search for: fingerprinthash

https://bugzilla.mindrot.org/show_bug.cgi?id=2332 Bug ID: 2332 Summary: Show more secure fingerprints than MD5 (e.g. SHA256) in ssh and ssh-keygen Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: All Status: NEW Severity: enhancement Priority: P5

...| Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org Status|NEW |ASSIGNED --- Comment #20 from Damien Miller <djm at mindrot.org> --- Created attachment 2518 --> https://bugzilla.mindrot.org/attachment.cgi?id=2518&action=edit FingerprintHash option This adds a FingerprintHash option to sshd and ssh, and a -E flag to ssh-add, ssh-agent and ssh-keygen. Fingerprints are now prefixed with the hash algorithm used and non-MD5 hashes use base64 encoding rather than hex. The default fingerprint algorithm is SHA256. Examples: > ssh-keygen...

...m.de> Signed-off-by: Christian Hesse <mail at eworm.de> --- ssh_config.5 | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ssh_config.5 b/ssh_config.5 index 5b0975f..28f7714 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -649,9 +649,13 @@ The default is .It Cm FingerprintHash Specifies the hash algorithm used when displaying key fingerprints. Valid options are: -.Dq md5 +.Dq md5 , +.Dq ripemd160 , +.Dq sha1 , +.Dq sha256 , +.Dq sha384 and -.Dq sha256 . +.Dq sha512 . The default is .Dq sha256 . .It Cm ForwardAgent -- 2.5.0

...ing="SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8" <destination> ...or... ssh -o verifyHostKeyString="16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48" <destination> Additional minutiae: It seems to me that the supplied string can serve as a stand-in for the FingerprintHash argument (though it's not clear to me whether MD5 hash strings are expected to begin with "MD5:") The fingerprint presented to the user represents only one of the key types (the most preferred?) that the server holds. Should using this option require the user to specify the key type...

...o re-enable it or convert to matching against addresses. New Features ------------ * Much of OpenSSH's internal code has been re-factored to be more library-like. These changes are mostly not user-visible, but have greatly improved OpenSSH's testability and internal layout. * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent command-line flags to the other tools to control algorithm used for key fingerprints. The default changes from MD5 to SHA256 and format from hex to base64. Fingerprints now have the hash algorithm prepended. An example of the new format:...

...o re-enable it or convert to matching against addresses. New Features ------------ * Much of OpenSSH's internal code has been re-factored to be more library-like. These changes are mostly not user-visible, but have greatly improved OpenSSH's testability and internal layout. * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent command-line flags to the other tools to control algorithm used for key fingerprints. The default changes from MD5 to SHA256 and format from hex to base64. Fingerprints now have the hash algorithm prepended. An example of the new format:...

...use_dns == -1) options->use_dns = 0; if (options->client_alive_interval == -1) @@ -429,7 +432,7 @@ sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, sStreamLocalBindMask, sStreamLocalBindUnlink, - sAllowStreamLocalForwarding, sFingerprintHash, + sAllowStreamLocalForwarding, sFingerprintHash, sMaxDisplays, sDeprecated, sUnsupported } ServerOpCodes; @@ -572,6 +575,7 @@ { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, {...

https://bugzilla.mindrot.org/show_bug.cgi?id=2081 Bug ID: 2081 Summary: extend the parameters to the AuthorizedKeysCommand Classification: Unclassified Product: Portable OpenSSH Version: 6.2p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: sshd

...lt; options->num_host_cert_files; i++) @@ -417,6 +419,7 @@ typedef enum { sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, sStreamLocalBindMask, sStreamLocalBindUnlink, + sStreamLocalBindRootDirectory, sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, sDeprecated, sIgnore, sUnsupported } ServerOpCodes; @@ -558,6 +561,7 @@ static struct { { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, { "streamlocalbindunlink"...