Attachment #2006 for bug #1872





	if (host_status == HOST_OK) {
		if (key_is_cert(key)) {
			fp = key_selected_fingerprint(key->cert->signature_key,
			    SSH_FP_HEX);
			verbose("Accepted certificate ID \"%s\" signed by "
			    "%s CA %s%s from %s@%s", key->cert->key_id,
			    key_type(key->cert->signature_key),
			    key_fingerprint_prefix(), fp,
			    cuser, lookup);
		} else {
			fp = key_selected_fingerprint(key, SSH_FP_HEX);
			verbose("Accepted %s public key %s%s from %s@%s",
			    key_type(key), key_fingerprint_prefix(),
			    fp, cuser, lookup);
		}
		xfree(fp);
	}




				continue;
			if (!key_is_cert_authority)
				continue;
			fp = key_selected_fingerprint(found, SSH_FP_HEX);
			debug("matching CA found: file %s, line %lu, %s %s%s",
			    file, linenum, key_type(found),
			    key_fingerprint_prefix(), fp);
			/*
			 * If the user has specified a list of principals as
			 * a key option, then prefer that list to matching

			found_key = 1;
			debug("matching key found: file %s, line %lu",
			    file, linenum);
			fp = key_selected_fingerprint(found, SSH_FP_HEX);
			verbose("Found matching %s key: %s%s",
			    key_type(found), key_fingerprint_prefix(), fp);
			xfree(fp);
			break;
		}

	if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
		return 0;

	ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
	    SSH_FP_MD5, SSH_FP_HEX);

	if (key_in_file(key->cert->signature_key,
	    options.trusted_user_ca_keys, 1) != 1) {
		debug2("%s: CA %s%s %s is not listed in %s", __func__,
		    key_type(key->cert->signature_key),
		    key_fingerprint_prefix(), ca_fp,
		    options.trusted_user_ca_keys);
		goto out;
	}

Lines 639-647 auth_key_is_revoked(Key *key) Link Here

(-)openssh-5.8p1/auth.c.fingerprint (-2 / +3 lines)
639	return 1;	639	return 1;
640	case 1:	640	case 1:
641	/* Key revoked */	641	/* Key revoked */
642	key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);	642	key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
643	error("WARNING: authentication attempt with a revoked "	643	error("WARNING: authentication attempt with a revoked "
644	"%s key %s ", key_type(key), key_fp);	644	"%s key %s%s ", key_type(key),
		645	key_fingerprint_prefix(), key_fp);
645	xfree(key_fp);	646	xfree(key_fp);
646	return 1;	647	return 1;
647	}	648	}

Lines 318-326 auth_rsa(Authctxt authctxt, BIGNUM cli Link Here

(-)openssh-5.8p1/auth-rsa.c.fingerprint (-3 / +3 lines)
318	* options; this will be reset if the options cause the	318	* options; this will be reset if the options cause the
319	* authentication to be rejected.	319	* authentication to be rejected.
320	*/	320	*/
321	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);	321	fp = key_selected_fingerprint(key, SSH_FP_HEX);
322	verbose("Found matching %s key: %s",	322	verbose("Found matching %s key: %s%s",
323	key_type(key), fp);	323	key_type(key), key_fingerprint_prefix(), fp);
324	xfree(fp);	324	xfree(fp);
325	key_free(key);	325	key_free(key);
326		326




	return retval;
}

enum fp_type
key_fingerprint_selection(void)
{
	static enum fp_type rv;
	static char rv_defined = 0;
	char *env;

	if (!rv_defined) {
		env = getenv("SSH_FINGERPRINT_TYPE");
		rv = (env && !strcmp (env, "sha")) ?
			SSH_FP_SHA1 : SSH_FP_MD5;
		rv_defined = 1;
	}
	return rv;
}

char *
key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
{
	return key_fingerprint(k, key_fingerprint_selection(), dgst_rep);
}

char *
key_fingerprint_prefix(void)
{
	return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : "";
}

/*
 * Reads a multiple-precision integer in decimal from the buffer, and advances
 * the pointer.  The integer must already be initialized.  This function is

