openssh unix dev - Apr 2010 - choice of fingerprint display upon new host access

When a user encounters a new ssh host, the VisualHostKey option makes
ssh display the visual fingerprint of the host's key.

ssh-keygen also supports BubbleBabble fingerprinting, but i don't see a
way to indicate that ssh should display the bubblebabble fingerprint
upon encountering a new host key.

It seems like it would be nice to make OpenSSH configurable about its
choice of fingerprinting scheme without adding a new option for every
possible flavor of fingerprinting.  In particular, i'm not proposing
that we include a BubbleBabbleHostKey option to ssh_config.

What do people think of the following approach for ssh_config:

 HostKeyFingerprint is an option which takes a comma-separated set of
fingerprint styles to display to the user upon seeing a new host key.
Supported options are: "hex", "bubblebabble",
"visual"

   The default is: hex

For backward compatibility, -oVisualHostKey=yes implicitly adds
"visual"
to this set if it is not already present.

If people think this is a good idea, i'll open a bugzilla ticket about
it.  I'm also interested to hear if people have any objections to the idea.

Regards,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 892 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20100419/8a4febdf/attachment.bin>

On Mon, 19 Apr 2010, Daniel Kahn Gillmor wrote:
> When a user encounters a new ssh host, the VisualHostKey option makes
> ssh display the visual fingerprint of the host's key.
> 
> ssh-keygen also supports BubbleBabble fingerprinting, but i don't see a
> way to indicate that ssh should display the bubblebabble fingerprint
> upon encountering a new host key.
> 
> It seems like it would be nice to make OpenSSH configurable about its
> choice of fingerprinting scheme without adding a new option for every
> possible flavor of fingerprinting.  In particular, i'm not proposing
> that we include a BubbleBabbleHostKey option to ssh_config.
> 
> What do people think of the following approach for ssh_config:
> 
>  HostKeyFingerprint is an option which takes a comma-separated set of
> fingerprint styles to display to the user upon seeing a new host key.
> Supported options are: "hex", "bubblebabble",
"visual"
> 
>    The default is: hex
> 
> For backward compatibility, -oVisualHostKey=yes implicitly adds
"visual"
> to this set if it is not already present.
> 
> If people think this is a good idea, i'll open a bugzilla ticket about
> it.  I'm also interested to hear if people have any objections to the
idea.
Amusingly a brand new bug entry requests the option to display bubblebabble
fingerprints. Fell free to repurpose it to your proposal (which I think is
fine). https://bugzilla.mindrot.org/show_bug.cgi?id=1759
-d