bugzilla-daemon at mindrot.org
2015-Aug-05 14:26 UTC
[Bug 2439] New: New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Bug ID: 2439
Summary: New sha256-base64 SSH Fingerprints in openssh-6.8
Product: Portable OpenSSH
Version: 6.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com

Based on our Fedora bug [1] I started investigating what is up with the new fingerprint hashes in openssh-6.8. I found one inconsistency and a usability problem.

1) First of all, the manual pages mention that:

> Valid options are: "md5" and "sha256".

but both the config parser and all tools accept ALL digests defined in "digest-{openssl,glibc}.c" in the array digests[], which contains many more of them and which do not have any support and can lead to misunderstanding. I propose to strip the list according to the documentation. But it collides a bit with the other proposal:

2) As I stated in the previously mentioned bugzilla, it would be great to have a way to show more fingerprint types, since most of the servers still provide only the old fingerprint (and for some years probably will). Also, it is not preferable to be stuck with old md5 as the default. You can argue that users can always do

    $ ssh server -oFingerprintHash=md5

but it is probably too much for users if they really want to verify a fingerprint provided through another channel.

My proposal is to add the ability to provide a list of digests that will be printed (not only one) and, as a transition default, use both available: "sha256,md5".

I don't have a patch yet, but if there is some idea how we can make the transition smoother, feel free to comment.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1249626

--
You are receiving this mail because:
You are watching the assignee of the bug.
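The verification problem described in the report above, as an added example (not part of the original report and not OpenSSH code): given a public key line and a fingerprint received through another channel, detect whether it is in the SHA256-base64 form, the prefixed MD5 form, or the bare colon-separated hex that releases before 6.8 printed, and compare it. The function names and the sample key are constructed for illustration; the input is assumed to be in `.pub` file format (`type base64 [comment]`).

```python
import base64
import hashlib
import re
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


# Constructed sample (not a real host key): ed25519 blob with a dummy key value.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
                   + " constructed@example")

BARE_MD5 = re.compile(r"(?:[0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2}")


def fingerprint(pubkey_line: str, alg: str) -> str:
    """Fingerprint a key line in the form OpenSSH 6.8 and later print."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if alg == "sha256":
        digest = hashlib.sha256(blob).digest()
        # Base64 of the digest with the trailing '=' padding stripped.
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if alg == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    raise ValueError(f"unsupported fingerprint hash: {alg}")


def check_fingerprint(pubkey_line: str, advertised: str) -> tuple:
    """Detect the format of an out-of-band fingerprint and compare it.

    Returns (algorithm, matches). A bare colon-separated hex string is
    treated as MD5, the only form printed before 6.8.
    """
    adv = advertised.strip()
    if adv.upper().startswith("SHA256:"):
        alg, want = "sha256", "SHA256:" + adv[7:].rstrip("=")
    elif adv.upper().startswith("MD5:"):
        alg, want = "md5", "MD5:" + adv[4:].lower()
    elif BARE_MD5.fullmatch(adv):
        alg, want = "md5", "MD5:" + adv.lower()
    else:
        raise ValueError("unrecognised fingerprint format")
    return alg, fingerprint(pubkey_line, alg) == want


if __name__ == "__main__":
    for alg in ("sha256", "md5"):
        print(fingerprint(SAMPLE_KEY_LINE, alg))
```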
bugzilla-daemon at mindrot.org
2015-Aug-07 08:27 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 2681
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2681&action=edit
Allow more fingerprint algorithms on client side

Adding patch for client side, which introduces new default "sha256 md5". For internal operations and logging, only the first one is used, but for interaction with the user (adding a new host), both fingerprints are printed.

From my point of view, there is no need to do the same on the server side, since there is no interaction with the user.
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-04 03:20 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2451
                 CC|                            |djm at mindrot.org

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:44 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Retarget to openssh-7.3
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:45 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2543

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2543
[Bug 2543] Tracking bug for OpenSSH 7.3 release
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-26 03:47 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2451                        |

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Retarget to openssh-7.3

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:10 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
retarget unfinished bugs to next release
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:14 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2594

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
retarget unfinished bugs to next release

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2594
[Bug 2594] Tracking bug for OpenSSH 7.4 release
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:15 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
retarget unfinished bugs to next release
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:17 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
retarget unfinished bugs to next release
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-22 04:19 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2543                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2543
[Bug 2543] Tracking bug for OpenSSH 7.3 release
bugzilla-daemon at bugzilla.mindrot.org
2016-Dec-16 03:31 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2647

--- Comment #8 from Damien Miller <djm at mindrot.org> ---
OpenSSH 7.4 release is closing; punt the bugs to 7.5

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
bugzilla-daemon at bugzilla.mindrot.org
2016-Dec-16 03:33 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2594                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2594
[Bug 2594] Tracking bug for OpenSSH 7.4 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-30 03:43 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2698

--- Comment #9 from Damien Miller <djm at mindrot.org> ---
Move incomplete bugs to openssh-7.6 target since 7.5 shipped a while back. To calibrate expectations, there's little chance all of these are going to make 7.6.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-30 03:44 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

--- Comment #10 from Damien Miller <djm at mindrot.org> ---
remove 7.5 target
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-30 03:45 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2647                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-22 03:29 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2782

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-22 03:34 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2698                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 03:09 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2852

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 03:12 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2782                        |

--- Comment #11 from Damien Miller <djm at mindrot.org> ---
Move to OpenSSH 7.8 tracking bug

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-10 01:37 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2893

--- Comment #12 from Damien Miller <djm at mindrot.org> ---
Retarget remaining bugs planned for 7.8 release to 7.9

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2893
[Bug 2893] Tracking bug for 7.9 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-10 01:38 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

--- Comment #13 from Damien Miller <djm at mindrot.org> ---
Retarget remaining bugs planned for 7.8 release to 7.9
bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-10 01:39 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2852                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19 06:13 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2915

--- Comment #14 from Damien Miller <djm at mindrot.org> ---
Retarget unfinished bugs to OpenSSH 8.0

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19 06:14 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

--- Comment #15 from Damien Miller <djm at mindrot.org> ---
Retarget unfinished bugs to OpenSSH 8.0
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19 06:15 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2893                        |

--- Comment #16 from Damien Miller <djm at mindrot.org> ---
Retarget unfinished bugs to OpenSSH 8.0

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2893
[Bug 2893] Tracking bug for 7.9 release
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-22 03:21 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #17 from Damien Miller <djm at mindrot.org> ---
I don't think I want to move forward with this change - the sha256 signatures are a lot more ubiquitous and accepted than they were in 2016 and I want to hasten the day when OpenSSH and its dependencies can compile without any MD5 support at all.
bugzilla-daemon at mindrot.org
2021-Apr-23 04:58 UTC
[Bug 2439] New sha256-base64 SSH Fingerprints in openssh-6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #18 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release