Lines 96-101 int key_equal_public(const Key *, cons Link Here

(-)openssh-5.8p1/key.h.fingerprint (+3 lines)
96	int key_equal(const Key , const Key );	96	int key_equal(const Key , const Key );
97	char key_fingerprint(Key , enum fp_type, enum fp_rep);	97	char key_fingerprint(Key , enum fp_type, enum fp_rep);
98	u_char key_fingerprint_raw(Key , enum fp_type, u_int *);	98	u_char key_fingerprint_raw(Key , enum fp_type, u_int *);
		99	enum fp_type key_fingerprint_selection(void);
		100	char key_selected_fingerprint(Key , enum fp_rep);
		101	char *key_fingerprint_prefix(void);
99	const char key_type(const Key );	102	const char key_type(const Key );
100	const char key_cert_type(const Key );	103	const char key_cert_type(const Key );
101	int key_write(const Key , FILE );	104	int key_write(const Key , FILE );

Lines 280-289 list_identities(AuthenticationConnection Link Here

(-)openssh-5.8p1/ssh-add.c.fingerprint (-4 / +4 lines)
280	key = ssh_get_next_identity(ac, &comment, version)) {	280	key = ssh_get_next_identity(ac, &comment, version)) {
281	had_identities = 1;	281	had_identities = 1;
282	if (do_fp) {	282	if (do_fp) {
283	fp = key_fingerprint(key, SSH_FP_MD5,	283	fp = key_selected_fingerprint(key, SSH_FP_HEX);
284	SSH_FP_HEX);	284	printf("%d %s%s %s (%s)\n",
285	printf("%d %s %s (%s)\n",	285	key_size(key), key_fingerprint_prefix(),
286	key_size(key), fp, comment, key_type(key));	286	fp, comment, key_type(key));
287	xfree(fp);	287	xfree(fp);
288	} else {	288	} else {
289	if (!key_write(key, stdout))	289	if (!key_write(key, stdout))

Lines 199-207 confirm_key(Identity *id) Link Here

(-)openssh-5.8p1/ssh-agent.c.fingerprint (-3 / +3 lines)
199	char *p;	199	char *p;
200	int ret = -1;	200	int ret = -1;
201		201
202	p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);	202	p = key_selected_fingerprint(id->key, SSH_FP_HEX);
203	if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",	203	if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.",
204	id->comment, p))	204	id->comment, key_fingerprint_prefix(), p))
205	ret = 0;	205	ret = 0;
206	xfree(p);	206	xfree(p);
207		207




		    key->type, pktype);
		goto done;
	}
	fp = key_selected_fingerprint(key, SSH_FP_HEX);
	debug2("input_userauth_pk_ok: fp %s%s",
	    key_fingerprint_prefix(), fp);
	xfree(fp);

	/*

	int have_sig = 1;
	char *fp;

	fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
	debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
	    key_fingerprint_prefix(), fp);
	xfree(fp);

	if (key_to_blob(id->key, &blob, &bloblen) == 0) {




				    "key for IP address '%.128s' to the list "
				    "of known hosts.", type, ip);
		} else if (options.visual_host_key) {
			fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
			ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
			logit("Host key fingerprint is %s%s\n%s\n",
			    key_fingerprint_prefix(), fp, ra);
			xfree(ra);
			xfree(fp);
		}

			else
				snprintf(msg1, sizeof(msg1), ".");
			/* The default */
			fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
			ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
			    SSH_FP_RANDOMART);
			msg2[0] = '\0';
			if (options.verify_host_key_dns) {
				if (matching_host_key_dns)

			snprintf(msg, sizeof(msg),
			    "The authenticity of host '%.200s (%s)' can't be "
			    "established%s\n"
			    "%s key fingerprint is %s%s.%s%s\n%s"
			    "Are you sure you want to continue connecting "
			    "(yes/no)? ",
			    host, ip, msg1, type,
			    key_fingerprint_prefix(), fp,
			    options.visual_host_key ? "\n" : "",
			    options.visual_host_key ? ra : "",
			    msg2);

	int flags = 0;
	char *fp;

	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
	debug("Server host key: %s %s%s", key_type(host_key),
	    key_fingerprint_prefix(), fp);
	xfree(fp);

