[
https://issues.apache.org/jira/browse/SSHD-586?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15005877#comment-15005877
]
Goldstein Lyor commented on SSHD-586:
-------------------------------------
According to [RFC4716 - Key fingerprints|https://tools.ietf.org/html/rfc4716#page-6]:
{quote}
The fingerprint of a public key consists of the output of the MD5
message-digest algorithm. For example:
"c1:b1:30:29:d7:b8:de:6c:97:77:10:d7:46:41:63:87"
{quote}
* As far as generating a non-MD5 fingerprint, the _KeyUtils_ class provides
such a method - the one you indicated - which does not add the name of the
digest.
* As far as formatting - the most I can do is suggest adding a system property
that controls the default used fingerprint digest as well as its format. If you
wish to undertake this task, please submit a patch.
> openssh compliant public key fingerprint
> ----------------------------------------
>
> Key: SSHD-586
> URL: https://issues.apache.org/jira/browse/SSHD-586
> Project: MINA SSHD
> Issue Type: Improvement
> Affects Versions: 1.1.0
> Reporter: Alon Bar-Lev
>
> Hello,
> The apache-sshd always assumes fingerprint as hex string ':' separated.
> While openssh public key fingerprint differs, here are some examples:
> $ ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub
> 2048 MD5:1f:b0:db:4b:48:6d:e2:0c:9e:18:a6:88:c9:be:f9:5f alonbl@localhost (RSA)
> $ ssh-keygen -l -E sha1 -f ~/.ssh/id_rsa.pub
> 2048 SHA1:aKxMeaFsKNkuHurHCTZ1scdJ7Pc alonbl@localhost (RSA)
> $ ssh-keygen -l -E sha512 -f ~/.ssh/id_rsa.pub
> 2048 SHA512:U4X0Iw3sF+2Hgc0Y78R/6uUw/goG9X2SPFEmsG4yW/EkDFNJtzRMX4/jUawmQMSWSaQdnv3yOO4AItNgLgePdw alonbl@localhost (RSA)
> $ ssh [email protected]
> The authenticity of host '10.35.0.71 (10.35.0.71)' can't be established.
> ECDSA key fingerprint is SHA256:G2GAthRObSnT13jBb7bKl2P0Tf8ucuEqXaYJOdfqHUA.
> Are you sure you want to continue connecting (yes/no)?
> Old format without a prefix: 1f:b0:db:4b:48:6d:e2:0c:9e:18:a6:88:c9:be:f9:5f
> is considered md5.
> New format with digest: prefix for md5 keeps the hex string.
> Any other digest will have base64 encoded digest value.
> It will be nice if KeyUtils.getFingerPrint(Digest d, PublicKey key) will
> comply with the above, so fingerprint can be presented to user and user will
> be able to compare it visually to expected value.
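The formatting rules described in the issue (MD5 as colon-separated hex, every other digest as unpadded base64, an unprefixed hex string treated as MD5), written out as an added example using only the JDK. This is not code from MINA SSHD or its KeyUtils class; the class and method names are hypothetical and the sample key blob is constructed, not a real key.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Locale;

public class OpenSshFingerprint { // hypothetical name, not part of MINA SSHD
    /** keyBlob is the decoded base64 field of a .pub line (the key in SSH wire encoding). */
    static String fingerprint(String jcaDigest, byte[] keyBlob) throws NoSuchAlgorithmException {
        byte[] hash = MessageDigest.getInstance(jcaDigest).digest(keyBlob);
        String label = jcaDigest.replace("-", "").toUpperCase(Locale.ROOT); // "SHA-256" -> "SHA256"
        if (!label.equals("MD5")) { // every digest except MD5: base64 without '=' padding
            return label + ":" + Base64.getEncoder().withoutPadding().encodeToString(hash);
        }
        StringBuilder hex = new StringBuilder("MD5"); // MD5 keeps the colon-separated hex string
        for (byte b : hash) {
            hex.append(':').append(String.format("%02x", b & 0xff));
        }
        return hex.toString();
    }

    /** Checks an expected fingerprint, in legacy or prefixed form, against a key blob. */
    static boolean matches(String expected, byte[] keyBlob) throws NoSuchAlgorithmException {
        String e = expected.trim();
        if (e.matches("(?i)[0-9a-f]{2}(:[0-9a-f]{2}){15}")) {
            e = "MD5:" + e; // old format without a prefix is considered MD5
        }
        int sep = e.indexOf(':');
        if (sep < 0) throw new IllegalArgumentException("not a fingerprint: " + expected);
        String label = e.substring(0, sep).toUpperCase(Locale.ROOT);
        String body = e.substring(sep + 1);
        String jca = label.startsWith("SHA") ? "SHA-" + label.substring(3) : label; // "SHA256" -> "SHA-256"
        // Hex is case-insensitive; base64 is case-sensitive but may arrive with padding.
        body = label.equals("MD5") ? body.toLowerCase(Locale.ROOT) : body.replaceAll("=+$", "");
        return fingerprint(jca, keyBlob).equals(label + ":" + body);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bytes standing in for a key blob; not a real public key.
        byte[] blob = "constructed-sample-key-blob".getBytes(StandardCharsets.US_ASCII);
        for (String d : new String[] {"MD5", "SHA-1", "SHA-256", "SHA-512"}) {
            String fp = fingerprint(d, blob);
            System.out.println(fp + " -> matches: " + matches(fp, blob));
        }
        String legacy = fingerprint("MD5", blob).substring(4).toUpperCase(Locale.ROOT);
        System.out.println(legacy + " (legacy) -> matches: " + matches(legacy, blob));
    }
}
```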