Skip to content

Use SHA256 instead of MD5 for key fingerprints#37

Open
tobhe wants to merge 1 commit into
jbeverly:masterfrom
tobhe:fingerprint
Open

Use SHA256 instead of MD5 for key fingerprints#37
tobhe wants to merge 1 commit into
jbeverly:masterfrom
tobhe:fingerprint

Conversation

@tobhe

@tobhe tobhe commented Mar 16, 2022
edited
Loading

Copy link
Copy Markdown

We ran into problems using this module when running in FIPS mode. MD5 is not allowed with FIPS and in general probably not a good idea to use for key fingerprints anymore.

I propose switching to SHA256 which upstream OpenSSH appears to use by default since OpenSSH 6.8. The PR also changes the format of SSH fingerprints from hex encoding to base64 with appended hash name for compatibility with upstream fingerprints.

@tobhe tobhe force-pushed the fingerprint branch 2 times, most recently from 15962a7 to e9098db Compare March 16, 2022 11:29
@tobhe
Use SHA256 instead of MD5 for key fingerprints
86fb1d7 
Adopt upstream OpenSSH switch to default to SHA256 fingerprints.
Switch fingerprint encoding to base64 and append hash name to
conform with upstream format since OpenSSH 6.8.
@tobhe

tobhe commented Mar 16, 2022

Copy link
Copy Markdown
Author

Here is a little before and after from my last round of tests.
With md5 and hex encoding:

pam_ssh_agent_auth: Found matching RSA key: c9:20:ff:09:15:7b:a2:e6:59:e3:a7:4a:60:0c:4f:61:1a:60:07:c9:d2:98:76:7f:71:4f:2f:d2:fc:00:c1:7d

vs sha256 in base64:

pam_ssh_agent_auth: Found matching RSA key: SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0

Which now matches the output of $ ssh-keygen -lf ~/.ssh/id_rsa.pub:

4096 SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0 (RSA)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tobhe