Your message dated Fri, 21 Feb 2020 12:47:57 +0000 with message-id <20200221124757.GA31258@riva.ucam.org> and subject line "Re: Bug#788783: openssh-client: uses MD5 for key fingerprints" has caused the Debian Bug report #788783, regarding "openssh-client: uses MD5 for key fingerprints", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
788783: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788783
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: openssh-client: uses MD5 for key fingerprints
- From: "brian m. carlson" <sandals@crustytoothpaste.net>
- Date: Sun, 14 Jun 2015 23:11:36 +0000
- Message-id: <20150614231134.GA717144@vauxhall.crustytoothpaste.net>
Package: openssh-client
Version: 1:6.7p1-6
Severity: grave
Tags: security

ssh-keygen and ssh itself are using MD5 for fingerprints:

    vauxhall ok % ssh-keygen -l -f ~/.ssh/id_rsa.pub
    2048 9d:24:66:6e:37:8c:48:0f:28:1e:ba:36:b7:e3:47:e4 /home/bmc/.ssh/id_rsa.pub (RSA)
    vauxhall ok % awk '{print $2}' ~/.ssh/id_rsa.pub | base64 -d | md5sum
    9d24666e378c480f281eba36b7e347e4 -

MD5 is not suitable for any application requiring collision resistance, such as a key fingerprint. Please switch to one of the SHA-2 values instead, or upgrade to OpenSSH 6.8, which fixes this problem.

This is in fact a security vulnerability, since if the attacker generates a valid RSA private key, they can generate an arbitrary e (even if it is inefficient) and d, since they know p and q. As a result, they have significant freedom to generate a key whose fingerprint collides with another given key, and therefore perform an MITM attack on first use. It is not a help that the length of the value is prepended, since there are more than enough bits to allow any valid length to be chosen.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.18.1
ii  libc6             2.19-18
ii  libedit2          3.1-20150325-1
ii  libgssapi-krb5-2  1.12.1+dfsg-20
ii  libselinux1       2.3-2
ii  libssl1.0.0       1.0.2c-1
ii  passwd            1:4.2-3
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain                          <none>
pn  libpam-ssh                        <none>
pn  monkeysphere                      <none>
ii  ssh-askpass-gnome [ssh-askpass]   1:6.7p1-6

-- no debconf information

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc (Description: Digital signature)
--- End Message ---
--- Begin Message ---
- To: 788783-done@bugs.debian.org
- Subject: Re: Bug#788783: openssh-client: uses MD5 for key fingerprints
- From: Colin Watson <cjwatson@debian.org>
- Date: Fri, 21 Feb 2020 12:47:57 +0000
- Message-id: <20200221124757.GA31258@riva.ucam.org>
- In-reply-to: <20150614231134.GA717144@vauxhall.crustytoothpaste.net>
- References: <20150614231134.GA717144@vauxhall.crustytoothpaste.net>
Source: openssh
Source-Version: 1:6.9p1-1

On Sun, Jun 14, 2015 at 11:11:36PM +0000, brian m. carlson wrote:
> ssh-keygen and ssh itself are using MD5 for fingerprints:
>
> vauxhall ok % ssh-keygen -l -f ~/.ssh/id_rsa.pub
> 2048 9d:24:66:6e:37:8c:48:0f:28:1e:ba:36:b7:e3:47:e4 /home/bmc/.ssh/id_rsa.pub (RSA)
> vauxhall ok % awk '{print $2}' ~/.ssh/id_rsa.pub | base64 -d | md5sum
> 9d24666e378c480f281eba36b7e347e4 -
>
> MD5 is not suitable for any application requiring collision resistance,
> such as a key fingerprint. Please switch to one of the SHA-2 values
> instead, or upgrade to OpenSSH 6.8, which fixes this problem.

As you note, this was fixed in OpenSSH 6.8, which I packaged some years ago, but apparently forgot to close this bug.

  - Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
    command-line flags to the other tools to control algorithm used for
    key fingerprints. The default changes from MD5 to SHA256 and format
    from hex to base64. Fingerprints now have the hash algorithm
    prepended. An example of the new format:
    SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
    Please note that visual host keys will also be different.

Thanks,

--
Colin Watson [cjwatson@debian.org]
--- End Message ---
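Both messages above turn on what an SSH key fingerprint actually is: a hash over the base64-decoded public-key blob, which the bug report reproduces with `base64 -d | md5sum` and which OpenSSH 6.8 changed from colon-separated hex MD5 to `SHA256:` followed by unpadded base64. The following is an added example, not code from either message or from OpenSSH, that computes both formats over a public-key line so an administrator can match an old MD5 fingerprint in a known_hosts record or ticket against the SHA256 form a current client prints. The key line is constructed inline with a tiny modulus purely for illustration; the function names are the example's own.

```python
import base64
import hashlib
import struct
from typing import Dict, Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # leading zero keeps the two's-complement value positive
    return ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """Build the blob an 'ssh-rsa' line carries: string type, mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Split 'type base64-blob [comment]' and return (type, raw blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    # The blob begins with its own key-type string; it must agree with the text field.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != parts[0].encode():
        raise ValueError("key type inside blob does not match the text field")
    return parts[0], blob


def md5_fingerprint(blob: bytes) -> str:
    """Legacy (pre-6.8) format: hex MD5 digest with a colon between bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH 6.8+ default: 'SHA256:' plus base64 of the digest with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints_for_line(line: str) -> Dict[str, str]:
    """Return the key type and both fingerprint forms for one public-key line."""
    key_type, blob = parse_pubkey_line(line)
    return {
        "type": key_type,
        "MD5": md5_fingerprint(blob),
        "SHA256": sha256_fingerprint(blob),
    }


# Constructed sample key (hypothetical, far too small to be a real key).
SAMPLE_E = 65537
SAMPLE_N = 0xC0FFEE1234567890ABCDEF
SAMPLE_LINE = (
    "ssh-rsa "
    + base64.b64encode(build_rsa_blob(SAMPLE_E, SAMPLE_N)).decode()
    + " sample@example"
)


if __name__ == "__main__":
    for name, value in fingerprints_for_line(SAMPLE_LINE).items():
        print(f"{name}: {value}")
```

Feeding a real `~/.ssh/id_rsa.pub` line to `fingerprints_for_line` reproduces what `ssh-keygen -l -E md5` and `ssh-keygen -l` (SHA256 default) print for the same key, which is the mapping needed when reconciling records made before and after the format change.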