Bug 3493 - ssh-keyscan -D has no option to disable SHA-1 digest
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keyscan
Version: 9.1p1
Hardware: Other Linux
: P5 normal
Assignee: Assigned to nobody
Blocks: V_9_3
Reported: 2022-10-31 22:27 AEDT by Petr Menšík
Modified: 2023-03-17 13:42 AEDT

Attachments
Support -Ohashalg=sha256 in ssh-keygen and ssh-keyscan (6.34 KB, patch)
2023-02-10 14:11 AEDT, Damien Miller
dtucker: ok+
Description Petr Menšík 2022-10-31 22:27:48 AEDT
I would like to omit the SHA1 digest from any records generated for SSHFP records. I want only the more secure digest. But even in the latest version it always prints both digest types. The only way out is grepping out the unwanted digest, which is not convenient.

I would like to have a simpler way to select only the SHA256 digest or disable SHA1.
Comment 1 HLFH 2022-12-09 01:56:46 AEDT
Yes, selecting only the SHA256 digest would be great.
Comment 2 Damien Miller 2023-02-10 14:11:51 AEDT
Created attachment 3663
Support -Ohashalg=sha256 in ssh-keygen and ssh-keyscan
Comment 3 Darren Tucker 2023-02-10 14:48:27 AEDT
Comment on attachment 3663
Support -Ohashalg=sha256 in ssh-keygen and ssh-keyscan

Should have a regression test?
Comment 4 Damien Miller 2023-02-10 16:06:39 AEDT
This has been committed and will be in OpenSSH 9.3 (regress test too)
Comment 5 Damien Miller 2023-03-17 13:42:26 AEDT
OpenSSH 9.3 has been released. Close resolved bugs
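
Added example, not part of the bug thread or the OpenSSH code base: a filter for the "grepping out" workaround described in the report, for releases older than 9.3 where `ssh-keyscan -D` always emits both digest types. It keeps only SSHFP records with fingerprint type 2 (SHA-256) and a well-formed 64-hex-digit digest; the function names, the host name and the sample records are constructed, and it assumes one record per line with an unbroken digest.

```shell
#!/bin/sh
# Constructed sample of `ssh-keyscan -D` style output. The digests are made-up
# hex strings, not fingerprints of real keys. The last record is deliberately malformed.
SAMPLE='host.example.org IN SSHFP 4 1 0123456789abcdef0123456789abcdef01234567
host.example.org IN SSHFP 4 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
host.example.org IN SSHFP 1 1 89abcdef0123456789abcdef0123456789abcdef
host.example.org IN SSHFP 1 2 89abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234567
host.example.org IN SSHFP 3 2 deadbeef'

# Keep only SSHFP records whose fingerprint type is 2 (SHA-256) and whose
# digest is exactly 64 hex digits. Reads records on stdin, writes to stdout.
sshfp_sha256_only() {
    awk '{
        # Locate the SSHFP token so an optional TTL column does not matter.
        for (i = 1; i <= NF; i++) if (toupper($i) == "SSHFP") break
        if (i > NF) next                      # not an SSHFP record
        fptype = $(i + 2); digest = $(i + 3)  # fields: key-alg, fp-type, digest
        if (fptype == "2" && length(digest) == 64 && digest ~ /^[0-9A-Fa-f]+$/)
            print
    }'
}

# Count SSHFP records of one fingerprint type ($1) on stdin, e.g. to confirm
# that no type 1 (SHA-1) records remain before publishing a zone.
sshfp_count_type() {
    awk -v t="$1" '{
        for (i = 1; i <= NF; i++)
            if (toupper($i) == "SSHFP" && $(i + 2) == t) n++
    } END { print n + 0 }'
}

# Stand-alone run on the constructed sample. With a real host this would be:
#   ssh-keyscan -D host | sshfp_sha256_only
# On OpenSSH 9.3 and later the filter is unnecessary:
#   ssh-keyscan -D -Ohashalg=sha256 host
printf '%s\n' "$SAMPLE" | sshfp_sha256_only
```
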