Bugzilla – Attachment 2429 Details for
Bug 1872
Support better hash algorithms for key fingerprints (FIPS compat)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
add FingerprintType flag to ssh and sshd which is used to specify used fingerprint for keys
0001-add-FingerprintType-flag-to-ssh-and-sshd-which-is-us.patch (text/plain), 21.43 KB, created by
Petr Lautrbach
on 2014-04-18 21:35:45 AEST
(
hide
)
Description:
add FingerprintType flag to ssh and sshd which is used to specify used fingerprint for keys
Filename:
MIME Type:
Creator:
Petr Lautrbach
Created:
2014-04-18 21:35:45 AEST
Size:
21.43 KB
patch
obsolete
>From 964e650ca21a8d7184a13239919cfc3023b724ee Mon Sep 17 00:00:00 2001 >From: Petr Lautrbach <plautrba@redhat.com> >Date: Fri, 18 Apr 2014 13:29:25 +0200 >Subject: [PATCH 1/2] add FingerprintType flag to ssh and sshd which is used to > specify used fingerprint for keys > >--- > auth-rsa.c | 10 ++++++---- > auth.c | 8 +++++--- > auth2-hostbased.c | 17 ++++++++++------- > auth2-pubkey.c | 54 +++++++++++++++++++++++++++++++++--------------------- > key.c | 30 ++++++++++++++++++++++++++++++ > key.h | 9 ++++++++- > readconf.c | 16 +++++++++++++++- > readconf.h | 2 ++ > servconf.c | 16 +++++++++++++++- > servconf.h | 3 +++ > ssh_config | 1 + > ssh_config.5 | 10 ++++++++++ > sshconnect.c | 36 +++++++++++++++++++++--------------- > sshconnect2.c | 16 ++++++++++------ > sshd_config | 2 ++ > sshd_config.5 | 10 ++++++++++ > 16 files changed, 181 insertions(+), 59 deletions(-) > >diff --git a/auth-rsa.c b/auth-rsa.c >index 5dad6c3..1876cb6 100644 >--- a/auth-rsa.c >+++ b/auth-rsa.c >@@ -168,7 +168,7 @@ static int > rsa_key_allowed_in_file(struct passwd *pw, char *file, > const BIGNUM *client_n, Key **rkey) > { >- char *fp, line[SSH_MAX_PUBKEY_BYTES]; >+ char *fp, *fpt, line[SSH_MAX_PUBKEY_BYTES]; > int allowed = 0, bits; > FILE *f; > u_long linenum = 0; >@@ -235,9 +235,11 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, > "actual %d vs. announced %d.", > file, linenum, BN_num_bits(key->rsa->n), bits); > >- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); >- debug("matching key found: file %s, line %lu %s %s", >- file, linenum, key_type(key), fp); >+ fp = key_fingerprint(key, options.fpt, SSH_FP_HEX); >+ fpt = fpt_name(options.fpt); >+ debug("matching key found: file %s, line %lu %s [%s]%s", >+ file, linenum, key_type(key), fpt, fp); >+ free(fpt); > free(fp); > > /* Never accept a revoked key */ >diff --git a/auth.c b/auth.c >index 9a36f1d..74b0177 100644 >--- a/auth.c >+++ b/auth.c >@@ -659,7 +659,7 @@ getpwnamallow(const char *user) > int > auth_key_is_revoked(Key *key) > { >- char *key_fp; >+ char *key_fp, *key_fpt; > > if (options.revoked_keys_file == NULL) > return 0; >@@ -685,9 +685,11 @@ auth_key_is_revoked(Key *key) > case 1: > revoked: > /* Key revoked */ >- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); >+ key_fp = key_fingerprint(key, options.fpt, SSH_FP_HEX); >+ key_fpt = fpt_name(options.fpt); > error("WARNING: authentication attempt with a revoked " >- "%s key %s ", key_type(key), key_fp); >+ "%s key [%s]%s ", key_type(key), key_fpt, key_fp); >+ free(key_fpt); > free(key_fp); > return 1; > } >diff --git a/auth2-hostbased.c b/auth2-hostbased.c >index 488008f..231f0fe 100644 >--- a/auth2-hostbased.c >+++ b/auth2-hostbased.c >@@ -154,7 +154,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, > const char *resolvedname, *ipaddr, *lookup, *reason; > HostStatus host_status; > int len; >- char *fp; >+ char *fp, *fpt; > > if (auth_key_is_revoked(key)) > return 0; >@@ -207,16 +207,19 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, > if (host_status == HOST_OK) { > if (key_is_cert(key)) { > fp = key_fingerprint(key->cert->signature_key, >- SSH_FP_MD5, SSH_FP_HEX); >+ options.fpt, SSH_FP_HEX); >+ fpt = fpt_name(options.fpt); > verbose("Accepted certificate ID \"%s\" signed by " >- "%s CA %s from %s@%s", key->cert->key_id, >- key_type(key->cert->signature_key), fp, >+ "%s CA [%s]%s from %s@%s", key->cert->key_id, >+ key_type(key->cert->signature_key), fpt, fp, > cuser, lookup); > } else { >- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); >- verbose("Accepted %s public key %s from %s@%s", >- key_type(key), fp, cuser, lookup); >+ fp = key_fingerprint(key, options.fpt, SSH_FP_HEX); >+ fpt = fpt_name(options.fpt); >+ verbose("Accepted %s public key [%s]%s from %s@%s", >+ key_type(key), fpt, fp, cuser, lookup); > } >+ free(fpt); > free(fp); > } > >diff --git a/auth2-pubkey.c b/auth2-pubkey.c >index 0fd27bb..dbd3ad6 100644 >--- a/auth2-pubkey.c >+++ b/auth2-pubkey.c >@@ -198,7 +198,7 @@ done: > void > pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) > { >- char *fp, *extra; >+ char *fp, *fpt, *extra; > va_list ap; > int i; > >@@ -213,17 +213,21 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) > > if (key_is_cert(key)) { > fp = key_fingerprint(key->cert->signature_key, >- SSH_FP_MD5, SSH_FP_HEX); >- auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", >+ options.fpt, SSH_FP_HEX); >+ fpt = fpt_name(options.fpt); >+ auth_info(authctxt, "%s ID %s (serial %llu) CA %s [%s]%s%s%s", > key_type(key), key->cert->key_id, > (unsigned long long)key->cert->serial, >- key_type(key->cert->signature_key), fp, >+ key_type(key->cert->signature_key), fpt, fp, > extra == NULL ? "" : ", ", extra == NULL ? "" : extra); >+ free(fpt); > free(fp); > } else { >- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); >- auth_info(authctxt, "%s %s%s%s", key_type(key), fp, >+ fp = key_fingerprint(key, options.fpt, SSH_FP_HEX); >+ fpt = fpt_name(options.fpt); >+ auth_info(authctxt, "%s [%s]%s%s%s", key_type(key), fpt, fp, > extra == NULL ? "" : ", ", extra == NULL ? "" : extra); >+ free(fpt); > free(fp); > } > free(extra); >@@ -319,7 +323,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) > int found_key = 0; > u_long linenum = 0; > Key *found; >- char *fp; >+ char *fp, *fpt; > > found_key = 0; > >@@ -365,10 +369,11 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) > continue; > if (!key_is_cert_authority) > continue; >- fp = key_fingerprint(found, SSH_FP_MD5, >+ fp = key_fingerprint(found, options.fpt, > SSH_FP_HEX); >- debug("matching CA found: file %s, line %lu, %s %s", >- file, linenum, key_type(found), fp); >+ fpt = fpt_name(options.fpt); >+ debug("matching CA found: file %s, line %lu, %s [%s]%s", >+ file, linenum, key_type(found), fpt, fp); > /* > * If the user has specified a list of principals as > * a key option, then prefer that list to matching >@@ -380,6 +385,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) > reason = "Certificate does not contain an " > "authorized principal"; > fail_reason: >+ free(fpt); > free(fp); > error("%s", reason); > auth_debug_add("%s", reason); >@@ -390,12 +396,14 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) > &reason) != 0) > goto fail_reason; > if (auth_cert_options(key, pw) != 0) { >+ free(fpt); > free(fp); > continue; > } > verbose("Accepted certificate ID \"%s\" " >- "signed by %s CA %s via %s", key->cert->key_id, >- key_type(found), fp, file); >+ "signed by %s CA [%s]%s via %s", key->cert->key_id, >+ key_type(found), fpt, fp, file); >+ free(fpt); > free(fp); > found_key = 1; > break; >@@ -406,9 +414,11 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) > if (key_is_cert_authority) > continue; > found_key = 1; >- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); >- debug("matching key found: file %s, line %lu %s %s", >- file, linenum, key_type(found), fp); >+ fp = key_fingerprint(found, options.fpt, SSH_FP_HEX); >+ fpt = fpt_name(options.fpt); >+ debug("matching key found: file %s, line %lu %s [%s]%s", >+ file, linenum, key_type(found), fpt, fp); >+ free(fpt); > free(fp); > break; > } >@@ -424,7 +434,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) > static int > user_cert_trusted_ca(struct passwd *pw, Key *key) > { >- char *ca_fp, *principals_file = NULL; >+ char *ca_fp, *ca_fpt, *principals_file = NULL; > const char *reason; > int ret = 0; > >@@ -432,12 +442,13 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) > return 0; > > ca_fp = key_fingerprint(key->cert->signature_key, >- SSH_FP_MD5, SSH_FP_HEX); >+ options.fpt, SSH_FP_HEX); >+ ca_fpt = fpt_name(options.fpt); > > if (key_in_file(key->cert->signature_key, > options.trusted_user_ca_keys, 1) != 1) { >- debug2("%s: CA %s %s is not listed in %s", __func__, >- key_type(key->cert->signature_key), ca_fp, >+ debug2("%s: CA %s [%s]%s is not listed in %s", __func__, >+ key_type(key->cert->signature_key), ca_fpt, ca_fp, > options.trusted_user_ca_keys); > goto out; > } >@@ -462,13 +473,14 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) > if (auth_cert_options(key, pw) != 0) > goto out; > >- verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s", >- key->cert->key_id, key_type(key->cert->signature_key), ca_fp, >+ verbose("Accepted certificate ID \"%s\" signed by %s CA [%s]%s via %s", >+ key->cert->key_id, key_type(key->cert->signature_key), ca_fpt, ca_fp, > options.trusted_user_ca_keys); > ret = 1; > > out: > free(principals_file); >+ free(ca_fpt); > free(ca_fp); > return ret; > } >diff --git a/key.c b/key.c >index 168e1b7..c529499 100644 >--- a/key.c >+++ b/key.c >@@ -61,6 +61,18 @@ > static int to_blob(const Key *, u_char **, u_int *, int); > static Key *key_from_blob2(const u_char *, u_int, int); > >+struct FPT { >+ char *name; >+ int type; >+}; >+ >+static const struct FPT fpts[] = { >+ { "md5", SSH_FP_MD5}, >+ { "sha1", SSH_FP_SHA1}, >+ { "sha256", SSH_FP_SHA256}, >+ { NULL, SSH_FP_INVALID}, >+}; >+ > static struct KeyCert * > cert_new(void) > { >@@ -76,6 +88,24 @@ cert_new(void) > return cert; > } > >+int >+fpt_type(const char *name) { >+ const FPT *fpt; >+ for (fpt = fpts; fpt->name != NULL; fpt++) >+ if (strcmp(fpt->name, name) == 0) >+ return fpt->type; >+ return SSH_FP_INVALID; >+} >+ >+char * >+fpt_name(const int type) { >+ const FPT *fpt; >+ for (fpt = fpts; fpt->name != NULL; fpt++) >+ if (fpt->type == type) >+ return xstrdup(fpt->name); >+ return NULL; >+} >+ > Key * > key_new(int type) > { >diff --git a/key.h b/key.h >index d8ad13d..f01df87 100644 >--- a/key.h >+++ b/key.h >@@ -51,7 +51,8 @@ enum types { > enum fp_type { > SSH_FP_SHA1, > SSH_FP_MD5, >- SSH_FP_SHA256 >+ SSH_FP_SHA256, >+ SSH_FP_INVALID = -1 > }; > enum fp_rep { > SSH_FP_HEX, >@@ -59,6 +60,10 @@ enum fp_rep { > SSH_FP_RANDOMART > }; > >+typedef struct FPT FPT; >+ >+struct FPT; >+ > /* key is stored in external hardware */ > #define KEY_FLAG_EXT 0x0001 > >@@ -95,6 +100,8 @@ struct Key { > #define ED25519_SK_SZ crypto_sign_ed25519_SECRETKEYBYTES > #define ED25519_PK_SZ crypto_sign_ed25519_PUBLICKEYBYTES > >+int fpt_type(const char *); >+char *fpt_name(int); > Key *key_new(int); > void key_add_private(Key *); > Key *key_new_private(int); >diff --git a/readconf.c b/readconf.c >index dc884c9..c4d2b6e 100644 >--- a/readconf.c >+++ b/readconf.c >@@ -148,7 +148,7 @@ typedef enum { > oVisualHostKey, oUseRoaming, > oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, > oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, >- oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, >+ oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oFingerprintType, > oIgnoredUnknownOption, oDeprecated, oUnsupported > } OpCodes; > >@@ -261,6 +261,7 @@ static struct { > { "canonicalizehostname", oCanonicalizeHostname }, > { "canonicalizemaxdots", oCanonicalizeMaxDots }, > { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, >+ { "fingerprinttype", oFingerprintType }, > { "ignoreunknown", oIgnoreUnknown }, > > { NULL, oBadOption } >@@ -1394,6 +1395,16 @@ parse_int: > intptr = &options->canonicalize_fallback_local; > goto parse_flag; > >+ case oFingerprintType: >+ arg = strdelim(&s); >+ value = fpt_type(arg); >+ if (value == SSH_FP_INVALID) >+ fatal("%.200s line %d: unsupported fingerprint type '%s'", >+ filename, linenum, arg ? arg : "<NONE>"); >+ if (*activep && options->fpt == SSH_FP_INVALID) >+ options->fpt = value; >+ break; >+ > case oDeprecated: > debug("%s line %d: Deprecated option \"%s\"", > filename, linenum, keyword); >@@ -1568,6 +1579,7 @@ initialize_options(Options * options) > options->canonicalize_max_dots = -1; > options->canonicalize_fallback_local = -1; > options->canonicalize_hostname = -1; >+ options->fpt = SSH_FP_INVALID; > } > > /* >@@ -1741,6 +1753,8 @@ fill_default_options(Options * options) > options->canonicalize_fallback_local = 1; > if (options->canonicalize_hostname == -1) > options->canonicalize_hostname = SSH_CANONICALISE_NO; >+ if (options->fpt == SSH_FP_INVALID) >+ options->fpt = SSH_FP_MD5; > #define CLEAR_ON_NONE(v) \ > do { \ > if (option_clear_or_none(v)) { \ >diff --git a/readconf.h b/readconf.h >index 75e3f8f..8abac98 100644 >--- a/readconf.h >+++ b/readconf.h >@@ -104,6 +104,8 @@ typedef struct { > int identity_file_userprovided[SSH_MAX_IDENTITY_FILES]; > Key *identity_keys[SSH_MAX_IDENTITY_FILES]; > >+ int fpt; /* FingerprintType */ >+ > /* Local TCP/IP forward requests. */ > int num_local_forwards; > Forward *local_forwards; >diff --git a/servconf.c b/servconf.c >index 7ba65d5..7c72d15 100644 >--- a/servconf.c >+++ b/servconf.c >@@ -153,6 +153,7 @@ initialize_server_options(ServerOptions *options) > options->ip_qos_interactive = -1; > options->ip_qos_bulk = -1; > options->version_addendum = NULL; >+ options->fpt = SSH_FP_INVALID; > } > > void >@@ -312,6 +313,8 @@ fill_default_server_options(ServerOptions *options) > options->compression = 0; > } > #endif >+ if (options->fpt == SSH_FP_INVALID) >+ options->fpt = SSH_FP_MD5; > > } > >@@ -347,7 +350,7 @@ typedef enum { > sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, > sKexAlgorithms, sIPQoS, sVersionAddendum, > sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, >- sAuthenticationMethods, sHostKeyAgent, >+ sAuthenticationMethods, sHostKeyAgent, sFingerprintType, > sDeprecated, sUnsupported > } ServerOpCodes; > >@@ -474,6 +477,7 @@ static struct { > { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, > { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, > { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, >+ { "fingerprinttype", sFingerprintType }, > { NULL, sBadOption, 0 } > }; > >@@ -1620,6 +1624,16 @@ process_server_config_line(ServerOptions *options, char *line, > } > return 0; > >+ case sFingerprintType: >+ arg = strdelim(&cp); >+ value = fpt_type(arg); >+ if (value == SSH_FP_INVALID) >+ fatal("%.200s line %d: unsupported fingerprint type '%s'", >+ filename, linenum, arg ? arg : "<NONE>"); >+ if (*activep && options->fpt == SSH_FP_INVALID) >+ options->fpt = value; >+ break; >+ > case sDeprecated: > logit("%s line %d: Deprecated option %s", > filename, linenum, arg); >diff --git a/servconf.h b/servconf.h >index 752d1c5..ff8b0f3 100644 >--- a/servconf.h >+++ b/servconf.h >@@ -183,6 +183,9 @@ typedef struct { > > u_int num_auth_methods; > char *auth_methods[MAX_AUTH_METHODS]; >+ >+ int fpt; /* FingerprintType */ >+ > } ServerOptions; > > /* Information about the incoming connection as used by Match */ >diff --git a/ssh_config b/ssh_config >index 03a228f..625a771 100644 >--- a/ssh_config >+++ b/ssh_config >@@ -31,6 +31,7 @@ > # AddressFamily any > # ConnectTimeout 0 > # StrictHostKeyChecking ask >+# FingerprintType sha256 > # IdentityFile ~/.ssh/identity > # IdentityFile ~/.ssh/id_rsa > # IdentityFile ~/.ssh/id_dsa >diff --git a/ssh_config.5 b/ssh_config.5 >index b580392..9f8f38b 100644 >--- a/ssh_config.5 >+++ b/ssh_config.5 >@@ -587,6 +587,16 @@ or > .Dq no . > The default is > .Dq no . >+.It Cm FingerprintType >+Specifies the cryptographic hash function to use for keys fingeprints. >+The supported hashes are: >+.Dq md5 , >+.Dq sha1 >+and >+.Dq sha256 . >+.Pp >+The default is >+.Dq md5 > .It Cm ForwardAgent > Specifies whether the connection to the authentication agent (if any) > will be forwarded to the remote machine. >diff --git a/sshconnect.c b/sshconnect.c >index 573d7a8..f10452a 100644 >--- a/sshconnect.c >+++ b/sshconnect.c >@@ -807,7 +807,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, > HostStatus ip_status; > Key *raw_key = NULL; > char *ip = NULL, *host = NULL; >- char hostline[1000], *hostp, *fp, *ra; >+ char hostline[1000], *hostp, *fp, *fpt, *ra; > char msg[1024]; > const char *type; > const struct hostkey_entry *host_found, *ip_found; >@@ -914,11 +914,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, > "key for IP address '%.128s' to the list " > "of known hosts.", type, ip); > } else if (options.visual_host_key) { >- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); >- ra = key_fingerprint(host_key, SSH_FP_MD5, >+ fp = key_fingerprint(host_key, options.fpt, SSH_FP_HEX); >+ fpt = fpt_name(options.fpt); >+ ra = key_fingerprint(host_key, options.fpt, > SSH_FP_RANDOMART); >- logit("Host key fingerprint is %s\n%s\n", fp, ra); >+ logit("Host key fingerprint is [%s]%s\n%s\n", fpt, fp, ra); > free(ra); >+ free(fpt); > free(fp); > } > break; >@@ -955,8 +957,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, > else > snprintf(msg1, sizeof(msg1), "."); > /* The default */ >- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); >- ra = key_fingerprint(host_key, SSH_FP_MD5, >+ fp = key_fingerprint(host_key, options.fpt, SSH_FP_HEX); >+ fpt = fpt_name(options.fpt); >+ ra = key_fingerprint(host_key, options.fpt, > SSH_FP_RANDOMART); > msg2[0] = '\0'; > if (options.verify_host_key_dns) { >@@ -972,14 +975,15 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, > snprintf(msg, sizeof(msg), > "The authenticity of host '%.200s (%s)' can't be " > "established%s\n" >- "%s key fingerprint is %s.%s%s\n%s" >+ "%s key fingerprint is [%s]%s.%s%s\n%s" > "Are you sure you want to continue connecting " > "(yes/no)? ", >- host, ip, msg1, type, fp, >+ host, ip, msg1, type, fpt, fp, > options.visual_host_key ? "\n" : "", > options.visual_host_key ? ra : "", > msg2); > free(ra); >+ free(fpt); > free(fp); > if (!confirm(msg)) > goto fail; >@@ -1220,7 +1224,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) > int flags = 0; > char *fp; > >- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); >+ fp = key_fingerprint(host_key, options.fpt, SSH_FP_HEX); > debug("Server host key: %s %s", key_type(host_key), fp); > free(fp); > >@@ -1319,7 +1323,7 @@ show_other_keys(struct hostkeys *hostkeys, Key *key) > -1 > }; > int i, ret = 0; >- char *fp, *ra; >+ char *fp, *fpt, *ra; > const struct hostkey_entry *found; > > for (i = 0; type[i] != -1; i++) { >@@ -1327,17 +1331,19 @@ show_other_keys(struct hostkeys *hostkeys, Key *key) > continue; > if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found)) > continue; >- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX); >- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART); >+ fp = key_fingerprint(found->key, options.fpt, SSH_FP_HEX); >+ fpt = fpt_name(options.fpt); >+ ra = key_fingerprint(found->key, options.fpt, SSH_FP_RANDOMART); > logit("WARNING: %s key found for host %s\n" > "in %s:%lu\n" >- "%s key fingerprint %s.", >+ "%s key fingerprint [%s]%s.", > key_type(found->key), > found->host, found->file, found->line, >- key_type(found->key), fp); >+ key_type(found->key), fpt, fp); > if (options.visual_host_key) > logit("%s", ra); > free(ra); >+ free(fpt); > free(fp); > ret = 1; > } >@@ -1349,7 +1355,7 @@ warn_changed_key(Key *host_key) > { > char *fp; > >- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); >+ fp = key_fingerprint(host_key, options.fpt, SSH_FP_HEX); > > error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); > error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); >diff --git a/sshconnect2.c b/sshconnect2.c >index 7f4ff41..4b29cc6 100644 >--- a/sshconnect2.c >+++ b/sshconnect2.c >@@ -542,7 +542,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) > Buffer b; > int pktype, sent = 0; > u_int alen, blen; >- char *pkalg, *fp; >+ char *pkalg, *fp, *fpt; > u_char *pkblob; > > if (authctxt == NULL) >@@ -577,8 +577,10 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) > key->type, pktype); > goto done; > } >- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); >- debug2("input_userauth_pk_ok: fp %s", fp); >+ fp = key_fingerprint(key, options.fpt, SSH_FP_HEX); >+ fpt = fpt_name(options.fpt); >+ debug2("input_userauth_pk_ok: fp [%s]%s", fpt, fp); >+ free(fpt); > free(fp); > > /* >@@ -984,10 +986,12 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) > u_int skip = 0; > int ret = -1; > int have_sig = 1; >- char *fp; >+ char *fp, *fpt; > >- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); >- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); >+ fp = key_fingerprint(id->key, options.fpt, SSH_FP_HEX); >+ fpt = fpt_name(options.fpt); >+ debug3("sign_and_send_pubkey: %s [%s]%s", key_type(id->key), fpt, fp); >+ free(fpt); > free(fp); > > if (key_to_blob(id->key, &blob, &bloblen) == 0) { >diff --git a/sshd_config b/sshd_config >index e9045bc..e459b4c 100644 >--- a/sshd_config >+++ b/sshd_config >@@ -58,6 +58,8 @@ AuthorizedKeysFile .ssh/authorized_keys > #AuthorizedKeysCommand none > #AuthorizedKeysCommandUser nobody > >+#FingerprintType sha256 >+ > # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts > #RhostsRSAAuthentication no > # similar for protocol version 2 >diff --git a/sshd_config.5 b/sshd_config.5 >index ce71efe..49e7efb 100644 >--- a/sshd_config.5 >+++ b/sshd_config.5 >@@ -449,6 +449,16 @@ and finally > See PATTERNS in > .Xr ssh_config 5 > for more information on patterns. >+.It Cm FingerprintType >+Specifies the cryptographic hash function to use for keys fingeprints. >+The supported hashes are: >+.Dq md5 , >+.Dq sha1 >+and >+.Dq sha256 . >+.Pp >+The default is >+.Dq md5 > .It Cm ForceCommand > Forces the execution of the command specified by > .Cm ForceCommand , >-- >1.8.3.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=2429">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1872
:
2006
|
2007
|
2429
|
2518