Attachment #2429 for bug #1872

Lines 168-174 static int Link Here

(-)a/auth-rsa.c (-4 / +6 lines)
168	rsa_key_allowed_in_file(struct passwd pw, char file,	168	rsa_key_allowed_in_file(struct passwd pw, char file,
169	const BIGNUM client_n, Key *rkey)	169	const BIGNUM client_n, Key *rkey)
170	{	170	{
171	char *fp, line[SSH_MAX_PUBKEY_BYTES];	171	char fp, fpt, line[SSH_MAX_PUBKEY_BYTES];
172	int allowed = 0, bits;	172	int allowed = 0, bits;
173	FILE *f;	173	FILE *f;
174	u_long linenum = 0;	174	u_long linenum = 0;
Lines 235-243 rsa_key_allowed_in_file(struct passwd pw, char file, Link Here
235	"actual %d vs. announced %d.",	235	"actual %d vs. announced %d.",
236	file, linenum, BN_num_bits(key->rsa->n), bits);	236	file, linenum, BN_num_bits(key->rsa->n), bits);
237		237
238	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);	238	fp = key_fingerprint(key, options.fpt, SSH_FP_HEX);
239	debug("matching key found: file %s, line %lu %s %s",	239	fpt = fpt_name(options.fpt);
240	file, linenum, key_type(key), fp);	240	debug("matching key found: file %s, line %lu %s [%s]%s",
		241	file, linenum, key_type(key), fpt, fp);
		242	free(fpt);
241	free(fp);	243	free(fp);
242		244
243	/* Never accept a revoked key */	245	/* Never accept a revoked key */




int
auth_key_is_revoked(Key *key)
{
	char *key_fp, *key_fpt;

	if (options.revoked_keys_file == NULL)
		return 0;

	case 1:
 revoked:
		/* Key revoked */
		key_fp = key_fingerprint(key, options.fpt, SSH_FP_HEX);
		key_fpt = fpt_name(options.fpt);
		error("WARNING: authentication attempt with a revoked "
		    "%s key [%s]%s ", key_type(key), key_fpt, key_fp);
		free(key_fpt);
		free(key_fp);
		return 1;
	}




	const char *resolvedname, *ipaddr, *lookup, *reason;
	HostStatus host_status;
	int len;
	char *fp, *fpt;

	if (auth_key_is_revoked(key))
		return 0;

	if (host_status == HOST_OK) {
		if (key_is_cert(key)) {
			fp = key_fingerprint(key->cert->signature_key,
			    options.fpt, SSH_FP_HEX);
			fpt = fpt_name(options.fpt);
			verbose("Accepted certificate ID \"%s\" signed by "
			    "%s CA [%s]%s from %s@%s", key->cert->key_id,
			    key_type(key->cert->signature_key), fpt, fp,
			    cuser, lookup);
		} else {
			fp = key_fingerprint(key, options.fpt, SSH_FP_HEX);
			fpt = fpt_name(options.fpt);
			verbose("Accepted %s public key [%s]%s from %s@%s",
			    key_type(key), fpt, fp, cuser, lookup);
		}
		free(fpt);
		free(fp);
	}





void
pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
{
	char *fp, *fpt, *extra;
	va_list ap;
	int i;



	if (key_is_cert(key)) {
		fp = key_fingerprint(key->cert->signature_key,
		    options.fpt, SSH_FP_HEX);
		fpt = fpt_name(options.fpt);
		auth_info(authctxt, "%s ID %s (serial %llu) CA %s [%s]%s%s%s",
		    key_type(key), key->cert->key_id,
		    (unsigned long long)key->cert->serial,
		    key_type(key->cert->signature_key), fpt, fp,
		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
		free(fpt);
		free(fp);
	} else {
		fp = key_fingerprint(key, options.fpt, SSH_FP_HEX);
		fpt = fpt_name(options.fpt);
		auth_info(authctxt, "%s [%s]%s%s%s", key_type(key), fpt, fp,
		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
		free(fpt);
		free(fp);
	}
	free(extra);

	int found_key = 0;
	u_long linenum = 0;
	Key *found;
	char *fp, *fpt;

	found_key = 0;


				continue;
			if (!key_is_cert_authority)
				continue;
			fp = key_fingerprint(found, options.fpt,
			    SSH_FP_HEX);
			fpt = fpt_name(options.fpt);
			debug("matching CA found: file %s, line %lu, %s [%s]%s",
			    file, linenum, key_type(found), fpt, fp);
			/*
			 * If the user has specified a list of principals as
			 * a key option, then prefer that list to matching

				reason = "Certificate does not contain an "
				    "authorized principal";
 fail_reason:
				free(fpt);
				free(fp);
				error("%s", reason);
				auth_debug_add("%s", reason);

			    &reason) != 0)
				goto fail_reason;
			if (auth_cert_options(key, pw) != 0) {
				free(fpt);
				free(fp);
				continue;
			}
			verbose("Accepted certificate ID \"%s\" "
			    "signed by %s CA [%s]%s via %s", key->cert->key_id,
			    key_type(found), fpt, fp, file);
			free(fpt);
			free(fp);
			found_key = 1;
			break;

			if (key_is_cert_authority)
				continue;
			found_key = 1;
			fp = key_fingerprint(found, options.fpt, SSH_FP_HEX);
			fpt = fpt_name(options.fpt);
			debug("matching key found: file %s, line %lu %s [%s]%s",
			    file, linenum, key_type(found), fpt, fp);
			free(fpt);
			free(fp);
			break;
		}

