
Bug#788783: openssh-client: uses MD5 for key fingerprints



On Sun, Jun 14, 2015 at 11:11:36PM +0000, brian m. carlson wrote:
> ssh-keygen and ssh itself are using MD5 for fingerprints:
> 
>   vauxhall ok % ssh-keygen -l -f ~/.ssh/id_rsa.pub
>   2048 9d:24:66:6e:37:8c:48:0f:28:1e:ba:36:b7:e3:47:e4 /home/bmc/.ssh/id_rsa.pub (RSA)
>   vauxhall ok % awk '{print $2}' ~/.ssh/id_rsa.pub| base64 -d | md5sum
>   9d24666e378c480f281eba36b7e347e4  -
> 
> MD5 is not suitable for any application requiring collision resistance,
> such as a key fingerprint.  Please switch to one of the SHA-2 values
> instead,

I hope it's clear that it would be a terrible idea to do this entirely
independently in Debian.

> or upgrade to OpenSSH 6.8, which fixes this problem.

I'm working on this.  The GSSAPI key exchange patch requires significant
work to handle the large internal refactoring that took place in 6.8, so
it's not entirely a quick process, I'm afraid, but it's pretty much at
the top of my Debian list.

-- 
Colin Watson                                       [cjwatson@debian.org]
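
Added example, not part of the original message and not OpenSSH code: it computes the legacy colon-separated MD5 fingerprint that the quoted `md5sum` pipeline reproduces, alongside the `SHA256:` base64 form that OpenSSH 6.8 and later print by default. The function names are hypothetical and the key is a constructed sample, not a real key.

```python
import base64
import hashlib
import struct


def parse_pubkey_line(line):
    """Split 'type base64-blob [comment]' and return (key_type, raw blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64-blob [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type. Check it
    # so a truncated or mismatched line is rejected rather than hashed.
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match blob")
    return key_type, blob


def md5_fingerprint(blob):
    """Legacy form: MD5 of the raw blob as 16 colon-separated hex bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob):
    """Newer form: 'SHA256:' + base64 of the digest, '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def constructed_key_line():
    """Constructed sample: ed25519-shaped blob with placeholder key bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(constructed_key_line())
    print(key_type, md5_fingerprint(blob))
    print(key_type, sha256_fingerprint(blob))
```

On OpenSSH 6.8 and later, `ssh-keygen -l -E md5 -f key.pub` and `ssh-keygen -l -E sha256 -f key.pub` print the two forms for comparison against a real key.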