	/* XXX certs are not yet supported for DNS */

			continue;
		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
			continue;
		fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
		ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
		logit("WARNING: %s key found for host %s\n"
		    "in %s:%lu\n"
		    "%s key fingerprint %s%s.",
		    key_type(found->key),
		    found->host, found->file, found->line,
		    key_type(found->key),
		    key_fingerprint_prefix(), fp);
		if (options.visual_host_key)
			logit("%s", ra);
		xfree(ra);

{
	char *fp;

	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);

	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");

	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
	error("It is also possible that a host key has just been changed.");
	error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
	    key_type(host_key),key_fingerprint_prefix(),  fp);
	error("Please contact your system administrator.");

	xfree(fp);




{
	FILE *f;
	Key *public;
	char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra, *pfx;
	int i, skip = 0, num = 0, invalid = 1;
	enum fp_rep rep;
	enum fp_type fptype;
	struct stat st;

	fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
	pfx =	 print_bubblebabble ? "" : key_fingerprint_prefix();
	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;

	if (!have_identity)

	public = key_load_public(identity_file, &comment);
	if (public != NULL) {
		fp = key_fingerprint(public, fptype, rep);
		ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
		printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, comment,
		    key_type(public));
		if (log_level >= SYSLOG_LEVEL_VERBOSE)
			printf("%s\n", ra);

		}
		comment = *cp ? cp : comment;
		fp = key_fingerprint(public, fptype, rep);
		ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
		printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp,
		    comment ? comment : "no comment", key_type(public));
		if (log_level >= SYSLOG_LEVEL_VERBOSE)
			printf("%s\n", ra);

	if (print_fingerprint) {
		enum fp_rep rep;
		enum fp_type fptype;
		char *fp, *ra, *pfx;

		fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
		pfx =	 print_bubblebabble ? "" : key_fingerprint_prefix();
		rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;

		fp = key_fingerprint(public, fptype, rep);
		ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
		printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, name,
		    key_type(public));
		if (log_level >= SYSLOG_LEVEL_VERBOSE)
			printf("%s\n", ra);

		fatal("%s is not a certificate", identity_file);
	v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;

	key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
	ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
	    SSH_FP_MD5, SSH_FP_HEX);

	printf("%s:\n", identity_file);
	printf("        Type: %s %s certificate\n", key_ssh_name(key),
	    key_cert_type(key));
	printf("        Public key: %s %s%s\n", key_type(key),
	    key_fingerprint_prefix(), key_fp);
	printf("        Signing CA: %s %s%s\n",
	    key_type(key->cert->signature_key),
	    key_fingerprint_prefix(), ca_fp);
	printf("        Key ID: \"%s\"\n", key->cert->key_id);
	if (!v00) {
		printf("        Serial: %llu\n",

	fclose(f);

	if (!quiet) {
		char *fp = key_selected_fingerprint(public, SSH_FP_HEX);
		char *ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
		    SSH_FP_RANDOMART);
		printf("Your public key has been saved in %s.\n",
		    identity_file);
		printf("The key fingerprint is:\n");
		printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
		printf("The key's randomart image is:\n");
		printf("%s\n", ra);
		xfree(ra);

Return to bug 1872

Lines 594-599 key_fingerprint(Key *k, enum fp_type dgs Link Here

(-)openssh-5.8p1/key.c.fingerprint (+28 lines)
594	return retval;	594	return retval;
595	}	595	}
596		596
		597	enum fp_type
		598	key_fingerprint_selection(void)
		599	{
		600	static enum fp_type rv;
		601	static char rv_defined = 0;
		602	char *env;
		603
		604	if (!rv_defined) {
		605	env = getenv("SSH_FINGERPRINT_TYPE");
		606	rv = (env && !strcmp (env, "sha")) ?
		607	SSH_FP_SHA1 : SSH_FP_MD5;
		608	rv_defined = 1;
		609	}
		610	return rv;
		611	}
		612
		613	char *
		614	key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
		615	{
		616	return key_fingerprint(k, key_fingerprint_selection(), dgst_rep);
		617	}
		618
		619	char *
		620	key_fingerprint_prefix(void)
		621	{
		622	return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : "";
		623	}
		624
597	/*	625	/*
598	* Reads a multiple-precision integer in decimal from the buffer, and advances	626	* Reads a multiple-precision integer in decimal from the buffer, and advances
599	* the pointer. The integer must already be initialized. This function is	627	* the pointer. The integer must already be initialized. This function is