static int
user_cert_trusted_ca(struct passwd *pw, Key *key)
{
	char *ca_fp, *ca_fpt, *principals_file = NULL;
	const char *reason;
	int ret = 0;


		return 0;

	ca_fp = key_fingerprint(key->cert->signature_key,
	    options.fpt, SSH_FP_HEX);
	ca_fpt = fpt_name(options.fpt);

	if (key_in_file(key->cert->signature_key,
	    options.trusted_user_ca_keys, 1) != 1) {
		debug2("%s: CA %s [%s]%s is not listed in %s", __func__,
		    key_type(key->cert->signature_key), ca_fpt, ca_fp,
		    options.trusted_user_ca_keys);
		goto out;
	}

	if (auth_cert_options(key, pw) != 0)
		goto out;

	verbose("Accepted certificate ID \"%s\" signed by %s CA [%s]%s via %s",
	    key->cert->key_id, key_type(key->cert->signature_key), ca_fpt, ca_fp,
	    options.trusted_user_ca_keys);
	ret = 1;

 out:
	free(principals_file);
	free(ca_fpt);
	free(ca_fp);
	return ret;
}

Lines 61-66 Link Here

(-)a/key.c (+30 lines)
61	static int to_blob(const Key , u_char , u_int , int);	61	static int to_blob(const Key , u_char , u_int , int);
62	static Key key_from_blob2(const u_char , u_int, int);	62	static Key key_from_blob2(const u_char , u_int, int);
63		63
		64	struct FPT {
		65	char *name;
		66	int type;
		67	};
		68
		69	static const struct FPT fpts[] = {
		70	{ "md5", SSH_FP_MD5},
		71	{ "sha1", SSH_FP_SHA1},
		72	{ "sha256", SSH_FP_SHA256},
		73	{ NULL, SSH_FP_INVALID},
		74	};
		75
64	static struct KeyCert *	76	static struct KeyCert *
65	cert_new(void)	77	cert_new(void)
66	{	78	{
Lines 76-81 cert_new(void) Link Here
76	return cert;	88	return cert;
77	}	89	}
78		90
		91	int
		92	fpt_type(const char *name) {
		93	const FPT *fpt;
		94	for (fpt = fpts; fpt->name != NULL; fpt++)
		95	if (strcmp(fpt->name, name) == 0)
		96	return fpt->type;
		97	return SSH_FP_INVALID;
		98	}
		99
		100	char *
		101	fpt_name(const int type) {
		102	const FPT *fpt;
		103	for (fpt = fpts; fpt->name != NULL; fpt++)
		104	if (fpt->type == type)
		105	return xstrdup(fpt->name);
		106	return NULL;
		107	}
		108
79	Key *	109	Key *
80	key_new(int type)	110	key_new(int type)
81	{	111	{

Lines 51-57 enum types { Link Here

(-)a/key.h (-1 / +8 lines)
51	enum fp_type {	51	enum fp_type {
52	SSH_FP_SHA1,	52	SSH_FP_SHA1,
53	SSH_FP_MD5,	53	SSH_FP_MD5,
54	SSH_FP_SHA256	54	SSH_FP_SHA256,
		55	SSH_FP_INVALID = -1
55	};	56	};
56	enum fp_rep {	57	enum fp_rep {
57	SSH_FP_HEX,	58	SSH_FP_HEX,
Lines 59-64 enum fp_rep { Link Here
59	SSH_FP_RANDOMART	60	SSH_FP_RANDOMART
60	};	61	};
61		62
		63	typedef struct FPT FPT;
		64
		65	struct FPT;
		66
62	/* key is stored in external hardware */	67	/* key is stored in external hardware */
63	#define KEY_FLAG_EXT 0x0001	68	#define KEY_FLAG_EXT 0x0001
64		69
Lines 95-100 struct Key { Link Here
95	#define ED25519_SK_SZ crypto_sign_ed25519_SECRETKEYBYTES	100	#define ED25519_SK_SZ crypto_sign_ed25519_SECRETKEYBYTES
96	#define ED25519_PK_SZ crypto_sign_ed25519_PUBLICKEYBYTES	101	#define ED25519_PK_SZ crypto_sign_ed25519_PUBLICKEYBYTES
97		102
		103	int fpt_type(const char *);
		104	char *fpt_name(int);
98	Key *key_new(int);	105	Key *key_new(int);
99	void key_add_private(Key *);	106	void key_add_private(Key *);
100	Key *key_new_private(int);	107	Key *key_new_private(int);




	oVisualHostKey, oUseRoaming,
	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oFingerprintType,
	oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;


	{ "canonicalizehostname", oCanonicalizeHostname },
	{ "canonicalizemaxdots", oCanonicalizeMaxDots },
	{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
	{ "fingerprinttype", oFingerprintType },
	{ "ignoreunknown", oIgnoreUnknown },

	{ NULL, oBadOption }

		intptr = &options->canonicalize_fallback_local;
		goto parse_flag;

	case oFingerprintType:
		arg = strdelim(&s);
		value = fpt_type(arg);
		if (value == SSH_FP_INVALID)
			fatal("%.200s line %d: unsupported fingerprint type '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && options->fpt == SSH_FP_INVALID)
			options->fpt = value;
		break;

	case oDeprecated:
		debug("%s line %d: Deprecated option \"%s\"",
		    filename, linenum, keyword);

	options->canonicalize_max_dots = -1;
	options->canonicalize_fallback_local = -1;
	options->canonicalize_hostname = -1;
	options->fpt = SSH_FP_INVALID;
}

