Page MenuHome GnuPG
Create Task
Maniphest T2106

Support SHA-256 fingerprints for ssh
Closed, ResolvedPublic
Actions

Description

OpenSSH now uses a SHA-256 fingerprint; we should support it. See also T2075

Details

Version
2.1

Revisions and Commits

rG GnuPG
rG525f2c482abb agent: Make digest algorithms for ssh fingerprints configurable.
rGa5f046d99a08 agent: Write both ssh fingerprints to 'sshcontrol' file.
rG3a07a69dfc87 common: Correctly render SHA256-based ssh fingerprints.
rG3ac1a9d3a018 common: Support different digest algorithms for ssh fingerprints.

Related Objects

Event Timeline

werner renamed this task from Support SHA-256 fingerrpitns for ssh to Support SHA-256 fingerprints for ssh.Sep 22 2015, 9:39 AM
werner set Version to 2.1.
werner added projects: Feature Request, ssh, gnupg.
werner added a subscriber: werner.
werner mentioned this in T2075: gpg-agent comments in sshcontrol for do not match ssh.Mar 30 2017, 7:16 PM
justus claimed this task.Dec 3 2015, 5:19 PM
justus added a subscriber: justus.
justus added a comment.Dec 4 2015, 3:49 PM

I generalized the ssh key fingerprinting code so that we can select the digest algorithm.

Now I'm a little unsure how to proceed. We can easily include both the MD5 and the SHA256 digest
in the sshcontrol file. But what shall we use for expanding '%F' in key descriptions? If we
transition too soon or too late, users might not recognize their key. Displaying both surely is
too verbose. We could make it configurable, or at least a compile time option.

What do you think?

werner added a comment.Dec 9 2015, 3:11 PM

6.7 still shows MD5 fingerprints thus switching won't be easy. Does the SHA-256
fingerprint use Base32? If that is the case it might be a serious UX problem
because most people are used to look for colon separated hex digits.

justus added a comment.Dec 14 2015, 11:56 AM

It seems to be base64:

% ssh -V
OpenSSH_7.1p1 Debian-3, OpenSSL 1.0.2e 3 Dec 2015
% ssh-keygen -l -f .ssh/known_hosts -F playfair.gnupg.org -E md5 -q
playfair.gnupg.org RSA MD5:cc:dd:46:8e:ef:3d:d9:34:97:f8:b8:5a:59:51:80:4a
% ssh-keygen -l -f .ssh/known_hosts -F playfair.gnupg.org -E sha256 -q
playfair.gnupg.org RSA SHA256:KCh034SD0rMKqCkJbdH2wx354s1278tqt9F+xb5cidg

gniibe added a subscriber: gniibe.Dec 16 2015, 2:45 AM

It is base64 trimmed the last '='.

Introducing new specifier, say %f, would be good, while keeping %F as is.
%f includes the hash algorithm string as SSH does.

werner added a comment.Dec 18 2015, 5:20 PM

That fingerprint looks more like gibberish than something which should be
compared by the user. In that regard a SHA-1 fingerprint looks much more
serious and IMHO will be more secure than a base-64 fingerprint where you have
to explain that the users also need to match the case - if they are at all able
to compare that fingerprint.

We should take this to the mailing list.

werner added a comment.Jan 6 2017, 5:47 PM

Adding %f does not help much because it is only used internally. I would be in
favor of adding an ssh-key-mode option so that the user can select the hash algo
and the output format.

werner added a project: gnupg (gpg22).Jan 6 2017, 5:47 PM
justus moved this task from Backlog to Wishlist on the gnupg (gpg22) board.May 24 2017, 1:17 PM
justus closed this task as Resolved.May 24 2017, 6:13 PM

Fixed as of 525f2c482abb6bc2002eb878b03558fb43e6b004.

justus added a commit: rG3ac1a9d3a018: common: Support different digest algorithms for ssh fingerprints..May 24 2017, 6:13 PM
justus added a commit: rG3a07a69dfc87: common: Correctly render SHA256-based ssh fingerprints..
justus added a commit: rGa5f046d99a08: agent: Write both ssh fingerprints to 'sshcontrol' file..
justus added a commit: rG525f2c482abb: agent: Make digest algorithms for ssh fingerprints configurable..