rpms / openssh

Clone
Source Code
GIT

Files

86_addmissingnb f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fix_f38_terrapin fix_f39_terrapin gsskexfix main master-future openssh85286 openssh96_rebase_combined openssh_96rebase openssh_rebase_90to93 openssh_rebase_90to93_cont openssh_rebase_90to93_fin private-controlpersist-4_3p2-9-branch private-master-vanilla private-openssh-4_5p1-6-controlpersist-branch rawhide sshkeysign_fix
  1.   f19
  2.   openssh-6.2p1-fingerprint.patch
Blob Blame History Raw 
diff -up openssh-6.2p1/auth2-hostbased.c.fingerprint openssh-6.2p1/auth2-hostbased.c
--- openssh-6.2p1/auth2-hostbased.c.fingerprint	2010-08-05 05:04:50.000000000 +0200
+++ openssh-6.2p1/auth2-hostbased.c	2013-03-22 12:20:49.009685008 +0100
@@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw,
 
 	if (host_status == HOST_OK) {
 		if (key_is_cert(key)) {
-			fp = key_fingerprint(key->cert->signature_key,
-			    SSH_FP_MD5, SSH_FP_HEX);
+			fp = key_selected_fingerprint(key->cert->signature_key,
+			    SSH_FP_HEX);
 			verbose("Accepted certificate ID \"%s\" signed by "
-			    "%s CA %s from %s@%s", key->cert->key_id,
-			    key_type(key->cert->signature_key), fp,
+			    "%s CA %s%s from %s@%s", key->cert->key_id,
+			    key_type(key->cert->signature_key),
+			    key_fingerprint_prefix(), fp,
 			    cuser, lookup);
 		} else {
-			fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-			verbose("Accepted %s public key %s from %s@%s",
-			    key_type(key), fp, cuser, lookup);
+			fp = key_selected_fingerprint(key, SSH_FP_HEX);
+			verbose("Accepted %s public key %s%s from %s@%s",
+			    key_type(key), key_fingerprint_prefix(),
+			    fp, cuser, lookup);
 		}
 		xfree(fp);
 	}
diff -up openssh-6.2p1/auth2-pubkey.c.fingerprint openssh-6.2p1/auth2-pubkey.c
--- openssh-6.2p1/auth2-pubkey.c.fingerprint	2013-02-15 00:28:56.000000000 +0100
+++ openssh-6.2p1/auth2-pubkey.c	2013-03-22 12:20:49.009685008 +0100
@@ -317,10 +317,10 @@ check_authkeys_file(FILE *f, char *file,
 				continue;
 			if (!key_is_cert_authority)
 				continue;
-			fp = key_fingerprint(found, SSH_FP_MD5,
-			    SSH_FP_HEX);
-			debug("matching CA found: file %s, line %lu, %s %s",
-			    file, linenum, key_type(found), fp);
+			fp = key_selected_fingerprint(found, SSH_FP_HEX);
+			debug("matching CA found: file %s, line %lu, %s %s%s",
+			    file, linenum, key_type(found),
+			    key_fingerprint_prefix(), fp);
 			/*
 			 * If the user has specified a list of principals as
 			 * a key option, then prefer that list to matching
@@ -360,9 +360,9 @@ check_authkeys_file(FILE *f, char *file,
 			found_key = 1;
 			debug("matching key found: file %s, line %lu",
 			    file, linenum);
-			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
-			verbose("Found matching %s key: %s",
-			    key_type(found), fp);
+			fp = key_selected_fingerprint(found, SSH_FP_HEX);
+			verbose("Found matching %s key: %s%s",
+			    key_type(found), key_fingerprint_prefix(), fp);
 			xfree(fp);
 			break;
 		}
@@ -384,13 +384,13 @@ user_cert_trusted_ca(struct passwd *pw,
 	if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
 		return 0;
 
-	ca_fp = key_fingerprint(key->cert->signature_key,
-	    SSH_FP_MD5, SSH_FP_HEX);
+	ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
 