/*

		options->canonicalize_fallback_local = 1;
	if (options->canonicalize_hostname == -1)
		options->canonicalize_hostname = SSH_CANONICALISE_NO;
	if (options->fpt == SSH_FP_INVALID)
		options->fpt = SSH_FP_MD5;
#define CLEAR_ON_NONE(v) \
	do { \
		if (option_clear_or_none(v)) { \

Lines 104-109 typedef struct { Link Here

(-)a/readconf.h (+2 lines)
104	int identity_file_userprovided[SSH_MAX_IDENTITY_FILES];	104	int identity_file_userprovided[SSH_MAX_IDENTITY_FILES];
105	Key *identity_keys[SSH_MAX_IDENTITY_FILES];	105	Key *identity_keys[SSH_MAX_IDENTITY_FILES];
106		106
		107	int fpt; /* FingerprintType */
		108
107	/* Local TCP/IP forward requests. */	109	/* Local TCP/IP forward requests. */
108	int num_local_forwards;	110	int num_local_forwards;
109	Forward *local_forwards;	111	Forward *local_forwards;

Lines 153-158 initialize_server_options(ServerOptions *options) Link Here

(-)a/servconf.c (-1 / +15 lines)
153	options->ip_qos_interactive = -1;	153	options->ip_qos_interactive = -1;
154	options->ip_qos_bulk = -1;	154	options->ip_qos_bulk = -1;
155	options->version_addendum = NULL;	155	options->version_addendum = NULL;
		156	options->fpt = SSH_FP_INVALID;
156	}	157	}
157		158
158	void	159	void
Lines 312-317 fill_default_server_options(ServerOptions *options) Link Here
312	options->compression = 0;	313	options->compression = 0;
313	}	314	}
314	#endif	315	#endif
		316	if (options->fpt == SSH_FP_INVALID)
		317	options->fpt = SSH_FP_MD5;
315		318
316	}	319	}
317		320
Lines 347-353 typedef enum { Link Here
347	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,	350	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
348	sKexAlgorithms, sIPQoS, sVersionAddendum,	351	sKexAlgorithms, sIPQoS, sVersionAddendum,
349	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,	352	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
350	sAuthenticationMethods, sHostKeyAgent,	353	sAuthenticationMethods, sHostKeyAgent, sFingerprintType,
351	sDeprecated, sUnsupported	354	sDeprecated, sUnsupported
352	} ServerOpCodes;	355	} ServerOpCodes;
353		356
Lines 474-479 static struct { Link Here
474	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },	477	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
475	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },	478	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
476	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },	479	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
		480	{ "fingerprinttype", sFingerprintType },
477	{ NULL, sBadOption, 0 }	481	{ NULL, sBadOption, 0 }
478	};	482	};
479		483
Lines 1620-1625 process_server_config_line(ServerOptions options, char line, Link Here
1620	}	1624	}
1621	return 0;	1625	return 0;
1622		1626
		1627	case sFingerprintType:
		1628	arg = strdelim(&cp);
		1629	value = fpt_type(arg);
		1630	if (value == SSH_FP_INVALID)
		1631	fatal("%.200s line %d: unsupported fingerprint type '%s'",
		1632	filename, linenum, arg ? arg : "<NONE>");
		1633	if (*activep && options->fpt == SSH_FP_INVALID)
		1634	options->fpt = value;
		1635	break;
		1636
1623	case sDeprecated:	1637	case sDeprecated:
1624	logit("%s line %d: Deprecated option %s",	1638	logit("%s line %d: Deprecated option %s",
1625	filename, linenum, arg);	1639	filename, linenum, arg);

Lines 183-188 typedef struct { Link Here

(-)a/servconf.h (+3 lines)
183		183
184	u_int num_auth_methods;	184	u_int num_auth_methods;
185	char *auth_methods[MAX_AUTH_METHODS];	185	char *auth_methods[MAX_AUTH_METHODS];
		186
		187	int fpt; /* FingerprintType */
		188
186	} ServerOptions;	189	} ServerOptions;
187		190
188	/* Information about the incoming connection as used by Match */	191	/* Information about the incoming connection as used by Match */

Lines 31-36 Link Here

(-)a/ssh_config (+1 lines)
31	# AddressFamily any	31	# AddressFamily any
32	# ConnectTimeout 0	32	# ConnectTimeout 0
33	# StrictHostKeyChecking ask	33	# StrictHostKeyChecking ask
		34	# FingerprintType sha256
34	# IdentityFile ~/.ssh/identity	35	# IdentityFile ~/.ssh/identity
35	# IdentityFile ~/.ssh/id_rsa	36	# IdentityFile ~/.ssh/id_rsa
36	# IdentityFile ~/.ssh/id_dsa	37	# IdentityFile ~/.ssh/id_dsa




.Dq no .
The default is
.Dq no .
.It Cm FingerprintType
Specifies the cryptographic hash function to use for keys fingeprints.
The supported hashes are:
.Dq md5 ,
.Dq sha1
and
.Dq sha256 .
.Pp
The default is
.Dq md5
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.