Lines 590-597 input_userauth_pk_ok(int type, u_int32_t Link Here

(-)openssh-5.8p1/sshconnect2.c.fingerprint (-4 / +6 lines)
590	key->type, pktype);	590	key->type, pktype);
591	goto done;	591	goto done;
592	}	592	}
593	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);	593	fp = key_selected_fingerprint(key, SSH_FP_HEX);
594	debug2("input_userauth_pk_ok: fp %s", fp);	594	debug2("input_userauth_pk_ok: fp %s%s",
		595	key_fingerprint_prefix(), fp);
595	xfree(fp);	596	xfree(fp);
596		597
597	/*	598	/*
Lines 1203-1210 sign_and_send_pubkey(Authctxt *authctxt, Link Here
1203	int have_sig = 1;	1204	int have_sig = 1;
1204	char *fp;	1205	char *fp;
1205		1206
1206	fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);	1207	fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
1207	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);	1208	debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
		1209	key_fingerprint_prefix(), fp);
1208	xfree(fp);	1210	xfree(fp);
1209		1211
1210	if (key_to_blob(id->key, &blob, &bloblen) == 0) {	1212	if (key_to_blob(id->key, &blob, &bloblen) == 0) {

Lines 798-807 check_host_key(char *hostname, struct so Link Here

(-)openssh-5.8p1/sshconnect.c.fingerprint (-18 / +20 lines)
798	"key for IP address '%.128s' to the list "	798	"key for IP address '%.128s' to the list "
799	"of known hosts.", type, ip);	799	"of known hosts.", type, ip);
800	} else if (options.visual_host_key) {	800	} else if (options.visual_host_key) {
801	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);	801	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
802	ra = key_fingerprint(host_key, SSH_FP_MD5,	802	ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
803	SSH_FP_RANDOMART);	803	logit("Host key fingerprint is %s%s\n%s\n",
804	logit("Host key fingerprint is %s\n%s\n", fp, ra);	804	key_fingerprint_prefix(), fp, ra);
805	xfree(ra);	805	xfree(ra);
806	xfree(fp);	806	xfree(fp);
807	}	807	}
Lines 838-846 check_host_key(char *hostname, struct so Link Here
838	else	838	else
839	snprintf(msg1, sizeof(msg1), ".");	839	snprintf(msg1, sizeof(msg1), ".");
840	/* The default */	840	/* The default */
841	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);	841	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
842	ra = key_fingerprint(host_key, SSH_FP_MD5,	842	ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
843	SSH_FP_RANDOMART);
844	msg2[0] = '\0';	843	msg2[0] = '\0';
845	if (options.verify_host_key_dns) {	844	if (options.verify_host_key_dns) {
846	if (matching_host_key_dns)	845	if (matching_host_key_dns)
Lines 855-864 check_host_key(char *hostname, struct so Link Here
855	snprintf(msg, sizeof(msg),	854	snprintf(msg, sizeof(msg),
856	"The authenticity of host '%.200s (%s)' can't be "	855	"The authenticity of host '%.200s (%s)' can't be "
857	"established%s\n"	856	"established%s\n"
858	"%s key fingerprint is %s.%s%s\n%s"	857	"%s key fingerprint is %s%s.%s%s\n%s"
859	"Are you sure you want to continue connecting "	858	"Are you sure you want to continue connecting "
860	"(yes/no)? ",	859	"(yes/no)? ",
861	host, ip, msg1, type, fp,	860	host, ip, msg1, type,
		861	key_fingerprint_prefix(), fp,