 	if (key_in_file(key->cert->signature_key,
 	    options.trusted_user_ca_keys, 1) != 1) {
-		debug2("%s: CA %s %s is not listed in %s", __func__,
-		    key_type(key->cert->signature_key), ca_fp,
+		debug2("%s: CA %s%s %s is not listed in %s", __func__,
+		    key_type(key->cert->signature_key),
+		    key_fingerprint_prefix(), ca_fp,
 		    options.trusted_user_ca_keys);
 		goto out;
 	}
diff -up openssh-6.2p1/auth.c.fingerprint openssh-6.2p1/auth.c
--- openssh-6.2p1/auth.c.fingerprint	2013-03-12 01:31:05.000000000 +0100
+++ openssh-6.2p1/auth.c	2013-03-22 12:22:32.515230386 +0100
@@ -663,9 +663,10 @@ auth_key_is_revoked(Key *key)
 	case 1:
  revoked:
 		/* Key revoked */
-		key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+		key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
 		error("WARNING: authentication attempt with a revoked "
-		    "%s key %s ", key_type(key), key_fp);
+		    "%s key %s%s ", key_type(key),
+		    key_fingerprint_prefix(), key_fp);
 		xfree(key_fp);
 		return 1;
 	}
diff -up openssh-6.2p1/auth-rsa.c.fingerprint openssh-6.2p1/auth-rsa.c
--- openssh-6.2p1/auth-rsa.c.fingerprint	2012-10-30 22:58:59.000000000 +0100
+++ openssh-6.2p1/auth-rsa.c	2013-03-22 12:20:49.011684999 +0100
@@ -328,9 +328,9 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli
 	 * options; this will be reset if the options cause the
 	 * authentication to be rejected.
 	 */
-	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-	verbose("Found matching %s key: %s",
-	    key_type(key), fp);
+	fp = key_selected_fingerprint(key, SSH_FP_HEX);
+	verbose("Found matching %s key: %s%s",
+	    key_type(key), key_fingerprint_prefix(), fp);
 	xfree(fp);
 	key_free(key);
 
diff -up openssh-6.2p1/key.c.fingerprint openssh-6.2p1/key.c
--- openssh-6.2p1/key.c.fingerprint	2013-03-22 12:20:48.971685175 +0100
+++ openssh-6.2p1/key.c	2013-03-22 12:20:49.012684995 +0100
@@ -599,6 +599,34 @@ key_fingerprint(Key *k, enum fp_type dgs
 	return retval;
 }
 
+enum fp_type
+key_fingerprint_selection(void)
+{
+	static enum fp_type rv;
+	static char rv_defined = 0;
+	char *env;
+
+	if (!rv_defined) {
+		env = getenv("SSH_FINGERPRINT_TYPE");
+		rv = (env && !strcmp (env, "sha")) ?
+			SSH_FP_SHA1 : SSH_FP_MD5;
+		rv_defined = 1;
+	}
+	return rv;
+}
+
+char *
+key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
+{
+	return key_fingerprint(k, key_fingerprint_selection(), dgst_rep);
+}
+
+char *
+key_fingerprint_prefix(void)
+{
+	return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : "";
+}
+
 /*
  * Reads a multiple-precision integer in decimal from the buffer, and advances
  * the pointer.  The integer must already be initialized.  This function is
diff -up openssh-6.2p1/key.h.fingerprint openssh-6.2p1/key.h
--- openssh-6.2p1/key.h.fingerprint	2013-01-18 01:44:05.000000000 +0100
+++ openssh-6.2p1/key.h	2013-03-22 12:23:35.308954528 +0100
@@ -97,6 +97,9 @@ int		 key_equal_public(const Key *, cons
 int		 key_equal(const Key *, const Key *);
 char		*key_fingerprint(Key *, enum fp_type, enum fp_rep);
 u_char		*key_fingerprint_raw(const Key *, enum fp_type, u_int *);
+enum fp_type	 key_fingerprint_selection(void);
+char		*key_selected_fingerprint(Key *, enum fp_rep);
+char		*key_fingerprint_prefix(void);
 const char	*key_type(const Key *);
 const char	*key_cert_type(const Key *);
 int		 key_write(const Key *, FILE *);
diff -up openssh-6.2p1/ssh-add.c.fingerprint openssh-6.2p1/ssh-add.c
--- openssh-6.2p1/ssh-add.c.fingerprint	2012-12-07 03:07:03.000000000 +0100
+++ openssh-6.2p1/ssh-add.c	2013-03-22 12:20:49.029684920 +0100
@@ -326,10 +326,10 @@ list_identities(AuthenticationConnection
 		    key = ssh_get_next_identity(ac, &comment, version)) {
 			had_identities = 1;
 			if (do_fp) {
-				fp = key_fingerprint(key, SSH_FP_MD5,
-				    SSH_FP_HEX);
-				printf("%d %s %s (%s)\n",
-				    key_size(key), fp, comment, key_type(key));
+				fp = key_selected_fingerprint(key, SSH_FP_HEX);
+				printf("%d %s%s %s (%s)\n",
+				    key_size(key), key_fingerprint_prefix(),
+				    fp, comment, key_type(key));
 				xfree(fp);
 			} else {
 				if (!key_write(key, stdout))
diff -up openssh-6.2p1/ssh-agent.c.fingerprint openssh-6.2p1/ssh-agent.c
--- openssh-6.2p1/ssh-agent.c.fingerprint	2013-03-22 12:20:48.979685140 +0100
+++ openssh-6.2p1/ssh-agent.c	2013-03-22 12:20:49.030684916 +0100
@@ -199,9 +199,9 @@ confirm_key(Identity *id)
 	char *p;
 	int ret = -1;
 
