openssh bugs - Jan 2015 - [Bug 2332] New: Show more secure fingerprints than MD5 (e.g. SHA256) in ssh and ssh-keygen

https://bugzilla.mindrot.org/show_bug.cgi?id=2332

            Bug ID: 2332
           Summary: Show more secure fingerprints than MD5 (e.g. SHA256)
                    in ssh and ssh-keygen
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: kolAflash at kolahilft.de

When connecting to a server the first time, the only information you
get about the servers public key fingerprint in MD5.

Since all I know, MD5 is pretty much broken for security purposes.

Guess it would be wise, to additionally (not exclusively) display a
more secure fingerprint. Probably SHA256 or SHA512 would be great.

By command-line option ssh could also display the full key. (which
isn't that long, especially for ed25519)

ssh-keygen -l -f key-file.pub
Also needs to be able to show a better hash function.

--

This is the only way I currently know, to calculate a SHA256
fingerprint from shell.

openssl pkcs8 -in /etc/ssh/ssh_host_rsa_key.pub -nocrypt -topk8
-outform DER | openssl sha256 -c

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2332

Petr Lautrbach <plautrba at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |plautrba at redhat.com

--- Comment #1 from Petr Lautrbach <plautrba at redhat.com> ---
It seems to be already changed in the development tree, see 
https://anongit.mindrot.org/openssh.git/commit/?id=56d1c83cdd1ac76f1c6bd41e01e80dad834f3994

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2332

--- Comment #2 from kolAflash at kolahilft.de ---
Just tested the current version from Git.

SHA256 is working great!

Gives me the SHA256 or MD5 fingerprint:
ssh-keygen -lv -E SHA256 -f id_rsa.pub
ssh-keygen -lv -E MD5 -f id_rsa.pub


But:

SSH client also needs an option to show MD5 (like ssh-keygen).

Why not also offer SHA512 for really paranoid people?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2332

--- Comment #3 from Petr Lautrbach <plautrba at redhat.com> ---
You can put "FingerprintHash=md5" into your ssh config files
(/etc/ssh/ssh_config, ~/.ssh/config) or use '-o FingerprintHash=md5'
directly on the command line.

$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be
established.
ECDSA key fingerprint is
SHA256:WvwqGxIhzB8L7L3/V9v9cI4IZ+IxTtAGo2FXFRfpPSQ.


$ ssh -o FingerprintHash=md5 localhost
The authenticity of host 'localhost (127.0.0.1)' can't be
established.
ECDSA key fingerprint is
MD5:da:24:43:0b:2e:c1:3f:a1:84:13:92:01:52:b4:84:ff.
...


$ ssh -o FingerprintHash=sha512 localhost
The authenticity of host 'localhost (127.0.0.1)' can't be
established.
ECDSA key fingerprint is
SHA512:lbvPnoYkOXD0yOv7C1iLFjrlPz0sg5ImLzT7ffZTte4iJ7MmZtHjBTRm9EimMAYKNGgB5XEHDs8gnCPnJCf5dQ.


But there seems to be a bug that you can't overwrite FingerprintHash
option on the command line when it's set in a config file.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2332

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
(In reply to Petr Lautrbach from comment #3)
> But there seems to be a bug that you can't overwrite FingerprintHash
> option on the command line when it's set in a config file.
Can you give me a recipe to reproduce?

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2332

--- Comment #5 from Petr Lautrbach <plautrba at redhat.com> ---
~/.ssh/config:
host *
    FingerprintHash=md5

$ ssh -o FingerprintHash=sha512 localhost
The authenticity of host 'localhost (127.0.0.1)' can't be
established.
ECDSA key fingerprint is
MD5:da:24:43:0b:2e:c1:3f:a1:84:13:92:01:52:b4:84:ff.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2332

--- Comment #6 from Petr Lautrbach <plautrba at redhat.com> ---
works for me with this patch:

