[ https://issues.apache.org/jira/browse/SSHD-586?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15005885#comment-15005885 ]
Goldstein Lyor commented on SSHD-586:
-------------------------------------

What I recommend is the following:

* Add a *new* class _OpenSSHKeyUtils_ that has a _getFingerPrint(Digest d, PublicKey key, boolean appendDigestName)_ method (as well as a default one - similar to KeyUtils)
* In this method you can use the available _PublicKeyEntry.appendPublicKeyEntry(...)_ method - this will give you the BASE64 encoded data as a _String_. I am not sure that the input for the hash is the _String_ or its bytes, or the data *before* the BASE64 encoding - up to you to figure out which.
* If you need the pure *bytes* rather than the base64 encoding, then look at how _PublicKeyEntry.appendPublicKeyEntry(...)_ generates the bytes before encoding them.
* Hash and format the result according to the _appendDigestName_ parameter
* Add unit tests that calculate the digest for "known" keys (ones that you generated with _ssh-keygen_) and make sure the result is as expected

> openssh compliant public key fingerprint
> ----------------------------------------
>
>                 Key: SSHD-586
>                 URL: https://issues.apache.org/jira/browse/SSHD-586
>             Project: MINA SSHD
>          Issue Type: Improvement
>   Affects Versions: 1.1.0
>            Reporter: Alon Bar-Lev
>            Priority: Minor
>
> Hello,
> The apache-sshd always assumes fingerprint as hex string ':' separated.
> While openssh public key fingerprint differs, here are some examples:
> $ ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub
> 2048 MD5:1f:b0:db:4b:48:6d:e2:0c:9e:18:a6:88:c9:be:f9:5f alonbl@localhost (RSA)
> $ ssh-keygen -l -E sha1 -f ~/.ssh/id_rsa.pub
> 2048 SHA1:aKxMeaFsKNkuHurHCTZ1scdJ7Pc alonbl@localhost (RSA)
> $ ssh-keygen -l -E sha512 -f ~/.ssh/id_rsa.pub
> 2048 SHA512:U4X0Iw3sF+2Hgc0Y78R/6uUw/goG9X2SPFEmsG4yW/EkDFNJtzRMX4/jUawmQMSWSaQdnv3yOO4AItNgLgePdw alonbl@localhost (RSA)
> $ ssh root@10.35.0.71
> The authenticity of host '10.35.0.71 (10.35.0.71)' can't be established.
> ECDSA key fingerprint is SHA256:G2GAthRObSnT13jBb7bKl2P0Tf8ucuEqXaYJOdfqHUA.
> Are you sure you want to continue connecting (yes/no)?
> Old format without a prefix: 1f:b0:db:4b:48:6d:e2:0c:9e:18:a6:88:c9:be:f9:5f is considered md5.
> New format with digest: prefix for md5 keeps the hex string.
> Any other digest will have base64 encoded digest value.
> It will be nice if KeyUtils.getFingerPrint(Digest d, PublicKey key) will comply with the above, so fingerprint can be presented to user and user will be able to compare it visually to expected value.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
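
The fingerprint notation described in the issue, as an added example using only JDK classes; it is not MINA SSHD code and not part of the original message. ssh-keygen hashes the decoded key blob (the bytes before base64 encoding) and prints non-MD5 digests as unpadded base64; the class and method names and the all-zero sample key are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Locale;

public class OpenSshFingerprintExample {
    /** Fingerprint of a "<type> <base64 blob> [comment]" line, in ssh-keygen -l -E notation. */
    static String fingerprint(String keyLine, String jcaDigest) throws NoSuchAlgorithmException {
        String[] fields = keyLine.trim().split("\\s+");
        if (fields.length < 2) throw new IllegalArgumentException("expected '<type> <base64> [comment]'");
        // The digest input is the decoded key blob, not the base64 text.
        byte[] blob = Base64.getDecoder().decode(fields[1]);
        byte[] hash = MessageDigest.getInstance(jcaDigest).digest(blob);
        String name = jcaDigest.replace("-", "").toUpperCase(Locale.ROOT); // "SHA-256" -> "SHA256"
        if (!name.equals("MD5")) {
            return name + ":" + Base64.getEncoder().withoutPadding().encodeToString(hash);
        }
        StringBuilder hex = new StringBuilder("MD5"); // MD5 keeps the colon-separated hex string
        for (byte b : hash) hex.append(':').append(String.format("%02x", b));
        return hex.toString();
    }

    /** Checks a key against an expected fingerprint; a bare hex string (old format) means MD5. */
    static boolean matches(String keyLine, String expected) throws NoSuchAlgorithmException {
        String value = expected.trim();
        if (value.matches("(?i)[0-9a-f]{2}(:[0-9a-f]{2}){15}")) value = "MD5:" + value.toLowerCase(Locale.ROOT);
        int colon = value.indexOf(':');
        if (colon < 0) throw new IllegalArgumentException("no digest prefix: " + value);
        String name = value.substring(0, colon).toUpperCase(Locale.ROOT);
        String jcaDigest = name.startsWith("SHA") ? "SHA-" + name.substring(3) : name;
        return fingerprint(keyLine, jcaDigest).equals(name + value.substring(colon));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ssh-ed25519 blob with an all-zero 32-byte key, not a real key.
        byte[] type = "ssh-ed25519".getBytes(StandardCharsets.US_ASCII);
        byte[] blob = ByteBuffer.allocate(4 + type.length + 4 + 32)
                .putInt(type.length).put(type).putInt(32).array();
        String line = "ssh-ed25519 " + Base64.getEncoder().encodeToString(blob) + " constructed@example";
        for (String digest : new String[] {"MD5", "SHA-1", "SHA-256", "SHA-512"}) {
            System.out.println(fingerprint(line, digest));
        }
        String legacy = fingerprint(line, "MD5").substring("MD5:".length()); // old, prefix-less form
        System.out.println(matches(line, legacy) + " " + matches(line, fingerprint(line, "SHA-256")));
    }
}
```

Writing the printed line to a `.pub` file and running `ssh-keygen -l -E sha256 -f` on it gives a value to compare against, which is the kind of known-key check the comment asks for in unit tests.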