	HostStatus ip_status;
	Key *raw_key = NULL;
	char *ip = NULL, *host = NULL;
	char hostline[1000], *hostp, *fp, *fpt, *ra;
	char msg[1024];
	const char *type;
	const struct hostkey_entry *host_found, *ip_found;

				    "key for IP address '%.128s' to the list "
				    "of known hosts.", type, ip);
		} else if (options.visual_host_key) {
			fp = key_fingerprint(host_key, options.fpt, SSH_FP_HEX);
			fpt = fpt_name(options.fpt);
			ra = key_fingerprint(host_key, options.fpt,
			    SSH_FP_RANDOMART);
			logit("Host key fingerprint is [%s]%s\n%s\n", fpt, fp, ra);
			free(ra);
			free(fpt);
			free(fp);
		}
		break;

			else
				snprintf(msg1, sizeof(msg1), ".");
			/* The default */
			fp = key_fingerprint(host_key, options.fpt, SSH_FP_HEX);
			fpt = fpt_name(options.fpt);
			ra = key_fingerprint(host_key, options.fpt,
			    SSH_FP_RANDOMART);
			msg2[0] = '\0';
			if (options.verify_host_key_dns) {

			snprintf(msg, sizeof(msg),
			    "The authenticity of host '%.200s (%s)' can't be "
			    "established%s\n"
			    "%s key fingerprint is [%s]%s.%s%s\n%s"
			    "Are you sure you want to continue connecting "
			    "(yes/no)? ",
			    host, ip, msg1, type, fpt, fp,
			    options.visual_host_key ? "\n" : "",
			    options.visual_host_key ? ra : "",
			    msg2);
			free(ra);
			free(fpt);
			free(fp);
			if (!confirm(msg))
				goto fail;

	int flags = 0;
	char *fp;

	fp = key_fingerprint(host_key, options.fpt, SSH_FP_HEX);
	debug("Server host key: %s %s", key_type(host_key), fp);
	free(fp);


		-1
	};
	int i, ret = 0;
	char *fp, *fpt, *ra;
	const struct hostkey_entry *found;

	for (i = 0; type[i] != -1; i++) {

			continue;
		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
			continue;
		fp = key_fingerprint(found->key, options.fpt, SSH_FP_HEX);
		fpt = fpt_name(options.fpt);
		ra = key_fingerprint(found->key, options.fpt, SSH_FP_RANDOMART);
		logit("WARNING: %s key found for host %s\n"
		    "in %s:%lu\n"
		    "%s key fingerprint [%s]%s.",
		    key_type(found->key),
		    found->host, found->file, found->line,
		    key_type(found->key), fpt, fp);
		if (options.visual_host_key)
			logit("%s", ra);
		free(ra);
		free(fpt);
		free(fp);
		ret = 1;
	}

{
	char *fp;

	fp = key_fingerprint(host_key, options.fpt, SSH_FP_HEX);

	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");

Lines 542-548 input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) Link Here

(-)a/sshconnect2.c (-6 / +10 lines)
542	Buffer b;	542	Buffer b;
543	int pktype, sent = 0;	543	int pktype, sent = 0;
544	u_int alen, blen;	544	u_int alen, blen;
545	char pkalg, fp;	545	char pkalg, fp, *fpt;
546	u_char *pkblob;	546	u_char *pkblob;
547		547
548	if (authctxt == NULL)	548	if (authctxt == NULL)
Lines 577-584 input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) Link Here
577	key->type, pktype);	577	key->type, pktype);
578	goto done;	578	goto done;
579	}	579	}
580	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);	580	fp = key_fingerprint(key, options.fpt, SSH_FP_HEX);
581	debug2("input_userauth_pk_ok: fp %s", fp);	581	fpt = fpt_name(options.fpt);
		582	debug2("input_userauth_pk_ok: fp [%s]%s", fpt, fp);
		583	free(fpt);
582	free(fp);	584	free(fp);
583		585
584	/*	586	/*
Lines 984-993 sign_and_send_pubkey(Authctxt authctxt, Identity id) Link Here
984	u_int skip = 0;	986	u_int skip = 0;
985	int ret = -1;	987	int ret = -1;
986	int have_sig = 1;	988	int have_sig = 1;
987	char *fp;	989	char fp, fpt;
988		990
989	fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);	991	fp = key_fingerprint(id->key, options.fpt, SSH_FP_HEX);
990	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);	992	fpt = fpt_name(options.fpt);
		993	debug3("sign_and_send_pubkey: %s [%s]%s", key_type(id->key), fpt, fp);
		994	free(fpt);
991	free(fp);	995	free(fp);
992		996
993	if (key_to_blob(id->key, &blob, &bloblen) == 0) {	997	if (key_to_blob(id->key, &blob, &bloblen) == 0) {

Lines 58-63 AuthorizedKeysFile .ssh/authorized_keys Link Here

(-)a/sshd_config (+2 lines)
58	#AuthorizedKeysCommand none	58	#AuthorizedKeysCommand none
59	#AuthorizedKeysCommandUser nobody	59	#AuthorizedKeysCommandUser nobody
60		60
		61	#FingerprintType sha256
		62
61	# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts	63	# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
62	#RhostsRSAAuthentication no	64	#RhostsRSAAuthentication no
63	# similar for protocol version 2	65	# similar for protocol version 2




See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm FingerprintType
Specifies the cryptographic hash function to use for keys fingeprints.
The supported hashes are:
.Dq md5 ,
.Dq sha1
and
.Dq sha256 .
.Pp
The default is
.Dq md5
.It Cm ForceCommand
Forces the execution of the command specified by
.Cm ForceCommand ,
- 

