[PATCH] Stop generating SSHFP records with SHA1 digest

Petr Menšík pemensik at redhat.com
Sat Sep 20 05:12:06 AEST 2025 

Hello!

I reported bug #3753 [1], but it had not made any progress so far.

I found few minutes to look into openssh-10.0p1, and found the change is 
rather simple. Because ssh-keygen -l does not print SHA1 for a good 
reason anymore, I think it should stop generating also SSHFP records 
with SHA1 digests. These can be signed by DNSSEC and then avoid blind 
leap of faith when first connecting to a new host.

It will make it possible to request sha1 explcitly, but by default it 
would print only SSHFP algorithm 2 records.

it would make just half of records when ssh-keygen -r localhost command 
is used.

$ ssh-keygen -r localhost
localhost IN SSHFP 1 1 3a4c9decaa9b93186b1378adf9470057f8713ec6
localhost IN SSHFP 1 2 
d4b096c0dbfedabc6312ddf1d859cfd61477e9c279627ceb69ab91785ecc2ea3
localhost IN SSHFP 3 1 8fc2e422305df6da80038e94bd9c76da7877debd
localhost IN SSHFP 3 2 
67e838434d0660427c923ee080f6b2676716bd544054612da6df03f2ab54e9d5
localhost IN SSHFP 4 1 d46401e7669ddda2b1e4a497afa5e694ee9407dd
localhost IN SSHFP 4 2 
b7de03f31b349036de5464068771cf8a940da8ace6ec2ad6fa1709a148baffe5

will become just:

$ ./ssh-keygen -r localhost
localhost IN SSHFP 1 2 
d4b096c0dbfedabc6312ddf1d859cfd61477e9c279627ceb69ab91785ecc2ea3
localhost IN SSHFP 3 2 
67e838434d0660427c923ee080f6b2676716bd544054612da6df03f2ab54e9d5
localhost IN SSHFP 4 2 
b7de03f31b349036de5464068771cf8a940da8ace6ec2ad6fa1709a148baffe5

But can be still requested explicitly and displayed, if someone wants it.

$ ./ssh-keygen -O hashalg=sha1 -r localhost
localhost IN SSHFP 1 1 3a4c9decaa9b93186b1378adf9470057f8713ec6
localhost IN SSHFP 3 1 8fc2e422305df6da80038e94bd9c76da7877debd
localhost IN SSHFP 4 1 d46401e7669ddda2b1e4a497afa5e694ee9407dd

Would this simple change be mergable? Is there anything else to do it?

This is my first patch sent to this list.

Thank you in advance!

Petr

1. https://bugzilla.mindrot.org/show_bug.cgi?id=3753

-- 
Petr Menšík
Senior Software Engieer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Stop-printing-SHA1-digest-in-SSHFP-output.patch
Type: text/x-patch
Size: 1231 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250919/b5d21216/attachment-0001.bin>

More information about the openssh-unix-dev mailing list