bugzilla-daemon at mindrot.org
2024-Nov-19 13:59 UTC
[Bug 3753] New: ssh-keygen and ssh-keyscan prints SHA1 SSHFP digest by default
https://bugzilla.mindrot.org/show_bug.cgi?id=3753

            Bug ID: 3753
           Summary: ssh-keygen and ssh-keyscan prints SHA1 SSHFP digest by default
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: pemensik at redhat.com

    ssh-keygen -r localhost -f ~/.ssh/id_ed25519.pub

generates SSHFP records for inclusion in DNS. But that includes SHA1 digest, which should not be used anymore for verification of key status.

Minor issue in manual page is that it does not mention -O is also supported in -r mode. In top SYNOPSIS section, -r hostname does not contain [-O option], like -M generate below it. But it accepts options.

I can get desired behaviour by:

    ssh-keygen -r localhost -f ~/.ssh/id_ed25519.pub -O hashalg=sha256

But I think -O hashalg=sha1 should be mandatory to print SHA1 digests. It should be omitted by default.

--
You are receiving this mail because:
You are watching the assignee of the bug.
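An added example, not part of the original report and not OpenSSH code: it derives SSHFP records from an OpenSSH public key line with SHA-256 (fingerprint type 2) as the only default, and flags SHA-1 (type 1) records in existing zone text. The function names and the all-zero sample key are constructed for illustration.

```python
import base64
import hashlib

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479); ECDSA is 3.
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
HASHERS = {1: hashlib.sha1, 2: hashlib.sha256}


def key_alg_number(key_type):
    """Map an OpenSSH key type name to its SSHFP algorithm number."""
    return 3 if key_type.startswith("ecdsa-sha2-") else KEY_ALGS[key_type]


def sshfp_records(hostname, pubkey_line, fp_types=(2,)):
    """Build SSHFP lines for one public key line; SHA-256 only unless asked."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)  # the digest covers the raw key blob
    alg = key_alg_number(key_type)
    return [f"{hostname} IN SSHFP {alg} {t} {HASHERS[t](blob).hexdigest()}"
            for t in fp_types]


def sha1_records(zone_text):
    """Return the SSHFP lines in zone_text that use fingerprint type 1."""
    hits = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop zone-file comments
        if "SSHFP" in fields:
            i = fields.index("SSHFP")
            if len(fields) >= i + 4 and fields[i + 2] == "1":
                hits.append(line.strip())
    return hits


def constructed_ed25519_line():
    """Constructed sample: wire-format blob with an all-zero key, not a real host key."""
    def ssh_string(b):
        return len(b).to_bytes(4, "big") + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    line = constructed_ed25519_line()
    both = sshfp_records("localhost", line, fp_types=(1, 2))
    print("\n".join(both))
    print("SHA-1 records to retire:", sha1_records("\n".join(both)))
```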
bugzilla-daemon at mindrot.org
2024-Nov-19 14:02 UTC
[Bug 3753] ssh-keygen and ssh-keyscan prints SHA1 SSHFP digest by default
https://bugzilla.mindrot.org/show_bug.cgi?id=3753

Petr Menšík <pemensik at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://issues.redhat.com/browse/RHEL-67883

--- Comment #1 from Petr Menšík <pemensik at redhat.com> ---
Reported also on
RHEL: https://issues.redhat.com/browse/RHEL-67883
Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=2326717
bugzilla-daemon at mindrot.org
2024-Nov-19 14:12 UTC
[Bug 3753] ssh-keygen and ssh-keyscan prints SHA1 SSHFP digest by default
https://bugzilla.mindrot.org/show_bug.cgi?id=3753

--- Comment #2 from Petr Menšík <pemensik at redhat.com> ---
I wanted to make clone for ssh-keyscan -D localhost, but cannot find clone button we have on redhat bugzilla. I will leave it for duplication to any assignee handling it. I think reporting it single time is enough for now. Tell me if I should create a duplicate myself.
bugzilla-daemon at mindrot.org
2024-Nov-19 14:13 UTC
[Bug 3753] ssh-keygen and ssh-keyscan prints SHA1 SSHFP digest by default
https://bugzilla.mindrot.org/show_bug.cgi?id=3753

Petr Menšík <pemensik at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|enhancement                 |minor
bugzilla-daemon at mindrot.org
2024-Dec-05 08:11 UTC
[Bug 3753] ssh-keygen and ssh-keyscan prints SHA1 SSHFP digest by default
https://bugzilla.mindrot.org/show_bug.cgi?id=3753

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org
         Resolution|---                         |FIXED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
it was, yesterday
https://github.com/openssh/openssh-portable/commit/6993d9f0959534b0b7d52e17b95e9e79fb0b3d0a
bugzilla-daemon at mindrot.org
2024-Dec-05 10:34 UTC
[Bug 3753] ssh-keygen and ssh-keyscan prints SHA1 SSHFP digest by default
https://bugzilla.mindrot.org/show_bug.cgi?id=3753

--- Comment #4 from Petr Menšík <pemensik at redhat.com> ---
That link does contain only \r addition. Is that really possible this actually fixes SHA1 digest printed in both ssh-keyscan and ssh-keygen? It seems unlikely to me.
bugzilla-daemon at mindrot.org
2024-Dec-05 14:28 UTC
[Bug 3753] ssh-keygen and ssh-keyscan prints SHA1 SSHFP digest by default
https://bugzilla.mindrot.org/show_bug.cgi?id=3753

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
oops, wrong bug