Return to bug 1872

Lines 659-665 getpwnamallow(const char *user) Link Here

(-)a/auth.c (-3 / +5 lines)
659	int	659	int
660	auth_key_is_revoked(Key *key)	660	auth_key_is_revoked(Key *key)
661	{	661	{
662	char *key_fp;	662	char key_fp, key_fpt;
663		663
664	if (options.revoked_keys_file == NULL)	664	if (options.revoked_keys_file == NULL)
665	return 0;	665	return 0;
Lines 685-693 auth_key_is_revoked(Key *key) Link Here
685	case 1:	685	case 1:
686	revoked:	686	revoked:
687	/* Key revoked */	687	/* Key revoked */
688	key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);	688	key_fp = key_fingerprint(key, options.fpt, SSH_FP_HEX);
		689	key_fpt = fpt_name(options.fpt);
689	error("WARNING: authentication attempt with a revoked "	690	error("WARNING: authentication attempt with a revoked "
690	"%s key %s ", key_type(key), key_fp);	691	"%s key [%s]%s ", key_type(key), key_fpt, key_fp);
		692	free(key_fpt);
691	free(key_fp);	693	free(key_fp);
692	return 1;	694	return 1;
693	}	695	}

Lines 198-204 done: Link Here

(-)a/auth2-pubkey.c (-21 / +33 lines)
198	void	198	void
199	pubkey_auth_info(Authctxt authctxt, const Key key, const char *fmt, ...)	199	pubkey_auth_info(Authctxt authctxt, const Key key, const char *fmt, ...)
200	{	200	{
201	char fp, extra;	201	char fp, fpt, *extra;
202	va_list ap;	202	va_list ap;
203	int i;	203	int i;
204		204
Lines 213-229 pubkey_auth_info(Authctxt authctxt, const Key key, const char *fmt, ...) Link Here
213		213
214	if (key_is_cert(key)) {	214	if (key_is_cert(key)) {
215	fp = key_fingerprint(key->cert->signature_key,	215	fp = key_fingerprint(key->cert->signature_key,
216	SSH_FP_MD5, SSH_FP_HEX);	216	options.fpt, SSH_FP_HEX);
217	auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",	217	fpt = fpt_name(options.fpt);
		218	auth_info(authctxt, "%s ID %s (serial %llu) CA %s [%s]%s%s%s",
218	key_type(key), key->cert->key_id,	219	key_type(key), key->cert->key_id,
219	(unsigned long long)key->cert->serial,	220	(unsigned long long)key->cert->serial,
220	key_type(key->cert->signature_key), fp,	221	key_type(key->cert->signature_key), fpt, fp,
221	extra == NULL ? "" : ", ", extra == NULL ? "" : extra);	222	extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
		223	free(fpt);
222	free(fp);	224	free(fp);
223	} else {	225	} else {
224	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);	226	fp = key_fingerprint(key, options.fpt, SSH_FP_HEX);
225	auth_info(authctxt, "%s %s%s%s", key_type(key), fp,	227	fpt = fpt_name(options.fpt);
		228	auth_info(authctxt, "%s [%s]%s%s%s", key_type(key), fpt, fp,
226	extra == NULL ? "" : ", ", extra == NULL ? "" : extra);	229	extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
		230	free(fpt);
227	free(fp);	231	free(fp);
228	}	232	}
229	free(extra);	233	free(extra);
Lines 319-325 check_authkeys_file(FILE f, char file, Key* key, struct passwd *pw) Link Here
319	int found_key = 0;	323	int found_key = 0;
320	u_long linenum = 0;	324	u_long linenum = 0;
321	Key *found;	325	Key *found;
322	char *fp;	326	char fp, fpt;
323		327
324	found_key = 0;	328	found_key = 0;
325		329
Lines 365-374 check_authkeys_file(FILE f, char file, Key* key, struct passwd *pw) Link Here
365	continue;	369	continue;
366	if (!key_is_cert_authority)	370	if (!key_is_cert_authority)
367	continue;	371	continue;
368	fp = key_fingerprint(found, SSH_FP_MD5,	372	fp = key_fingerprint(found, options.fpt,
369	SSH_FP_HEX);	373	SSH_FP_HEX);
370	debug("matching CA found: file %s, line %lu, %s %s",	374	fpt = fpt_name(options.fpt);
371	file, linenum, key_type(found), fp);	375	debug("matching CA found: file %s, line %lu, %s [%s]%s",
		376	file, linenum, key_type(found), fpt, fp);
372	/*	377	/*
373	* If the user has specified a list of principals as	378	* If the user has specified a list of principals as
374	* a key option, then prefer that list to matching	379	* a key option, then prefer that list to matching
Lines 380-385 check_authkeys_file(FILE f, char file, Key* key, struct passwd *pw) Link Here
380	reason = "Certificate does not contain an "	385	reason = "Certificate does not contain an "
381	"authorized principal";	386	"authorized principal";
382	fail_reason:	387	fail_reason:
		388	free(fpt);
383	free(fp);	389	free(fp);
384	error("%s", reason);	390	error("%s", reason);
385	auth_debug_add("%s", reason);	391	auth_debug_add("%s", reason);
Lines 390-401 check_authkeys_file(FILE f, char file, Key* key, struct passwd *pw) Link Here
390	&reason) != 0)	396	&reason) != 0)
391	goto fail_reason;	397	goto fail_reason;
392	if (auth_cert_options(key, pw) != 0) {	398	if (auth_cert_options(key, pw) != 0) {
		399	free(fpt);
393	free(fp);	400	free(fp);
394	continue;	401	continue;
395	}	402	}
396	verbose("Accepted certificate ID \"%s\" "	403	verbose("Accepted certificate ID \"%s\" "
397	"signed by %s CA %s via %s", key->cert->key_id,	404	"signed by %s CA [%s]%s via %s", key->cert->key_id,
398	key_type(found), fp, file);	405	key_type(found), fpt, fp, file);
		406	free(fpt);
399	free(fp);	407	free(fp);
400	found_key = 1;	408	found_key = 1;
401	break;	409	break;
Lines 406-414 check_authkeys_file(FILE f, char file, Key* key, struct passwd *pw) Link Here
406	if (key_is_cert_authority)	414	if (key_is_cert_authority)
407	continue;	415	continue;
408	found_key = 1;	416	found_key = 1;
409	fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);	417	fp = key_fingerprint(found, options.fpt, SSH_FP_HEX);
410	debug("matching key found: file %s, line %lu %s %s",	418	fpt = fpt_name(options.fpt);
411	file, linenum, key_type(found), fp);	419	debug("matching key found: file %s, line %lu %s [%s]%s",
		420	file, linenum, key_type(found), fpt, fp);
		421	free(fpt);
412	free(fp);	422	free(fp);
413	break;	423	break;
414	}	424	}
Lines 424-430 check_authkeys_file(FILE f, char file, Key* key, struct passwd *pw) Link Here
424	static int	434	static int
425	user_cert_trusted_ca(struct passwd pw, Key key)	435	user_cert_trusted_ca(struct passwd pw, Key key)
426	{	436	{
427	char ca_fp, principals_file = NULL;	437	char ca_fp, ca_fpt, *principals_file = NULL;
428	const char *reason;	438	const char *reason;
429	int ret = 0;	439	int ret = 0;
430		440
Lines 432-443 user_cert_trusted_ca(struct passwd pw, Key key) Link Here
432	return 0;	442	return 0;
433		443
434	ca_fp = key_fingerprint(key->cert->signature_key,	444	ca_fp = key_fingerprint(key->cert->signature_key,
435	SSH_FP_MD5, SSH_FP_HEX);	445	options.fpt, SSH_FP_HEX);
		446	ca_fpt = fpt_name(options.fpt);
436		447
437	if (key_in_file(key->cert->signature_key,	448	if (key_in_file(key->cert->signature_key,
438	options.trusted_user_ca_keys, 1) != 1) {	449	options.trusted_user_ca_keys, 1) != 1) {
439	debug2("%s: CA %s %s is not listed in %s", __func__,	450	debug2("%s: CA %s [%s]%s is not listed in %s", __func__,
440	key_type(key->cert->signature_key), ca_fp,	451	key_type(key->cert->signature_key), ca_fpt, ca_fp,
441	options.trusted_user_ca_keys);	452	options.trusted_user_ca_keys);
442	goto out;	453	goto out;
443	}	454	}
Lines 462-474 user_cert_trusted_ca(struct passwd pw, Key key) Link Here
462	if (auth_cert_options(key, pw) != 0)	473	if (auth_cert_options(key, pw) != 0)
463	goto out;	474	goto out;
464		475
465	verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",	476	verbose("Accepted certificate ID \"%s\" signed by %s CA [%s]%s via %s",
466	key->cert->key_id, key_type(key->cert->signature_key), ca_fp,	477	key->cert->key_id, key_type(key->cert->signature_key), ca_fpt, ca_fp,
467	options.trusted_user_ca_keys);	478	options.trusted_user_ca_keys);
468	ret = 1;	479	ret = 1;
469		480
470	out:	481	out:
471	free(principals_file);	482	free(principals_file);
		483	free(ca_fpt);
472	free(ca_fp);	484	free(ca_fp);
473	return ret;	485	return ret;
474	}	486	}

