Bug 3493 - ssh-keyscan -D has no option to disable SHA-1 digest
Summary: ssh-keyscan -D has no option to disable SHA-1 digest
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keyscan (show other bugs)
Version: 9.1p1
Hardware: Other Linux
: P5 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_9_3
  Show dependency treegraph
 
Reported: 2022-10-31 22:27 AEDT by Petr Menšík
Modified: 2023-03-17 13:42 AEDT (History)
3 users (show)

See Also:

Attachments
Support -Ohashalg=sha256 in ssh-keygen and ssh-keyscan (6.34 KB, patch)
2023-02-10 14:11 AEDT, Damien Miller 		dtucker: ok+
Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Petr Menšík 2022-10-31 22:27:48 AEDT 
I would like to omit SHA1 digest from any records generated for SSHFP records. I want only more secure digest. But even in the latest version is always prints both digest types. The only way out is grepping out unwanted digest, which is not convenient.

I would like to have more simple way to select only SHA256 digest or disable SHA1.
Comment 1 HLFH 2022-12-09 01:56:46 AEDT 
Yes selecting only the SHA256 digest would be great.
Comment 2 Damien Miller 2023-02-10 14:11:51 AEDT 
Created attachment 3663 [details]
Support -Ohashalg=sha256 in ssh-keygen and ssh-keyscan
Comment 3 Darren Tucker 2023-02-10 14:48:27 AEDT 
Comment on attachment 3663 [details]
Support -Ohashalg=sha256 in ssh-keygen and ssh-keyscan

Should have a regression test?
Comment 4 Damien Miller 2023-02-10 16:06:39 AEDT 
This has been committed and will be in OpenSSH 9.3 (regress test too)
Comment 5 Damien Miller 2023-03-17 13:42:26 AEDT 
OpenSSH 9.3 has been released. Close resolved bugs