862	options.visual_host_key ? "\n" : "",	862	options.visual_host_key ? "\n" : "",
863	options.visual_host_key ? ra : "",	863	options.visual_host_key ? ra : "",
864	msg2);	864	msg2);
Lines 1104-1111 verify_host_key(char *host, struct socka Link Here
1104	int flags = 0;	1104	int flags = 0;
1105	char *fp;	1105	char *fp;
1106		1106
1107	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);	1107	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
1108	debug("Server host key: %s %s", key_type(host_key), fp);	1108	debug("Server host key: %s %s%s", key_type(host_key),
		1109	key_fingerprint_prefix(), fp);
1109	xfree(fp);	1110	xfree(fp);
1110		1111
1111	/* XXX certs are not yet supported for DNS */	1112	/* XXX certs are not yet supported for DNS */
Lines 1214-1227 show_other_keys(struct hostkeys *hostkey Link Here
1214	continue;	1215	continue;
1215	if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))	1216	if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
1216	continue;	1217	continue;
1217	fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);	1218	fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
1218	ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);	1219	ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
1219	logit("WARNING: %s key found for host %s\n"	1220	logit("WARNING: %s key found for host %s\n"
1220	"in %s:%lu\n"	1221	"in %s:%lu\n"
1221	"%s key fingerprint %s.",	1222	"%s key fingerprint %s%s.",
1222	key_type(found->key),	1223	key_type(found->key),
1223	found->host, found->file, found->line,	1224	found->host, found->file, found->line,
1224	key_type(found->key), fp);	1225	key_type(found->key),
		1226	key_fingerprint_prefix(), fp);
1225	if (options.visual_host_key)	1227	if (options.visual_host_key)
1226	logit("%s", ra);	1228	logit("%s", ra);
1227	xfree(ra);	1229	xfree(ra);
Lines 1236-1242 warn_changed_key(Key *host_key) Link Here
1236	{	1238	{
1237	char *fp;	1239	char *fp;
1238		1240
1239	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);	1241	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
1240		1242
1241	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");	1243	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1242	error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");	1244	error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
Lines 1244-1251 warn_changed_key(Key *host_key) Link Here
1244	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");	1246	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
1245	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");	1247	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
1246	error("It is also possible that a host key has just been changed.");	1248	error("It is also possible that a host key has just been changed.");
1247	error("The fingerprint for the %s key sent by the remote host is\n%s.",	1249	error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
1248	key_type(host_key), fp);	1250	key_type(host_key),key_fingerprint_prefix(), fp);
1249	error("Please contact your system administrator.");	1251	error("Please contact your system administrator.");
1250		1252
1251	xfree(fp);	1253	xfree(fp);

