Bug#788783: openssh-client: uses MD5 for key fingerprints

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#788783: openssh-client: uses MD5 for key fingerprints
From: "brian m. carlson" <sandals@crustytoothpaste.net>
Date: Sun, 14 Jun 2015 23:11:36 +0000
Message-id: <[🔎] 20150614231134.GA717144@vauxhall.crustytoothpaste.net>
Reply-to: "brian m. carlson" <sandals@crustytoothpaste.net>, 788783@bugs.debian.org

Package: openssh-client
Version: 1:6.7p1-6
Severity: grave
Tags: security

ssh-keygen and ssh itself are using MD5 for fingerprints:

  vauxhall ok % ssh-keygen -l -f ~/.ssh/id_rsa.pub
  2048 9d:24:66:6e:37:8c:48:0f:28:1e:ba:36:b7:e3:47:e4 /home/bmc/.ssh/id_rsa.pub (RSA)
  vauxhall ok % awk '{print $2}' ~/.ssh/id_rsa.pub| base64 -d | md5sum
  9d24666e378c480f281eba36b7e347e4  -

MD5 is not suitable for any application requiring collision resistance,
such as a key fingerprint.  Please switch to one of the SHA-2 values
instead, or upgrade to OpenSSH 6.8, which fixes this problem.

This is in fact a security vulnerability, since if the attacker
generates a valid RSA private key, they can generate an arbitrary e
(even if it is inefficient) and d, since they know p and q.  As a
result, they have significant freedom to generate a key whose
fingerprint collides with another given key, and therefore perform an
MITM attack on first use.  It is not a help that the length of the value
is prepended, since there are more than enough bits to allow any valid
length to be chosen.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.18.1
ii  libc6             2.19-18
ii  libedit2          3.1-20150325-1
ii  libgssapi-krb5-2  1.12.1+dfsg-20
ii  libselinux1       2.3-2
ii  libssl1.0.0       1.0.2c-1
ii  passwd            1:4.2-3
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain                         <none>
pn  libpam-ssh                       <none>
pn  monkeysphere                     <none>
ii  ssh-askpass-gnome [ssh-askpass]  1:6.7p1-6

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Bug#788783: openssh-client: uses MD5 for key fingerprints
  - From: Colin Watson <cjwatson@debian.org>
- Bug#788783: openssh-client: uses MD5 for key fingerprints
  - From: Mark Wooding <mdw@distorted.org.uk>

Prev by Date: Bug#788745: systemd user unit to start ssh-agent
Next by Date: Bug#788783: openssh-client: uses MD5 for key fingerprints
Previous by thread: Bug#788745: systemd user unit to start ssh-agent
Next by thread: Bug#788783: openssh-client: uses MD5 for key fingerprints
Index(es):
- Date
- Thread