[
https://issues.apache.org/jira/browse/SSHD-586?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15005885#comment-15005885
]
Goldstein Lyor commented on SSHD-586:
-------------------------------------
What I recommend is the following:
* Add a *new* class _OpenSSHKeyUtils_ that has a _getFingerPrint(Digest d,
PublicKey key, boolean appendDigestName)_ method (as well as default one -
similar to KeyUtils)
* In this method you can use the available
_PublicKeyEntry.appendPublicKeyEntry(...)_ method - this will give you the
BASE64 encoded data as a _String_. I am not sure that the input for the hash is
the _String_ or its bytes, or the data *before* the BASE64 encoding - up to you
to figure out which.
* If you need the pure *bytes* rather than the base64 encoding, then look at
how _PublicKeyEntry.appendPublicKeyEntry(...)_ generates the bytes before
encoding them.
* Hash and format the result according to the _appendDigestName_ parameter
* Add unit tests that calculate the digest for "known" keys (ones that you
generated with _ssh-keygen_) and makes sure the result is as expected
> openssh compliant public key fingerprint
> ----------------------------------------
>
> Key: SSHD-586
> URL: https://issues.apache.org/jira/browse/SSHD-586
> Project: MINA SSHD
> Issue Type: Improvement
> Affects Versions: 1.1.0
> Reporter: Alon Bar-Lev
> Priority: Minor
>
> Hello,
> The apache-sshd always assumes fingerprint as hex string ':' separated.
> While openssh public key fingerprint differs, here are some examples:
> $ ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub
> 2048 MD5:1f:b0:db:4b:48:6d:e2:0c:9e:18:a6:88:c9:be:f9:5f alonbl@localhost
> (RSA)
> $ ssh-keygen -l -E sha1 -f ~/.ssh/id_rsa.pub
> 2048 SHA1:aKxMeaFsKNkuHurHCTZ1scdJ7Pc alonbl@localhost (RSA)
> $ ssh-keygen -l -E sha512 -f ~/.ssh/id_rsa.pub
> 2048
> SHA512:U4X0Iw3sF+2Hgc0Y78R/6uUw/goG9X2SPFEmsG4yW/EkDFNJtzRMX4/jUawmQMSWSaQdnv3yOO4AItNgLgePdw
> alonbl@localhost (RSA)
> $ ssh root@10.35.0.71
> The authenticity of host '10.35.0.71 (10.35.0.71)' can't be established.
> ECDSA key fingerprint is SHA256:G2GAthRObSnT13jBb7bKl2P0Tf8ucuEqXaYJOdfqHUA.
> Are you sure you want to continue connecting (yes/no)?
> Old format without a prefix: 1f:b0:db:4b:48:6d:e2:0c:9e:18:a6:88:c9:be:f9:5f
> is considered md5.
> New format with digest: prefix for md5 keeps the hex string.
> Any other digest will have base64 encoded digest value.
> It will be nice if KeyUtils.getFingerPrint(Digest d, PublicKey key) will
> comply with the above, so fingerprint can be presented to user and user will
> be able to compare it visually to expected value.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