Lines 714-726 do_fingerprint(struct passwd *pw) Link Here

(-)openssh-5.8p1/ssh-keygen.c.fingerprint (-20 / +23 lines)
714	{	714	{
715	FILE *f;	715	FILE *f;
716	Key *public;	716	Key *public;
717	char comment = NULL, cp, ep, line[161024], fp, ra;	717	char comment = NULL, cp, ep, line[161024], fp, ra, *pfx;
718	int i, skip = 0, num = 0, invalid = 1;	718	int i, skip = 0, num = 0, invalid = 1;
719	enum fp_rep rep;	719	enum fp_rep rep;
720	enum fp_type fptype;	720	enum fp_type fptype;
721	struct stat st;	721	struct stat st;
722		722
723	fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;	723	fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
		724	pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
724	rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;	725	rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
725		726
726	if (!have_identity)	727	if (!have_identity)
Lines 732-739 do_fingerprint(struct passwd *pw) Link Here
732	public = key_load_public(identity_file, &comment);	733	public = key_load_public(identity_file, &comment);
733	if (public != NULL) {	734	if (public != NULL) {
734	fp = key_fingerprint(public, fptype, rep);	735	fp = key_fingerprint(public, fptype, rep);
735	ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);	736	ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
736	printf("%u %s %s (%s)\n", key_size(public), fp, comment,	737	printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, comment,
737	key_type(public));	738	key_type(public));
738	if (log_level >= SYSLOG_LEVEL_VERBOSE)	739	if (log_level >= SYSLOG_LEVEL_VERBOSE)
739	printf("%s\n", ra);	740	printf("%s\n", ra);
Lines 798-805 do_fingerprint(struct passwd *pw) Link Here
798	}	799	}
799	comment = *cp ? cp : comment;	800	comment = *cp ? cp : comment;
800	fp = key_fingerprint(public, fptype, rep);	801	fp = key_fingerprint(public, fptype, rep);
801	ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);	802	ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
802	printf("%u %s %s (%s)\n", key_size(public), fp,	803	printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp,
803	comment ? comment : "no comment", key_type(public));	804	comment ? comment : "no comment", key_type(public));
804	if (log_level >= SYSLOG_LEVEL_VERBOSE)	805	if (log_level >= SYSLOG_LEVEL_VERBOSE)
805	printf("%s\n", ra);	806	printf("%s\n", ra);
Lines 823-835 printhost(FILE f, const char name, Key Link Here
823	if (print_fingerprint) {	824	if (print_fingerprint) {
824	enum fp_rep rep;	825	enum fp_rep rep;
825	enum fp_type fptype;	826	enum fp_type fptype;
826	char fp, ra;	827	char fp, ra, *pfx;
827		828
828	fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;	829	fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
		830	pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
829	rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;	831	rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
		832
830	fp = key_fingerprint(public, fptype, rep);	833	fp = key_fingerprint(public, fptype, rep);
831	ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);	834	ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
832	printf("%u %s %s (%s)\n", key_size(public), fp, name,	835	printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, name,
833	key_type(public));	836	key_type(public));
834	if (log_level >= SYSLOG_LEVEL_VERBOSE)	837	if (log_level >= SYSLOG_LEVEL_VERBOSE)
835	printf("%s\n", ra);	838	printf("%s\n", ra);
Lines 1695-1710 do_show_cert(struct passwd *pw) Link Here
1695	fatal("%s is not a certificate", identity_file);	1698	fatal("%s is not a certificate", identity_file);
1696	v00 = key->type == KEY_RSA_CERT_V00 \|\| key->type == KEY_DSA_CERT_V00;	1699	v00 = key->type == KEY_RSA_CERT_V00 \|\| key->type == KEY_DSA_CERT_V00;
1697		1700
1698	key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);	1701	key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
1699	ca_fp = key_fingerprint(key->cert->signature_key,	1702	ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
1700	SSH_FP_MD5, SSH_FP_HEX);
1701		1703
1702	printf("%s:\n", identity_file);	1704	printf("%s:\n", identity_file);
1703	printf(" Type: %s %s certificate\n", key_ssh_name(key),	1705	printf(" Type: %s %s certificate\n", key_ssh_name(key),
1704	key_cert_type(key));	1706	key_cert_type(key));
1705	printf(" Public key: %s %s\n", key_type(key), key_fp);	1707	printf(" Public key: %s %s%s\n", key_type(key),
1706	printf(" Signing CA: %s %s\n",	1708	key_fingerprint_prefix(), key_fp);
1707	key_type(key->cert->signature_key), ca_fp);	1709	printf(" Signing CA: %s %s%s\n",
		1710	key_type(key->cert->signature_key),
		1711	key_fingerprint_prefix(), ca_fp);
1708	printf(" Key ID: \"%s\"\n", key->cert->key_id);	1712	printf(" Key ID: \"%s\"\n", key->cert->key_id);
1709	if (!v00) {	1713	if (!v00) {
1710	printf(" Serial: %llu\n",	1714	printf(" Serial: %llu\n",
Lines 2249-2261 passphrase_again: Link Here
2249	fclose(f);	2253	fclose(f);
2250		2254
2251	if (!quiet) {	2255	if (!quiet) {
2252	char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);	2256	char *fp = key_selected_fingerprint(public, SSH_FP_HEX);
2253	char *ra = key_fingerprint(public, SSH_FP_MD5,	2257	char *ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
2254	SSH_FP_RANDOMART);
2255	printf("Your public key has been saved in %s.\n",	2258	printf("Your public key has been saved in %s.\n",
2256	identity_file);	2259	identity_file);
2257	printf("The key fingerprint is:\n");	2260	printf("The key fingerprint is:\n");
2258	printf("%s %s\n", fp, comment);	2261	printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
2259	printf("The key's randomart image is:\n");	2262	printf("The key's randomart image is:\n");
2260	printf("%s\n", ra);	2263	printf("%s\n", ra);
2261	xfree(ra);	2264	xfree(ra);

