Bug 1249626 - openssh: should print both new and legacy fingerprints
Summary: openssh: should print both new and legacy fingerprints
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 22
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-08-03 12:39 UTC by Florian Weimer
Modified: 2015-09-01 23:22 UTC (History)

Fixed In Version: 6.9p1-6.fc22.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-26 04:32:40 UTC
Type: Bug
Embargoed:




Links: OpenSSH Project 2439

Description Florian Weimer 2015-08-03 12:39:10 UTC
The new SHA-256/base64 fingerprints are not compatible with older systems such as Red Hat Enterprise Linux 7.  Rather than providing no interoperable fingerprint at all (so that users are encouraged to blindly type “yes”), the ssh client should print both the new-style and old-style fingerprints, so that there is still a simple way to verify the fingerprint.

This suggestion applies to openssh-6.9p1-2.fc22.

Comment 1 Jakub Jelen 2015-08-05 13:02:06 UTC
Thank you for this idea. There is still the client config option FingerprintHash, which you can set back to md5 to get the original behaviour and the same fingerprint as in the older openssh versions. But as we are deprecating md5, I don't think it is a good idea to use this as the default.

The option can be quite easily used like this:
  $ ssh github.com -oFingerprintHash=md5
  [...]
  RSA key fingerprint is MD5:16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.


But it sounds reasonable to have the possibility to show both versions, at least for some transition time before at least some servers switch over, since this is pushing users to ignore the fingerprints even more than before.

I can think about a default client option with the list "sha256,md5" (both), which would cause both fingerprints to be printed. This would require some changes in the code, but I will try to prepare a patch with upstream.
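
The two formats under discussion are both digests of the same raw key blob: the legacy fingerprint is MD5 of the blob as colon-separated hex, the new default is SHA-256 of the blob as unpadded base64. The following script, an added example and not part of this bug or of OpenSSH, prints both for a public key line (as produced by ssh-keyscan or stored in known_hosts) so a key can be checked against whichever format an older host shows; the sample key is constructed for the demo and the helper names are my own.

```python
"""Print both SHA-256 and legacy MD5 fingerprints of an SSH public key blob."""
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def build_blob(key_type: str, *fields: bytes) -> bytes:
    """Encode an SSH wire-format public key blob: each string is uint32 length + data."""
    out = struct.pack(">I", len(key_type)) + key_type.encode()
    for field in fields:
        out += struct.pack(">I", len(field)) + field
    return out


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Return (key type, raw blob) from 'type base64 [comment]'; a leading known_hosts host field is skipped."""
    parts = line.split()
    if parts and not parts[0].startswith(KEY_TYPE_PREFIXES) and len(parts) >= 3:
        parts = parts[1:]
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:  # the blob embeds its own type; both must agree
        raise ValueError("key type in line does not match blob")
    return key_type, blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy format (FingerprintHash=md5): colon-separated hex of MD5 over the raw blob."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """New default: base64 of SHA-256 over the raw blob, with '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def both_fingerprints(line: str) -> dict:
    key_type, blob = parse_pubkey_line(line)
    return {"type": key_type, "sha256": fingerprint_sha256(blob), "md5": fingerprint_md5(blob)}


def matches(line: str, expected: str) -> bool:
    """Check a fingerprint obtained out of band, accepting either format (MD5 hex is case-insensitive)."""
    fps = both_fingerprints(line)
    exp = expected.strip()
    return exp == fps["sha256"] or exp.lower() == fps["md5"].lower()


# Constructed demo key: 32 placeholder bytes standing in for an ed25519 point (not a real key).
SAMPLE_BLOB = build_blob("ssh-ed25519", bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " demo@example"

if __name__ == "__main__":
    fps = both_fingerprints(SAMPLE_LINE)
    print(f"{fps['type']} key fingerprint is {fps['sha256']}.")
    print(f"{fps['type']} key fingerprint is {fps['md5']}.")
```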

Comment 2 Fedora Update System 2015-08-19 14:55:29 UTC
openssh-7.0p1-2.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/openssh-7.0p1-2.fc23

Comment 3 Fedora Update System 2015-08-22 02:51:27 UTC
openssh-6.9p1-6.fc22.1 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update openssh'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13814

Comment 4 Fedora Update System 2015-08-22 16:26:02 UTC
openssh-7.0p1-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update openssh'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/openssh-7.0p1-2.fc23

Comment 5 Fedora Update System 2015-08-23 22:20:00 UTC
openssh-7.1p1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update openssh'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13999

Comment 6 Fedora Update System 2015-08-26 04:32:37 UTC
openssh-7.1p1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-09-01 23:22:42 UTC
openssh-6.9p1-6.fc22.1 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

