[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Damien Miller changed:

           What    |Removed     |Added
----------------------------------------------
             Status|RESOLVED    |CLOSED

--- Comment #23 from Damien Miller ---
openssh-6.8 is released

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Damien Miller changed:

           What    |Removed     |Added
----------------------------------------------
             Status|ASSIGNED    |RESOLVED
         Resolution|---         |FIXED

--- Comment #22 from Damien Miller ---
Patch (with Petr's suggested usage() fix) applied. This will be in OpenSSH 6.8
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

--- Comment #21 from Petr Lautrbach ---
It could be probably useful to add -E option to ssh-keygen usage message too:

--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -2196,7 +2196,7 @@ usage(void)
" ssh-keygen -e [-m key_format] [-f input_keyfile]\n"
" ssh-keygen -y [-f input_keyfile]\n"
" ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"
- " ssh-keygen -l [-f input_keyfile]\n"
+ " ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n"
" ssh-keygen -B [-f input_keyfile]\n");
#ifdef ENABLE_PKCS11
fprintf(stderr,

So far it seems to work for me. Thanks!
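Review bot: the hunk fixes the usage() string only for the -l line, but the same SYNOPSIS line lives in ssh-keygen.1, which this diff does not touch; the manual page should list `-l [-E fingerprint_hash] [-f input_keyfile]` with the same argument name so that `ssh-keygen -?`-style help and the man page agree, and the option description there should name the same values that the FingerprintHash keyword accepts in ssh_config/sshd_config.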
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Damien Miller changed:

           What               |Removed                     |Added
------------------------------------------------------------------------------
 Attachment #2007 is obsolete |0                           |1
 Attachment #2429 is obsolete |0                           |1
                     Assignee|unassigned-b...@mindrot.org |d...@mindrot.org
                       Status|NEW                         |ASSIGNED

--- Comment #20 from Damien Miller ---
Created attachment 2518
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2518&action=edit
FingerprintHash option

This adds a FingerprintHash option to sshd and ssh, and a -E flag to ssh-add, ssh-agent and ssh-keygen.

Fingerprints are now prefixed with the hash algorithm used and non-MD5 hashes use base64 encoding rather than hex. The default fingerprint algorithm is SHA256.

Examples:

> ssh-keygen -vlf /etc/ssh/ssh_host_rsa_key.pub
> 2048 SHA256:rLKEbjpoN2+kuMQB7EiPqaeHut65ZfSe/z1EaWtKEmk /etc/ssh/ssh_host_rsa_key.pub (RSA)
> +---[RSA 2048]+
> | |
> |.|
> |.o. . |
> |= +. E + |
> |.= . . S . o . |
> |o .. . . + |
> |o++ =o.. o +|
> |=*+=++. . ... |
> |OO++*. o .. |
> +[SHA256]-+
>
> ssh-keygen -lE md5 -f /etc/ssh/ssh_host_rsa_key.pub
> 2048 MD5:3e:f9:51:d3:29:10:e7:a2:40:6f:2c:d2:7a:4c:bc:b2 /etc/ssh/ssh_host_rsa_key.pub (RSA)

BTW, I chose "FingerprintHash" rather than "FingerprintType" because we already have different types of fingerprints: hex, bubblebabble and randomart.
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Damien Miller changed:

           What    |Removed     |Added
----------------------------------------------
             Blocks|2226        |

--- Comment #19 from Damien Miller ---
These bugs are no longer targeted at the imminent 6.7 release
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Damien Miller changed:

           What    |Removed     |Added
----------------------------------------------
             Blocks|            |2266

--- Comment #18 from Damien Miller ---
Retarget incomplete bugs to 6.8 release.
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

--- Comment #17 from Petr Lautrbach ---
(In reply to Petr Lautrbach from comment #15)
> Similarly for ssh-keygen, ssh-agent and ssh-add but using command
> line option. In case of ssh-keygen, it'll be quite hard to find
> unused letter.

So there are only three letters unused in all 3 tools: E U Y
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

--- Comment #16 from Petr Lautrbach ---
Created attachment 2429
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2429&action=edit
add FingerprintType flag to ssh and sshd which is used to specify used fingerprint for keys

ssh_config.5 and sshd_config.5:

     FingerprintType
             Specifies the cryptographic hash function to use for key
             fingerprints. The supported hashes are: “md5”, “sha1” and
             “sha256”. The default is “md5”
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Petr Lautrbach changed:

           What    |Removed     |Added
----------------------------------------------
                 CC|            |plaut...@redhat.com

--- Comment #15 from Petr Lautrbach ---
The original proposal used SSH_FINGERPRINT_TYPE environmental variable for configuration of the fingerprint type. I'd rather use ssh and sshd option for that.

     FingerprintType
             Specifies the cryptographic hash function to use for key
             fingerprints. The supported hashes are: “md5”, “sha1” and
             “sha256”. The default is “md5”

$ ssh -o FingerprintType=sha256 -p localhost
The authenticity of host '[localhost]: ([127.0.0.1]:)' can't be established.
ECDSA key fingerprint is [sha256]5b:bc:6c:0a:b2:8d:84:eb:2a:6b:14:92:94:1c:85:b3:82:98:ba:b0:55:fd:2a:61:52:8c:b0:79:49:4b:e7:73.
Are you sure you want to continue connecting (yes/no)

or

# sshd -o FingerPrintType=sha256 -o Port= -f /etc/ssh/sshd_config -D -dd
...
debug1: matching key found: file /home/user/.ssh/authorized_keys, line 1 RSA [sha256]5f:ac:7f:dd:ce:19:46:c4:4d:b5:55:0b:a0:1a:46:49:93:09:31:4d:35:b7:e0:c0:85:d4:69:ec:c9:65:5c:c8
...
debug1: matching key found: file /home/user/.ssh/authorized_keys, line 1 RSA [sha256]5f:ac:7f:dd:ce:19:46:c4:4d:b5:55:0b:a0:1a:46:49:93:09:31:4d:35:b7:e0:c0:85:d4:69:ec:c9:65:5c:c8
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
Accepted publickey for user from 127.0.0.1 port 50738 ssh2: RSA [sha256]5f:ac:7f:dd:ce:19:46:c4:4d:b5:55:0b:a0:1a:46:49:93:09:31:4d:35:b7:e0:c0:85:d4:69:ec:c9:65:5c:c8

Similarly for ssh-keygen, ssh-agent and ssh-add but using command line option. In case of ssh-keygen, it'll be quite hard to find unused letter.
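The two fingerprint encodings that appear in this thread, side by side, as an added example that is not OpenSSH's own code: the `SHA256:`/`MD5:`-prefixed form from Damien's comment #20 (the one that shipped in OpenSSH 6.8, with MD5 kept as colon-separated hex and SHA-2 hashes rendered as unpadded base64), and the `[sha256]` colon-separated hex form from Petr's earlier proposal in comment #15. The key blob is constructed from e = 65537 and a placeholder modulus (not a real RSA key), and every helper name below is the example's own assumption. What gets hashed in both formats is the raw public-key blob, i.e. the base64-decoded second field of a `.pub` or `authorized_keys` line, never the base64 text.

```python
"""OpenSSH-style key fingerprints in the two formats discussed in bug 1872.

Added example, not OpenSSH code. Helper names and the sample key are
assumptions made for the example.
"""
import base64
import hashlib
import struct


# --- Minimal SSH wire-format helpers (RFC 4251 "string" and "mpint") ---

def ssh_string(data: bytes) -> bytes:
    """uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Non-negative integer as an SSH mpint: minimal big-endian bytes,
    with a leading 0x00 when the top bit is set; zero encodes as empty."""
    if value < 0:
        raise ValueError("negative mpint not supported in this example")
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def read_string(buf: bytes, off: int):
    """Decode one SSH string at offset; returns (bytes, new_offset)."""
    if len(buf) < off + 4:
        raise ValueError("truncated blob")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if len(buf) < off + length:
        raise ValueError("truncated blob")
    return buf[off:off + length], off + length


def build_rsa_blob(e: int, n: int) -> bytes:
    """The ssh-rsa public-key blob: string "ssh-rsa", mpint e, mpint n.
    This byte string is exactly what ssh-keygen -l hashes."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def pubkey_line(blob: bytes, comment: str) -> str:
    """Render a blob as one authorized_keys / .pub line."""
    keytype = read_string(blob, 0)[0].decode()
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Parse "<type> <base64 blob> [comment]" and require that the declared
    type matches the type embedded in the blob (a mismatch is what a
    mis-edited or tampered key line looks like)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    embedded, _ = read_string(blob, 0)
    if embedded.decode() != keytype:
        raise ValueError(f"type field {keytype!r} != blob type {embedded!r}")
    return keytype, blob


# --- The two fingerprint formats from the bug discussion ---

def fingerprint(blob: bytes, hash_alg: str = "sha256") -> str:
    """OpenSSH 6.8 style (comment #20): upper-case hash name prefix; MD5
    stays colon-separated hex, other hashes are base64 with '=' stripped."""
    alg = hash_alg.lower()
    if alg == "md5":
        # On a FIPS-restricted crypto library this is the call that fails,
        # which is why the bug wanted a SHA-2 default in the first place.
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    if alg in ("sha1", "sha256"):
        digest = hashlib.new(alg, blob).digest()
        return alg.upper() + ":" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"unsupported fingerprint hash {hash_alg!r}")


def legacy_fingerprint(blob: bytes, hash_alg: str = "sha256") -> str:
    """Earlier proposal (comment #15): "[<alg>]" prefix, hex for every hash."""
    alg = hash_alg.lower()
    if alg not in ("md5", "sha1", "sha256"):
        raise ValueError(f"unsupported fingerprint hash {hash_alg!r}")
    return f"[{alg}]" + ":".join(f"{b:02x}" for b in hashlib.new(alg, blob).digest())


# Constructed sample: e = 65537 and a placeholder modulus. NOT a real RSA
# key; it only exercises the wire encoding and the fingerprint formats.
SAMPLE_N = 0xC0FFEE0BADF00DDEADBEEFCAFEBABE0123456789ABCDEFFEDCBA98765432101
SAMPLE_BLOB = build_rsa_blob(65537, SAMPLE_N)
SAMPLE_LINE = pubkey_line(SAMPLE_BLOB, "constructed@example")

if __name__ == "__main__":
    keytype, blob = parse_pubkey_line(SAMPLE_LINE)
    print(keytype, fingerprint(blob), "(default, like ssh-keygen -l)")
    print(keytype, fingerprint(blob, "md5"), "(like ssh-keygen -lE md5)")
    print(keytype, legacy_fingerprint(blob), "(comment #15 proposal)")
```

The SHA-256 form is always 7 + 43 characters with no `=` padding, which is why pinning tools and `known_hosts` checkers written for the 47-character MD5 form need updating; the MD5 branch is also the one that raises on a hashlib built against a FIPS-only provider, the failure mode this bug was opened for.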
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Damien Miller changed:

           What    |Removed     |Added
----------------------------------------------
             Blocks|            |2226

--- Comment #13 from Damien Miller ---
Retarget to 6.7 release, since 6.6 was mostly bugfixing.
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Damien Miller changed:

           What    |Removed     |Added
----------------------------------------------
             Blocks|2188        |

--- Comment #14 from Damien Miller ---
Remove from 6.6 tracking bug
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Damien Miller changed:

           What    |Removed     |Added
----------------------------------------------
             Blocks|            |2188

--- Comment #11 from Damien Miller ---
Retarget incomplete bugs / feature requests to 6.6 release
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Damien Miller changed:

           What    |Removed     |Added
----------------------------------------------
             Blocks|2130        |

--- Comment #12 from Damien Miller ---
Retarget incomplete bugs / feature requests to 6.6 release
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Damien Miller changed:

           What    |Removed                     |Added
------------------------------------------------------------------------------
                 CC|                            |d...@mindrot.org
            Summary|proposal how to change      |Support better hash
                   |fingerprints to come fips   |algorithms for key
                   |compatible                  |fingerprints (FIPS compat)
              Alias|                            |fingerprint-alg
[Bug 1872] Support better hash algorithms for key fingerprints (FIPS compat)
https://bugzilla.mindrot.org/show_bug.cgi?id=1872

Damien Miller changed:

           What    |Removed     |Added
----------------------------------------------
             Blocks|            |2165