Lines 148-154 typedef enum { Link Here

(-)a/readconf.c (-1 / +15 lines)
148	oVisualHostKey, oUseRoaming,	148	oVisualHostKey, oUseRoaming,
149	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,	149	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
150	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,	150	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
151	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,	151	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oFingerprintType,
152	oIgnoredUnknownOption, oDeprecated, oUnsupported	152	oIgnoredUnknownOption, oDeprecated, oUnsupported
153	} OpCodes;	153	} OpCodes;
154		154
Lines 261-266 static struct { Link Here
261	{ "canonicalizehostname", oCanonicalizeHostname },	261	{ "canonicalizehostname", oCanonicalizeHostname },
262	{ "canonicalizemaxdots", oCanonicalizeMaxDots },	262	{ "canonicalizemaxdots", oCanonicalizeMaxDots },
263	{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },	263	{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
		264	{ "fingerprinttype", oFingerprintType },
264	{ "ignoreunknown", oIgnoreUnknown },	265	{ "ignoreunknown", oIgnoreUnknown },
265		266
266	{ NULL, oBadOption }	267	{ NULL, oBadOption }
Lines 1394-1399 parse_int: Link Here
1394	intptr = &options->canonicalize_fallback_local;	1395	intptr = &options->canonicalize_fallback_local;
1395	goto parse_flag;	1396	goto parse_flag;
1396		1397
		1398	case oFingerprintType:
		1399	arg = strdelim(&s);
		1400	value = fpt_type(arg);
		1401	if (value == SSH_FP_INVALID)
		1402	fatal("%.200s line %d: unsupported fingerprint type '%s'",
		1403	filename, linenum, arg ? arg : "<NONE>");
		1404	if (*activep && options->fpt == SSH_FP_INVALID)
		1405	options->fpt = value;
		1406	break;
		1407
1397	case oDeprecated:	1408	case oDeprecated:
1398	debug("%s line %d: Deprecated option \"%s\"",	1409	debug("%s line %d: Deprecated option \"%s\"",
1399	filename, linenum, keyword);	1410	filename, linenum, keyword);
Lines 1568-1573 initialize_options(Options * options) Link Here
1568	options->canonicalize_max_dots = -1;	1579	options->canonicalize_max_dots = -1;
1569	options->canonicalize_fallback_local = -1;	1580	options->canonicalize_fallback_local = -1;
1570	options->canonicalize_hostname = -1;	1581	options->canonicalize_hostname = -1;
		1582	options->fpt = SSH_FP_INVALID;
1571	}	1583	}
1572		1584
1573	/*	1585	/*
Lines 1741-1746 fill_default_options(Options * options) Link Here
1741	options->canonicalize_fallback_local = 1;	1753	options->canonicalize_fallback_local = 1;
1742	if (options->canonicalize_hostname == -1)	1754	if (options->canonicalize_hostname == -1)
1743	options->canonicalize_hostname = SSH_CANONICALISE_NO;	1755	options->canonicalize_hostname = SSH_CANONICALISE_NO;
		1756	if (options->fpt == SSH_FP_INVALID)
		1757	options->fpt = SSH_FP_MD5;
1744	#define CLEAR_ON_NONE(v) \	1758	#define CLEAR_ON_NONE(v) \
1745	do { \	1759	do { \
1746	if (option_clear_or_none(v)) { \	1760	if (option_clear_or_none(v)) { \

