Bug 1249626 - openssh: should print both new and legacy fingerprints
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: openssh
Version: 22
Assigned To: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-08-03 08:39 EDT by Florian Weimer
Modified: 2015-09-01 19:22 EDT
Fixed In Version: 6.9p1-6.fc22.1
Doc Type: Bug Fix
Last Closed: 2015-08-26 00:32:40 EDT
Type: Bug
External Trackers: OpenSSH Project 2439

Description Florian Weimer 2015-08-03 08:39:10 EDT
The new SHA-256/base64 fingerprints are not compatible with older systems such as Red Hat Enterprise Linux 7.  Rather than providing no interoperable fingerprint at all (so that users are encouraged to blindly type “yes”), the ssh client should print both the new-style and old-style fingerprints, so that there is still a simple way to verify the fingerprint.

This suggestion applies to openssh-6.9p1-2.fc22.
Comment 1 Jakub Jelen 2015-08-05 09:02:06 EDT
Thank you for this idea. There is still the client config option FingerprintHash, which you can set back to md5 to get the original behaviour and the same fingerprint as in the older openssh versions. But as we are deprecating md5, I don't think it is a good idea to use this as the default.

The option can be quite easily used like this:
  $ ssh github.com -oFingerprintHash=md5
  [...]
  RSA key fingerprint is MD5:16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.


But it sounds reasonable to have the possibility to show both versions at least for some transition time, before at least some servers switch over, since this is pushing users to ignore the fingerprints even more than before.

I can think about a default client option with the list "sha256,md5" (both) which would cause printing both PF. This would require some changes in code, but I will try to prepare a patch with upstream.
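
Added example (not part of the bug report and not OpenSSH code): a Python helper that derives both fingerprint styles discussed above from one public key line and checks a fingerprint read out from either an old or a new system. The sample key is constructed, and the function names are assumptions of this example.

```python
import base64, hashlib, hmac

def key_blob(pubkey_line):
    """Return the raw key blob from a '<type> <base64> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type;
    # reject lines where it disagrees with the declared type.
    n = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match key blob")
    return blob

def fingerprints(pubkey_line):
    """Both styles: legacy MD5 colon-hex and SHA-256 unpadded base64."""
    blob = key_blob(pubkey_line)
    md5 = hashlib.md5(blob).hexdigest()
    legacy = "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": legacy, "sha256": "SHA256:" + sha}

def matches(pubkey_line, expected):
    """Check a key against a fingerprint given in either style.
    Bare colon-separated hex, as older clients print it, is read as MD5."""
    blob = key_blob(pubkey_line)
    expected = expected.strip()
    try:
        if expected.startswith("SHA256:"):
            b64 = expected[7:]
            want = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
            got = hashlib.sha256(blob).digest()
        else:
            hexpart = expected[4:] if expected.startswith("MD5:") else expected
            want = bytes.fromhex(hexpart.replace(":", ""))
            got = hashlib.md5(blob).digest()
    except ValueError:
        return False  # malformed fingerprint never matches
    return hmac.compare_digest(want, got)

def sample_key_line():
    """Constructed ed25519-shaped key (bytes 0..31), not a real host key."""
    blob = ((11).to_bytes(4, "big") + b"ssh-ed25519" +
            (32).to_bytes(4, "big") + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    print(fingerprints(sample_key_line()))
```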
Comment 2 Fedora Update System 2015-08-19 10:55:29 EDT
openssh-7.0p1-2.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/openssh-7.0p1-2.fc23
Comment 3 Fedora Update System 2015-08-21 22:51:27 EDT
openssh-6.9p1-6.fc22.1 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
  su -c 'yum --enablerepo=updates-testing update openssh'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13814
Comment 4 Fedora Update System 2015-08-22 12:26:02 EDT
openssh-7.0p1-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
  su -c 'yum --enablerepo=updates-testing update openssh'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/openssh-7.0p1-2.fc23
Comment 5 Fedora Update System 2015-08-23 18:20:00 EDT
openssh-7.1p1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
  su -c 'yum --enablerepo=updates-testing update openssh'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13999
Comment 6 Fedora Update System 2015-08-26 00:32:37 EDT
openssh-7.1p1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-09-01 19:22:42 EDT
openssh-6.9p1-6.fc22.1 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
