[PATCH] Stop generating SSHFP records with SHA1 digest
Petr Menšík
pemensik at redhat.com
Sat Sep 20 05:12:06 AEST 2025
Hello!
I reported bug #3753 [1], but it has not made any progress so far.
I found a few minutes to look into openssh-10.0p1, and found the change is
rather simple. Because ssh-keygen -l does not print SHA1 for a good
reason anymore, I think it should also stop generating SSHFP records
with SHA1 digests. These can be signed by DNSSEC and then avoid a blind
leap of faith when first connecting to a new host.
It will make it possible to request sha1 explicitly, but by default it
would print only SSHFP algorithm 2 records.
It would produce just half of the records when the ssh-keygen -r localhost
command is used.
$ ssh-keygen -r localhost
localhost IN SSHFP 1 1 3a4c9decaa9b93186b1378adf9470057f8713ec6
localhost IN SSHFP 1 2 d4b096c0dbfedabc6312ddf1d859cfd61477e9c279627ceb69ab91785ecc2ea3
localhost IN SSHFP 3 1 8fc2e422305df6da80038e94bd9c76da7877debd
localhost IN SSHFP 3 2 67e838434d0660427c923ee080f6b2676716bd544054612da6df03f2ab54e9d5
localhost IN SSHFP 4 1 d46401e7669ddda2b1e4a497afa5e694ee9407dd
localhost IN SSHFP 4 2 b7de03f31b349036de5464068771cf8a940da8ace6ec2ad6fa1709a148baffe5
will become just:
$ ./ssh-keygen -r localhost
localhost IN SSHFP 1 2 d4b096c0dbfedabc6312ddf1d859cfd61477e9c279627ceb69ab91785ecc2ea3
localhost IN SSHFP 3 2 67e838434d0660427c923ee080f6b2676716bd544054612da6df03f2ab54e9d5
localhost IN SSHFP 4 2 b7de03f31b349036de5464068771cf8a940da8ace6ec2ad6fa1709a148baffe5
But they can still be requested explicitly and displayed, if someone wants them.
$ ./ssh-keygen -O hashalg=sha1 -r localhost
localhost IN SSHFP 1 1 3a4c9decaa9b93186b1378adf9470057f8713ec6
localhost IN SSHFP 3 1 8fc2e422305df6da80038e94bd9c76da7877debd
localhost IN SSHFP 4 1 d46401e7669ddda2b1e4a497afa5e694ee9407dd
Would this simple change be mergeable? Is there anything else needed for it?
This is my first patch sent to this list.
Thank you in advance!
Petr
1. https://bugzilla.mindrot.org/show_bug.cgi?id=3753
--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Stop-printing-SHA1-digest-in-SSHFP-output.patch
Type: text/x-patch
Size: 1231 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250919/b5d21216/attachment-0001.bin>
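As an added example, not part of this message or of the attached patch: the Python below computes SSHFP records from an OpenSSH public-key line the way ssh-keygen -r does (SHA-1 or SHA-256 over the base64 key blob, with the algorithm numbers from RFC 4255, RFC 6594 and RFC 7479) and checks a published record against a host key. Like the proposed change, it emits only SHA-256 (fingerprint type 2) records unless sha1 is requested. The function names and the sample ssh-ed25519 blob are constructed for this example; the blob is syntactically valid but is not a real key pair. The verifier's refusal of fingerprint type 1 is this example's policy choice, not a description of the OpenSSH client's behaviour.

```python
"""Generate and verify SSHFP records from OpenSSH public-key lines (example code)."""
import base64
import hashlib
import hmac

# SSHFP "algorithm" field (RFC 4255: 1 RSA, 2 DSA; RFC 6594: 3 ECDSA; RFC 7479: 4 Ed25519).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP "fingerprint type" field: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_DIGEST = {"sha1": (1, hashlib.sha1), "sha256": (2, hashlib.sha256)}


def decode_pubkey_line(line):
    """Return (keytype, wire_blob) for a '<keytype> <base64> [comment]' line.
    The blob's leading SSH string must match the declared key type; a mismatch
    means the line was edited or mislabelled and must not be fingerprinted."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key blob does not match declared key type")
    return keytype, blob


def sshfp_records(hostname, pubkey_line, hashalgs=("sha256",)):
    """Return SSHFP records for one host key. The digest is taken over the
    wire-format blob (the base64 payload), which is what ssh-keygen -r hashes.
    Default is SHA-256 only; pass hashalgs=("sha1",) to opt in to type 1."""
    keytype, blob = decode_pubkey_line(pubkey_line)
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {keytype}")
    algo = SSHFP_ALGORITHM[keytype]
    records = []
    for name in hashalgs:
        dtype, fn = SSHFP_DIGEST[name]
        records.append(f"{hostname} IN SSHFP {algo} {dtype} {fn(blob).hexdigest()}")
    return records


def verify_sshfp(record, pubkey_line):
    """Check one SSHFP record (as returned by a DNSSEC-validating resolver)
    against a host key. Policy of this example: only SHA-256 records count."""
    algo, dtype, fingerprint = record.split()[-3:]
    keytype, blob = decode_pubkey_line(pubkey_line)
    if int(algo) != SSHFP_ALGORITHM.get(keytype):
        return False
    if int(dtype) != 2:  # refuse SHA-1 (type 1) and unknown fingerprint types
        return False
    expected = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(expected, fingerprint.lower())


def _ssh_string(b):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample key: a well-formed ssh-ed25519 blob whose 32-byte "point"
# is a fixed pattern. It is not a real key pair; it only exercises the format.
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
).decode() + " constructed@example"


if __name__ == "__main__":
    for r in sshfp_records("localhost", SAMPLE_KEY):
        print(r)
    for r in sshfp_records("localhost", SAMPLE_KEY, hashalgs=("sha1",)):
        print(r, "   # legacy SHA-1, emitted only on request")
```

Feed it a line from /etc/ssh/ssh_host_*_key.pub to reproduce the records ssh-keygen -r prints for that key; the SHA-256 output matches the type 2 lines above only for the same key, so the sample values here will differ.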