Posted to dev@mina.apache.org by "Goldstein Lyor (JIRA)" <ji...@apache.org> on 2015/11/15 14:00:12 UTC

[jira] [Commented] (SSHD-586) openssh compliant public key fingerprint

    [ https://issues.apache.org/jira/browse/SSHD-586?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15005877#comment-15005877 ] 

Goldstein Lyor commented on SSHD-586:
-------------------------------------

According to [RFC4716 - Key fingerprints|https://tools.ietf.org/html/rfc4716#page-6]:
{quote}
The fingerprint of a public key consists of the output of the MD5 message-digest algorithm. For example: "c1:b1:30:29:d7:b8:de:6c:97:77:10:d7:46:41:63:87"
{quote}

* As far as generating a non-MD5 fingerprint, the _KeyUtils_ class provides such a method - the one you indicated - which does not add the name of the digest.
* As far as formatting - the most I can do is suggest adding a system property that controls the default used fingerprint digest as well as its format. If you wish to undertake this task, please submit a patch.

> openssh compliant public key fingerprint
> ----------------------------------------
>
>                 Key: SSHD-586
>                 URL: https://issues.apache.org/jira/browse/SSHD-586
>             Project: MINA SSHD
>          Issue Type: Improvement
>    Affects Versions: 1.1.0
>            Reporter: Alon Bar-Lev
>
> Hello,
> The apache-sshd always assumes the fingerprint is a ':'-separated hex string.
> The openssh public key fingerprint differs, however; here are some examples:
> $ ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub 
> 2048 MD5:1f:b0:db:4b:48:6d:e2:0c:9e:18:a6:88:c9:be:f9:5f alonbl@localhost (RSA)
> $ ssh-keygen -l -E sha1 -f ~/.ssh/id_rsa.pub 
> 2048 SHA1:aKxMeaFsKNkuHurHCTZ1scdJ7Pc alonbl@localhost (RSA)
> $ ssh-keygen -l -E sha512 -f ~/.ssh/id_rsa.pub 
> 2048 SHA512:U4X0Iw3sF+2Hgc0Y78R/6uUw/goG9X2SPFEmsG4yW/EkDFNJtzRMX4/jUawmQMSWSaQdnv3yOO4AItNgLgePdw alonbl@localhost (RSA)
> $ ssh root@10.35.0.71
> The authenticity of host '10.35.0.71 (10.35.0.71)' can't be established.
> ECDSA key fingerprint is SHA256:G2GAthRObSnT13jBb7bKl2P0Tf8ucuEqXaYJOdfqHUA.
> Are you sure you want to continue connecting (yes/no)? 
> Old format without a prefix: 1f:b0:db:4b:48:6d:e2:0c:9e:18:a6:88:c9:be:f9:5f is considered md5.
> New format with digest: prefix for md5 keeps the hex string.
> Any other digest will have base64 encoded digest value.
> It would be nice if KeyUtils.getFingerPrint(Digest d, PublicKey key) complied with the above, so that the fingerprint can be presented to the user and the user will be able to compare it visually to the expected value.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
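
The two fingerprint formats discussed in this thread, as an added Python example that is not part of the original messages and is not MINA SSHD code. The function names are hypothetical and the sample key is constructed; the example goes slightly beyond the request by also parsing a presented fingerprint in either format, treating unprefixed hex as MD5.

```python
import base64
import hashlib
import hmac
import struct

PREFIXES = ("MD5", "SHA1", "SHA256", "SHA384", "SHA512")

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH wire format: uint32 length + bytes

# Constructed sample key (not a real key): type name plus 32 arbitrary bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " demo@example"

def key_blob(pubkey_line: str) -> bytes:
    """Decode the key blob from a '<type> <base64> [comment]' public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if not blob.startswith(ssh_string(fields[0].encode())):
        raise ValueError("key type does not match the encoded blob")
    return blob

def fingerprint(pubkey_line: str, digest: str = "sha256") -> str:
    """MD5 -> 'MD5:' + colon-separated hex; other digests -> 'NAME:' + unpadded base64."""
    raw = hashlib.new(digest.lower(), key_blob(pubkey_line)).digest()
    if digest.lower() == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in raw)
    return digest.upper() + ":" + base64.b64encode(raw).decode().rstrip("=")

def parse_fingerprint(text: str):
    """Return (digest name, raw digest bytes); a value without a prefix is legacy MD5 hex."""
    text = text.strip()
    name, sep, value = text.partition(":")
    if not sep or name.upper() not in PREFIXES:
        name, value = "MD5", text
    if name.upper() == "MD5":
        return "md5", bytes.fromhex(value.replace(":", ""))
    return name.lower(), base64.b64decode(value + "=" * (-len(value) % 4))

def matches(pubkey_line: str, expected: str) -> bool:
    """Compare a key against an expected fingerprint given in either format."""
    digest, want = parse_fingerprint(expected)
    got = hashlib.new(digest, key_blob(pubkey_line)).digest()
    return hmac.compare_digest(got, want)
```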