosts?  Or if not, could the option "FingerprintHash" at least be
mentioned there?  That special option is mentioned only once later in
the long listing of options under the -o stanza.

I ask this, because getting verification to work with the new ssh
client was very difficult.  I thought I lost the capability and ended
up coming up with that manual server-side way to calculate the new
style finterprint:

  SERVER public key file: base64(binarykey)
  SSH command: base64(sha256(binarykey))
  SSH-KEYGEN command: hex(md5(binarykey))      # older server

It is a huge usability problem to seemingly lose this verification
going between 6.8 client and 6.7 and older server.  It was not lost,
just difficult to discover, so I'm reopening this for two documentation
updates to make the user experience a lot easier when they face the
same problem I did.

Also, can we update the ssh_config documentation to note that not only
is the hash being switched, but also the format (base64 vs hex)? 
Client downgrading from sha256 to md5 using FingerprintHash switches
from sha256 to md5 (as documented), but it also switches the formatting
from base64 to hex (not documented).  Example:

  SHA256:mIfDbTHZHp8n8HT/R04oKL2lzXwje8A07P6WTjEp20A
  MD5:bc:b1:82:45:1c:94:ae:cf:bd:b3:8f:63:75:0c:2f:f3

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

More information about the openssh-bugs mailing list