bugzilla-daemon at mindrot.org
2015-Aug-05 14:26 UTC
[Bug 2439] New: New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Bug ID: 2439
Summary: New sha256-base64 SSH Fingerprints in openssh-6.8
Product: Portable OpenSSH
Version: 6.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Based on our Fedora bug [1], I started investigating what is going on with
the new fingerprint hashes in openssh-6.8. I found one inconsistency
and a usability problem.
1) First of all, the manual pages mention that:
> Valid options are: "md5" and "sha256".
but both the config parser and all tools accept ALL digests defined in
"digest-{openssl,glibc}.c" in the array digests[], which contains many
more of them, which do not have any support and can lead to
misunderstanding. I propose to strip the list according to the
documentation. But it collides a bit with the other proposal:
2) As I stated in the previously mentioned bugzilla, it would be great to
have a way to show more fingerprint types, since most of the
servers still provide only the old fingerprint (and for some years
probably will). Also, it is not preferable to be stuck with old md5 as
the default. You can admit that users can always do
$ ssh server -oFingerprintHash=md5
but it is probably too much for users if they really want to verify
a fingerprint provided through another channel.
My proposal is to add the ability to provide a list of digests that will be
printed (not only one) and, as a transition default, use both available:
"sha256,md5".
I don't have a patch yet, but if there is some idea of how we can
make the transition smoother, feel free to comment.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1249626
--
You are receiving this mail because:
You are watching the assignee of the bug.
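An added example, not part of the original report and not OpenSSH's own code: it computes the two fingerprint formats discussed above from one public key line, for a comma-separated digest list such as the proposed "sha256,md5", and rejects anything other than the two documented digests. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# Only the two values the manual page documents for FingerprintHash.
DOCUMENTED = ("md5", "sha256")


def parse_pubkey_line(line):
    """Return (key_type, blob) from an OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match blob")
    return key_type, blob


def fingerprint(blob, alg):
    """Format one fingerprint the way OpenSSH displays it."""
    if alg not in DOCUMENTED:
        raise ValueError("unsupported fingerprint hash: " + alg)
    digest = hashlib.new(alg, blob).digest()
    if alg == "md5":
        # Legacy form: colon-separated lowercase hex.
        return "MD5:" + ":".join("%02x" % b for b in digest)
    # Newer form: base64 with the trailing padding removed.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints(line, hash_list="sha256,md5"):
    """Return one fingerprint per digest in a comma-separated list."""
    _, blob = parse_pubkey_line(line)
    return [fingerprint(blob, a.strip().lower()) for a in hash_list.split(",")]


def sample_key_line():
    """Constructed ssh-ed25519 key line (fixed bytes, not a real host key)."""
    name = b"ssh-ed25519"
    raw = bytes(range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    for fp in fingerprints(sample_key_line()):
        print(fp)
```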
bugzilla-daemon at mindrot.org
2015-Aug-07 08:27 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 2681
--> https://bugzilla.mindrot.org/attachment.cgi?id=2681&action=edit
Allow more fingerprint algorithms on client side
Adding patch for client side, which introduces new default "sha256 md5".
For internal operations and logging, only the first one is used, but for
interaction with user (adding new host), both fingerprints are printed.
From my point of view, there is no need to do the same on the serverside,
since there is no interaction with user.
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-04 03:20 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2451
CC| |djm at mindrot.org
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:44 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Retarget to openssh-7.3
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:45 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2543
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2543
[Bug 2543] Tracking bug for OpenSSH 7.3 release
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:47 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2451 |
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Retarget to openssh-7.3
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:10 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
retarget unfinished bugs to next release
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:14 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2594
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
retarget unfinished bugs to next release
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2594
[Bug 2594] Tracking bug for OpenSSH 7.4 release
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:15 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
retarget unfinished bugs to next release
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:17 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
retarget unfinished bugs to next release
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:19 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2543 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2543
[Bug 2543] Tracking bug for OpenSSH 7.3 release
bugzilla-daemon at bugzilla.mindrot.org
2016-Dec-16 03:31 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2647
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
OpenSSH 7.4 release is closing; punt the bugs to 7.5
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
bugzilla-daemon at bugzilla.mindrot.org
2016-Dec-16 03:33 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2594 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2594
[Bug 2594] Tracking bug for OpenSSH 7.4 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-30 03:43 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2698
--- Comment #9 from Damien Miller <djm at mindrot.org> ---
Move incomplete bugs to openssh-7.6 target since 7.5 shipped a while
back.
To calibrate expectations, there's little chance all of these are going
to make 7.6.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-30 03:44 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
--- Comment #10 from Damien Miller <djm at mindrot.org> ---
remove 7.5 target
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-30 03:45 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2647 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-22 03:29 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2782
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-22 03:34 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2698 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 03:09 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2852
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 03:12 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2782 |
--- Comment #11 from Damien Miller <djm at mindrot.org> ---
Move to OpenSSH 7.8 tracking bug
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-10 01:37 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2893
--- Comment #12 from Damien Miller <djm at mindrot.org> ---
Retarget remaining bugs planned for 7.8 release to 7.9
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2893
[Bug 2893] Tracking bug for 7.9 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-10 01:38 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
--- Comment #13 from Damien Miller <djm at mindrot.org> ---
Retarget remaining bugs planned for 7.8 release to 7.9
bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-10 01:39 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2852 |
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19 06:13 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2915
--- Comment #14 from Damien Miller <djm at mindrot.org> ---
Retarget unfinished bugs to OpenSSH 8.0
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19 06:14 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
--- Comment #15 from Damien Miller <djm at mindrot.org> ---
Retarget unfinished bugs to OpenSSH 8.0
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19 06:15 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2893 |
--- Comment #16 from Damien Miller <djm at mindrot.org> ---
Retarget unfinished bugs to OpenSSH 8.0
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2893
[Bug 2893] Tracking bug for 7.9 release
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-22 03:21 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WONTFIX
--- Comment #17 from Damien Miller <djm at mindrot.org> ---
I don't think I want to move forward with this change - the sha256
signatures are a lot more ubiquitous and accepted than they were in
2016 and I want to hasten the day when OpenSSH and its dependencies can
compile without any MD5 support at all.
bugzilla-daemon at mindrot.org
2021-Apr-23 04:58 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #18 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release