Lines 587-592 or Link Here

(-)a/ssh_config.5 (+10 lines)
587	.Dq no .	587	.Dq no .
588	The default is	588	The default is
589	.Dq no .	589	.Dq no .
		590	.It Cm FingerprintType
		591	Specifies the cryptographic hash function to use for keys fingeprints.
		592	The supported hashes are:
		593	.Dq md5 ,
		594	.Dq sha1
		595	and
		596	.Dq sha256 .
		597	.Pp
		598	The default is
		599	.Dq md5
590	.It Cm ForwardAgent	600	.It Cm ForwardAgent
591	Specifies whether the connection to the authentication agent (if any)	601	Specifies whether the connection to the authentication agent (if any)
592	will be forwarded to the remote machine.	602	will be forwarded to the remote machine.

Lines 807-813 check_host_key(char hostname, struct sockaddr hostaddr, u_short port, Link Here

(-)a/sshconnect.c (-15 / +21 lines)
807	HostStatus ip_status;	807	HostStatus ip_status;
808	Key *raw_key = NULL;	808	Key *raw_key = NULL;
809	char ip = NULL, host = NULL;	809	char ip = NULL, host = NULL;
810	char hostline[1000], hostp, fp, *ra;	810	char hostline[1000], hostp, fp, fpt, ra;
811	char msg[1024];	811	char msg[1024];
812	const char *type;	812	const char *type;
813	const struct hostkey_entry host_found, ip_found;	813	const struct hostkey_entry host_found, ip_found;
Lines 914-924 check_host_key(char hostname, struct sockaddr hostaddr, u_short port, Link Here
914	"key for IP address '%.128s' to the list "	914	"key for IP address '%.128s' to the list "
915	"of known hosts.", type, ip);	915	"of known hosts.", type, ip);
916	} else if (options.visual_host_key) {	916	} else if (options.visual_host_key) {
917	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);	917	fp = key_fingerprint(host_key, options.fpt, SSH_FP_HEX);
918	ra = key_fingerprint(host_key, SSH_FP_MD5,	918	fpt = fpt_name(options.fpt);
		919	ra = key_fingerprint(host_key, options.fpt,
919	SSH_FP_RANDOMART);	920	SSH_FP_RANDOMART);
920	logit("Host key fingerprint is %s\n%s\n", fp, ra);	921	logit("Host key fingerprint is [%s]%s\n%s\n", fpt, fp, ra);
921	free(ra);	922	free(ra);
		923	free(fpt);
922	free(fp);	924	free(fp);
923	}	925	}
924	break;	926	break;
Lines 955-962 check_host_key(char hostname, struct sockaddr hostaddr, u_short port, Link Here
955	else	957	else
956	snprintf(msg1, sizeof(msg1), ".");	958	snprintf(msg1, sizeof(msg1), ".");
957	/* The default */	959	/* The default */
958	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);	960	fp = key_fingerprint(host_key, options.fpt, SSH_FP_HEX);
959	ra = key_fingerprint(host_key, SSH_FP_MD5,	961	fpt = fpt_name(options.fpt);
		962	ra = key_fingerprint(host_key, options.fpt,
960	SSH_FP_RANDOMART);	963	SSH_FP_RANDOMART);
961	msg2[0] = '\0';	964	msg2[0] = '\0';
962	if (options.verify_host_key_dns) {	965	if (options.verify_host_key_dns) {
Lines 972-985 check_host_key(char hostname, struct sockaddr hostaddr, u_short port, Link Here
972	snprintf(msg, sizeof(msg),	975	snprintf(msg, sizeof(msg),
973	"The authenticity of host '%.200s (%s)' can't be "	976	"The authenticity of host '%.200s (%s)' can't be "
974	"established%s\n"	977	"established%s\n"
975	"%s key fingerprint is %s.%s%s\n%s"	978	"%s key fingerprint is [%s]%s.%s%s\n%s"
976	"Are you sure you want to continue connecting "	979	"Are you sure you want to continue connecting "
977	"(yes/no)? ",	980	"(yes/no)? ",
978	host, ip, msg1, type, fp,	981	host, ip, msg1, type, fpt, fp,
979	options.visual_host_key ? "\n" : "",	982	options.visual_host_key ? "\n" : "",
980	options.visual_host_key ? ra : "",	983	options.visual_host_key ? ra : "",
981	msg2);	984	msg2);
982	free(ra);	985	free(ra);
		986	free(fpt);
983	free(fp);	987	free(fp);
984	if (!confirm(msg))	988	if (!confirm(msg))
985	goto fail;	989	goto fail;
Lines 1220-1226 verify_host_key(char host, struct sockaddr hostaddr, Key *host_key) Link Here
1220	int flags = 0;	1224	int flags = 0;
1221	char *fp;	1225	char *fp;
1222		1226
1223	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);	1227	fp = key_fingerprint(host_key, options.fpt, SSH_FP_HEX);
1224	debug("Server host key: %s %s", key_type(host_key), fp);	1228	debug("Server host key: %s %s", key_type(host_key), fp);
1225	free(fp);	1229	free(fp);
1226		1230
Lines 1319-1325 show_other_keys(struct hostkeys hostkeys, Key key) Link Here
1319	-1	1323	-1
1320	};	1324	};
1321	int i, ret = 0;	1325	int i, ret = 0;
1322	char fp, ra;	1326	char fp, fpt, *ra;
1323	const struct hostkey_entry *found;	1327	const struct hostkey_entry *found;
1324		1328
1325	for (i = 0; type[i] != -1; i++) {	1329	for (i = 0; type[i] != -1; i++) {
Lines 1327-1343 show_other_keys(struct hostkeys hostkeys, Key key) Link Here
1327	continue;	1331	continue;
1328	if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))	1332	if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
1329	continue;	1333	continue;
1330	fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);	1334	fp = key_fingerprint(found->key, options.fpt, SSH_FP_HEX);
1331	ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);	1335	fpt = fpt_name(options.fpt);
		1336	ra = key_fingerprint(found->key, options.fpt, SSH_FP_RANDOMART);
1332	logit("WARNING: %s key found for host %s\n"	1337	logit("WARNING: %s key found for host %s\n"
1333	"in %s:%lu\n"	1338	"in %s:%lu\n"
1334	"%s key fingerprint %s.",	1339	"%s key fingerprint [%s]%s.",
1335	key_type(found->key),	1340	key_type(found->key),
1336	found->host, found->file, found->line,	1341	found->host, found->file, found->line,
1337	key_type(found->key), fp);	1342	key_type(found->key), fpt, fp);
1338	if (options.visual_host_key)	1343	if (options.visual_host_key)
1339	logit("%s", ra);	1344	logit("%s", ra);
1340	free(ra);	1345	free(ra);
		1346	free(fpt);
1341	free(fp);	1347	free(fp);
1342	ret = 1;	1348	ret = 1;
1343	}	1349	}
Lines 1349-1355 warn_changed_key(Key *host_key) Link Here
1349	{	1355	{
1350	char *fp;	1356	char *fp;
1351		1357
1352	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);	1358	fp = key_fingerprint(host_key, options.fpt, SSH_FP_HEX);
1353		1359
1354	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");	1360	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
1355	error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");	1361	error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");