Lines 196-211 hostbased_key_allowed(struct passwd *pw, Link Here

(-)openssh-5.8p1/auth2-hostbased.c.fingerprint (-7 / +9 lines)
196		196
197	if (host_status == HOST_OK) {	197	if (host_status == HOST_OK) {
198	if (key_is_cert(key)) {	198	if (key_is_cert(key)) {
199	fp = key_fingerprint(key->cert->signature_key,	199	fp = key_selected_fingerprint(key->cert->signature_key,
200	SSH_FP_MD5, SSH_FP_HEX);	200	SSH_FP_HEX);
201	verbose("Accepted certificate ID \"%s\" signed by "	201	verbose("Accepted certificate ID \"%s\" signed by "
202	"%s CA %s from %s@%s", key->cert->key_id,	202	"%s CA %s%s from %s@%s", key->cert->key_id,
203	key_type(key->cert->signature_key), fp,	203	key_type(key->cert->signature_key),
		204	key_fingerprint_prefix(), fp,
204	cuser, lookup);	205	cuser, lookup);
205	} else {	206	} else {
206	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);	207	fp = key_selected_fingerprint(key, SSH_FP_HEX);
207	verbose("Accepted %s public key %s from %s@%s",	208	verbose("Accepted %s public key %s%s from %s@%s",
208	key_type(key), fp, cuser, lookup);	209	key_type(key), key_fingerprint_prefix(),
		210	fp, cuser, lookup);
209	}	211	}
210	xfree(fp);	212	xfree(fp);
211	}	213	}

Lines 319-328 user_key_allowed2(struct passwd *pw, Key Link Here

(-)openssh-5.8p1/auth2-pubkey.c.fingerprint (-11 / +11 lines)
319	continue;	319	continue;
320	if (!key_is_cert_authority)	320	if (!key_is_cert_authority)
321	continue;	321	continue;
322	fp = key_fingerprint(found, SSH_FP_MD5,	322	fp = key_selected_fingerprint(found, SSH_FP_HEX);
323	SSH_FP_HEX);	323	debug("matching CA found: file %s, line %lu, %s %s%s",
324	debug("matching CA found: file %s, line %lu, %s %s",	324	file, linenum, key_type(found),
325	file, linenum, key_type(found), fp);	325	key_fingerprint_prefix(), fp);
326	/*	326	/*
327	* If the user has specified a list of principals as	327	* If the user has specified a list of principals as
328	* a key option, then prefer that list to matching	328	* a key option, then prefer that list to matching
Lines 362-370 user_key_allowed2(struct passwd *pw, Key Link Here
362	found_key = 1;	362	found_key = 1;
363	debug("matching key found: file %s, line %lu",	363	debug("matching key found: file %s, line %lu",
364	file, linenum);	364	file, linenum);
365	fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);	365	fp = key_selected_fingerprint(found, SSH_FP_HEX);
366	verbose("Found matching %s key: %s",	366	verbose("Found matching %s key: %s%s",
367	key_type(found), fp);	367	key_type(found), key_fingerprint_prefix(), fp);
368	xfree(fp);	368	xfree(fp);
369	break;	369	break;
370	}	370	}
Lines 388-400 user_cert_trusted_ca(struct passwd *pw, Link Here
388	if (!key_is_cert(key) \|\| options.trusted_user_ca_keys == NULL)	388	if (!key_is_cert(key) \|\| options.trusted_user_ca_keys == NULL)
389	return 0;	389	return 0;
390		390
391	ca_fp = key_fingerprint(key->cert->signature_key,	391	ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
392	SSH_FP_MD5, SSH_FP_HEX);
393		392
394	if (key_in_file(key->cert->signature_key,	393	if (key_in_file(key->cert->signature_key,
395	options.trusted_user_ca_keys, 1) != 1) {	394	options.trusted_user_ca_keys, 1) != 1) {
396	debug2("%s: CA %s %s is not listed in %s", __func__,	395	debug2("%s: CA %s%s %s is not listed in %s", __func__,
397	key_type(key->cert->signature_key), ca_fp,	396	key_type(key->cert->signature_key),
		397	key_fingerprint_prefix(), ca_fp,
398	options.trusted_user_ca_keys);	398	options.trusted_user_ca_keys);
399	goto out;	399	goto out;
400	}	400	}