--- a/readconf.c
+++ b/readconf.c
@@ -1464,6 +1464,7 @@ parse_int:
                goto parse_string;

        case oFingerprintHash:
+               intptr = &options->fingerprint_hash;
                arg = strdelim(&s);
                if (!arg || *arg == '\0')
                        fatal("%.200s line %d: Missing argument.",
@@ -1471,8 +1472,8 @@ parse_int:
                if ((value = ssh_digest_alg_by_name(arg)) == -1)
                        fatal("%.200s line %d: Invalid hash algorithm
\"%s\".",
                            filename, linenum, arg);
-               if (*activep)
-                       options->fingerprint_hash = value;
+               if (*activep && *intptr == -1)
+                       *intptr = value;
                break;

        case oDeprecated:

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2332

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
applied - thanks. I don't think there is anything left unfinished in
this bug then :)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2332

Max Polk <maxpolk at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |---
             Status|RESOLVED                    |REOPENED
                 CC|                            |maxpolk at gmail.com

--- Comment #8 from Max Polk <maxpolk at gmail.com> ---
Request for two small man page documentation changes.

The 6.8 release notes state, "The default changes from MD5 to SHA256
and
format from hex to base64" for host fingerprint display in ssh, and on
the server in ssh-keygen when looking at the server key in order to
compare.

I discovered that when a 6.8 ssh client connects to a 6.7 or older
server, the server side ssh-keygen doesn't have the new "-E"
option,
and still shows you only the md5-based, hex-formatted, key.  The
suggested command in the ssh man page doesn't help:

  $ ssh-keygen -l -f /etc/ssh_host_rsa_key

To verify, the option on the client side is to downgrade ssh to use the
md5 fingerprint:

  $ ssh -o FingerprintHash=md5 HOST

To verify, the option on the server side is to manually calculate the
new style fingerprint:

  $ cat /etc/ssh/ssh_host_ecdsa_key.pub | cut -d ' ' -f 2 | base64 -d |
openssl sha256 -binary | base64

Can the ssh documentation be updated, under the "VERIFYING HOST KEYS"
manual section, to state how to downgrade to md5 when connecting to
older hosts?  Or if not, could the option "FingerprintHash" at least
be
mentioned there?  That special option is mentioned only once later in
the long listing of options under the -o stanza.

I ask this, because getting verification to work with the new ssh
client was very difficult.  I thought I lost the capability and ended
up coming up with that manual server-side way to calculate the new
style finterprint:

  SERVER public key file: base64(binarykey)
  SSH command: base64(sha256(binarykey))
  SSH-KEYGEN command: hex(md5(binarykey))      # older server

It is a huge usability problem to seemingly lose this verification
going between 6.8 client and 6.7 and older server.  It was not lost,
just difficult to discover, so I'm reopening this for two documentation
updates to make the user experience a lot easier when they face the
same problem I did.

Also, can we update the ssh_config documentation to note that not only
is the hash being switched, but also the format (base64 vs hex)? 
Client downgrading from sha256 to md5 using FingerprintHash switches
from sha256 to md5 (as documented), but it also switches the formatting
from base64 to hex (not documented).  Example:

  SHA256:mIfDbTHZHp8n8HT/R04oKL2lzXwje8A07P6WTjEp20A
  MD5:bc:b1:82:45:1c:94:ae:cf:bd:b3:8f:63:75:0c:2f:f3

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2332

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #9 from Damien Miller <djm at mindrot.org> ---
I added a pointer to ssh-keygen -E, but I don't think it's desirable
for the manual page to cover ever possible contingency - if you have
access to the key to hash, then it's not much more work just to copy it
over.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2332

--- Comment #10 from kolAflash at kolahilft.de ---
Guess the -E option should be documented in the manual page.


Szenario:
You run a server, to which people from your company/team should connect
to. The other people use different SSH versions (some showing the old
MD5, some showing the new SHA256 fingerprint). You want to give the
other people the fingerprint for verification when they connect, so you
need to know how to generate the MD5 and the SHA256 fingerprint and the
-E option will be pretty important for you.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2332

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #11 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.