Lines 154-160 hostbased_key_allowed(struct passwd pw, const char cuser, char *chost, Link Here

(-)a/auth2-hostbased.c (-7 / +10 lines)
154	const char resolvedname, ipaddr, lookup, reason;	154	const char resolvedname, ipaddr, lookup, reason;
155	HostStatus host_status;	155	HostStatus host_status;
156	int len;	156	int len;
157	char *fp;	157	char fp, fpt;
158		158
159	if (auth_key_is_revoked(key))	159	if (auth_key_is_revoked(key))
160	return 0;	160	return 0;
Lines 207-222 hostbased_key_allowed(struct passwd pw, const char cuser, char *chost, Link Here
207	if (host_status == HOST_OK) {	207	if (host_status == HOST_OK) {
208	if (key_is_cert(key)) {	208	if (key_is_cert(key)) {
209	fp = key_fingerprint(key->cert->signature_key,	209	fp = key_fingerprint(key->cert->signature_key,
210	SSH_FP_MD5, SSH_FP_HEX);	210	options.fpt, SSH_FP_HEX);
		211	fpt = fpt_name(options.fpt);
211	verbose("Accepted certificate ID \"%s\" signed by "	212	verbose("Accepted certificate ID \"%s\" signed by "
212	"%s CA %s from %s@%s", key->cert->key_id,	213	"%s CA [%s]%s from %s@%s", key->cert->key_id,
213	key_type(key->cert->signature_key), fp,	214	key_type(key->cert->signature_key), fpt, fp,
214	cuser, lookup);	215	cuser, lookup);
215	} else {	216	} else {
216	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);	217	fp = key_fingerprint(key, options.fpt, SSH_FP_HEX);
217	verbose("Accepted %s public key %s from %s@%s",	218	fpt = fpt_name(options.fpt);
218	key_type(key), fp, cuser, lookup);	219	verbose("Accepted %s public key [%s]%s from %s@%s",
		220	key_type(key), fpt, fp, cuser, lookup);
219	}	221	}
		222	free(fpt);
220	free(fp);	223	free(fp);
221	}	224	}
222		225

Lines 449-454 and finally Link Here

(-)a/sshd_config.5 (-1 / +10 lines)
449	See PATTERNS in	449	See PATTERNS in
450	.Xr ssh_config 5	450	.Xr ssh_config 5
451	for more information on patterns.	451	for more information on patterns.
		452	.It Cm FingerprintType
		453	Specifies the cryptographic hash function to use for keys fingeprints.
		454	The supported hashes are:
		455	.Dq md5 ,
		456	.Dq sha1
		457	and
		458	.Dq sha256 .
		459	.Pp
		460	The default is
		461	.Dq md5
452	.It Cm ForceCommand	462	.It Cm ForceCommand
453	Forces the execution of the command specified by	463	Forces the execution of the command specified by
454	.Cm ForceCommand ,	464	.Cm ForceCommand ,
455	-