-	p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
-	if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
-	    id->comment, p))
+	p = key_selected_fingerprint(id->key, SSH_FP_HEX);
+	if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.",
+	    id->comment, key_fingerprint_prefix(), p))
 		ret = 0;
 	xfree(p);
 
diff -up openssh-6.2p1/sshconnect2.c.fingerprint openssh-6.2p1/sshconnect2.c
--- openssh-6.2p1/sshconnect2.c.fingerprint	2013-03-20 02:55:15.000000000 +0100
+++ openssh-6.2p1/sshconnect2.c	2013-03-22 12:20:49.031684912 +0100
@@ -592,8 +592,9 @@ input_userauth_pk_ok(int type, u_int32_t
 		    key->type, pktype);
 		goto done;
 	}
-	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-	debug2("input_userauth_pk_ok: fp %s", fp);
+	fp = key_selected_fingerprint(key, SSH_FP_HEX);
+	debug2("input_userauth_pk_ok: fp %s%s",
+	    key_fingerprint_prefix(), fp);
 	xfree(fp);
 
 	/*
@@ -1205,8 +1206,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
 	int have_sig = 1;
 	char *fp;
 
-	fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
-	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
+	fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
+	debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
+	    key_fingerprint_prefix(), fp);
 	xfree(fp);
 
 	if (key_to_blob(id->key, &blob, &bloblen) == 0) {
diff -up openssh-6.2p1/sshconnect.c.fingerprint openssh-6.2p1/sshconnect.c
--- openssh-6.2p1/sshconnect.c.fingerprint	2012-09-17 05:25:44.000000000 +0200
+++ openssh-6.2p1/sshconnect.c	2013-03-22 12:20:49.032684907 +0100
@@ -824,10 +824,10 @@ check_host_key(char *hostname, struct so
 				    "key for IP address '%.128s' to the list "
 				    "of known hosts.", type, ip);
 		} else if (options.visual_host_key) {
-			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-			ra = key_fingerprint(host_key, SSH_FP_MD5,
-			    SSH_FP_RANDOMART);
-			logit("Host key fingerprint is %s\n%s\n", fp, ra);
+			fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+			ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
+			logit("Host key fingerprint is %s%s\n%s\n",
+			    key_fingerprint_prefix(), fp, ra);
 			xfree(ra);
 			xfree(fp);
 		}
@@ -865,9 +865,8 @@ check_host_key(char *hostname, struct so
 			else
 				snprintf(msg1, sizeof(msg1), ".");
 			/* The default */
-			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-			ra = key_fingerprint(host_key, SSH_FP_MD5,
-			    SSH_FP_RANDOMART);
+			fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+			ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
 			msg2[0] = '\0';
 			if (options.verify_host_key_dns) {
 				if (matching_host_key_dns)
@@ -882,10 +881,11 @@ check_host_key(char *hostname, struct so
 			snprintf(msg, sizeof(msg),
 			    "The authenticity of host '%.200s (%s)' can't be "
 			    "established%s\n"
-			    "%s key fingerprint is %s.%s%s\n%s"
+			    "%s key fingerprint is %s%s.%s%s\n%s"
 			    "Are you sure you want to continue connecting "
 			    "(yes/no)? ",
-			    host, ip, msg1, type, fp,
+			    host, ip, msg1, type,
+			    key_fingerprint_prefix(), fp,
 			    options.visual_host_key ? "\n" : "",
 			    options.visual_host_key ? ra : "",
 			    msg2);
@@ -1130,8 +1130,9 @@ verify_host_key(char *host, struct socka
 	int flags = 0;
 	char *fp;
 
-	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-	debug("Server host key: %s %s", key_type(host_key), fp);
+	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+	debug("Server host key: %s %s%s", key_type(host_key),
+	    key_fingerprint_prefix(), fp);
 	xfree(fp);
 
 	/* XXX certs are not yet supported for DNS */
@@ -1232,14 +1233,15 @@ show_other_keys(struct hostkeys *hostkey
 			continue;
 		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
 			continue;
-		fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
-		ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
+		fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
+		ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
 		logit("WARNING: %s key found for host %s\n"
 		    "in %s:%lu\n"
-		    "%s key fingerprint %s.",
+		    "%s key fingerprint %s%s.",
 		    key_type(found->key),
 		    found->host, found->file, found->line,
-		    key_type(found->key), fp);
+		    key_type(found->key),
+		    key_fingerprint_prefix(), fp);
 		if (options.visual_host_key)
 			logit("%s", ra);
 		xfree(ra);
@@ -1254,7 +1256,7 @@ warn_changed_key(Key *host_key)
 {
 	char *fp;
 
