Bug 3493

Summary: ssh-keyscan -D has no option to disable SHA-1 digest
Product: Portable OpenSSH
Component: ssh-keyscan
Status: CLOSED FIXED
Severity: normal
Priority: P5
Version: 9.1p1
Hardware: Other
OS: Linux
Reporter: Petr Menšík <pemensik>
Assignee: Assigned to nobody <unassigned-bugs>
CC: djm, dtucker, gaspard
Bug Depends on:
Bug Blocks: 3533
Attachments:
Support -Ohashalg=sha256 in ssh-keygen and ssh-keyscan (Flags: dtucker: ok+)

Description Petr Menšík 2022-10-31 22:27:48 AEDT
I would like to omit the SHA1 digest from any records generated for SSHFP records. I want only the more secure digest. But even in the latest version it always prints both digest types. The only way out is grepping out the unwanted digest, which is not convenient.

I would like to have a simpler way to select only the SHA256 digest or disable SHA1.

Comment 1 HLFH 2022-12-09 01:56:46 AEDT
Yes, selecting only the SHA256 digest would be great.

Comment 2 Damien Miller 2023-02-10 14:11:51 AEDT
Created attachment 3663
Support -Ohashalg=sha256 in ssh-keygen and ssh-keyscan

Comment 3 Darren Tucker 2023-02-10 14:48:27 AEDT
Comment on attachment 3663
Support -Ohashalg=sha256 in ssh-keygen and ssh-keyscan

Should have a regression test?

Comment 4 Damien Miller 2023-02-10 16:06:39 AEDT
This has been committed and will be in OpenSSH 9.3 (regress test too)

Comment 5 Damien Miller 2023-03-17 13:42:26 AEDT
OpenSSH 9.3 has been released. Close resolved bugs
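
For hosts still on a release before 9.3, where `-Ohashalg=sha256` is not available, the "grepping out" workaround from the description can be made stricter than a plain grep. The following is an added example, not part of the bug thread or the OpenSSH source; the function names and the sample records are constructed for illustration, and it goes slightly beyond the thread by also accepting zone-file lines that carry a TTL and by rejecting SHA-256 records whose digest is not 64 hex characters.

```shell
#!/bin/sh
# Added example: keep only SHA-256 SSHFP records from `ssh-keyscan -D` or
# `ssh-keygen -r` output on stdin. SSHFP fingerprint type 1 is SHA-1 and
# type 2 is SHA-256. Function names and sample data are hypothetical.

sshfp_sha256_only() {
    awk '
        /^[ \t]*(;|$)/ { next }              # zone-file comments, blank lines
        {
            # Locate the SSHFP token so lines with a TTL also parse.
            pos = 0
            for (i = 1; i <= NF; i++)
                if (toupper($i) == "SSHFP") { pos = i; break }
            if (pos == 0 || NF < pos + 3) next   # not a complete SSHFP record
            fptype = $(pos + 2)
            digest = $(pos + 3)
            if (fptype == "1") next              # SHA-1 record: drop it
            # A SHA-256 digest is exactly 64 hex characters.
            if (fptype == "2" && length(digest) == 64 && digest ~ /^[0-9A-Fa-f]+$/) {
                print
                next
            }
            # Unknown type or truncated digest: report and fail the run.
            printf "rejected: %s\n", $0 | "cat 1>&2"
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample in the shape ssh-keyscan -D prints (digests are fake).
sample_sshfp() {
    cat <<'EOF'
; constructed sample, not real host keys
host.example IN SSHFP 4 1 0123456789abcdef0123456789abcdef01234567
host.example IN SSHFP 4 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
host.example IN SSHFP 1 1 89abcdef0123456789abcdef0123456789abcdef
host.example 3600 IN SSHFP 1 2 89abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234567
EOF
}

sample_sshfp | sshfp_sha256_only
```

The non-zero exit status on a malformed record lets a zone-generation script stop before publishing a truncated fingerprint.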