-	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
 
 	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
 	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
@@ -1262,8 +1264,8 @@ warn_changed_key(Key *host_key)
 	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
 	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
 	error("It is also possible that a host key has just been changed.");
-	error("The fingerprint for the %s key sent by the remote host is\n%s.",
-	    key_type(host_key), fp);
+	error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
+	    key_type(host_key),key_fingerprint_prefix(),  fp);
 	error("Please contact your system administrator.");
 
 	xfree(fp);
diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c
--- openssh-6.2p1/ssh-keygen.c.fingerprint	2013-02-12 01:03:36.000000000 +0100
+++ openssh-6.2p1/ssh-keygen.c	2013-03-22 12:20:49.033684903 +0100
@@ -767,13 +767,14 @@ do_fingerprint(struct passwd *pw)
 {
 	FILE *f;
 	Key *public;
-	char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
+	char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra, *pfx;
 	int i, skip = 0, num = 0, invalid = 1;
 	enum fp_rep rep;
 	enum fp_type fptype;
 	struct stat st;
 
-	fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+	fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
+	pfx =	 print_bubblebabble ? "" : key_fingerprint_prefix();
 	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
 
 	if (!have_identity)
@@ -785,8 +786,8 @@ do_fingerprint(struct passwd *pw)
 	public = key_load_public(identity_file, &comment);
 	if (public != NULL) {
 		fp = key_fingerprint(public, fptype, rep);
-		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
-		printf("%u %s %s (%s)\n", key_size(public), fp, comment,
+		ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
+		printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, comment,
 		    key_type(public));
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
 			printf("%s\n", ra);
@@ -851,8 +852,8 @@ do_fingerprint(struct passwd *pw)
 		}
 		comment = *cp ? cp : comment;
 		fp = key_fingerprint(public, fptype, rep);
-		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
-		printf("%u %s %s (%s)\n", key_size(public), fp,
+		ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
+		printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp,
 		    comment ? comment : "no comment", key_type(public));
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
 			printf("%s\n", ra);
@@ -970,13 +971,15 @@ printhost(FILE *f, const char *name, Key
 	if (print_fingerprint) {
 		enum fp_rep rep;
 		enum fp_type fptype;
-		char *fp, *ra;
+		char *fp, *ra, *pfx;
 
-		fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+		fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
+		pfx =	 print_bubblebabble ? "" : key_fingerprint_prefix();
 		rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
+
 		fp = key_fingerprint(public, fptype, rep);
-		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
-		printf("%u %s %s (%s)\n", key_size(public), fp, name,
+		ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
+		printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, name,
 		    key_type(public));
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
 			printf("%s\n", ra);
@@ -1854,16 +1857,17 @@ do_show_cert(struct passwd *pw)
 		fatal("%s is not a certificate", identity_file);
 	v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
 
-	key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-	ca_fp = key_fingerprint(key->cert->signature_key,
-	    SSH_FP_MD5, SSH_FP_HEX);
+	key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
+	ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
 
 	printf("%s:\n", identity_file);
 	printf("        Type: %s %s certificate\n", key_ssh_name(key),
 	    key_cert_type(key));
-	printf("        Public key: %s %s\n", key_type(key), key_fp);
-	printf("        Signing CA: %s %s\n",
-	    key_type(key->cert->signature_key), ca_fp);
+	printf("        Public key: %s %s%s\n", key_type(key),
+	    key_fingerprint_prefix(), key_fp);
+	printf("        Signing CA: %s %s%s\n",
+	    key_type(key->cert->signature_key),
+	    key_fingerprint_prefix(), ca_fp);
 	printf("        Key ID: \"%s\"\n", key->cert->key_id);
 	if (!v00) {
 		printf("        Serial: %llu\n",
@@ -2651,13 +2655,12 @@ passphrase_again:
 	fclose(f);
 
 	if (!quiet) {
-		char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
-		char *ra = key_fingerprint(public, SSH_FP_MD5,
-		    SSH_FP_RANDOMART);
+		char *fp = key_selected_fingerprint(public, SSH_FP_HEX);
+		char *ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
 		printf("Your public key has been saved in %s.\n",
 		    identity_file);
 		printf("The key fingerprint is:\n");
-		printf("%s %s\n", fp, comment);
+		printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
 		printf("The key's randomart image is:\n");
 		printf("%s\n", ra);
 		xfree(ra);
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.