
Bug#788783: marked as done (openssh-client: uses MD5 for key fingerprints)



Your message dated Fri, 21 Feb 2020 12:47:57 +0000
with message-id <20200221124757.GA31258@riva.ucam.org>
and subject line Re: Bug#788783: openssh-client: uses MD5 for key fingerprints
has caused the Debian Bug report #788783,
regarding openssh-client: uses MD5 for key fingerprints
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
788783: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788783
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:6.7p1-6
Severity: grave
Tags: security

ssh-keygen and ssh itself are using MD5 for fingerprints:

  vauxhall ok % ssh-keygen -l -f ~/.ssh/id_rsa.pub
  2048 9d:24:66:6e:37:8c:48:0f:28:1e:ba:36:b7:e3:47:e4 /home/bmc/.ssh/id_rsa.pub (RSA)
  vauxhall ok % awk '{print $2}' ~/.ssh/id_rsa.pub| base64 -d | md5sum
  9d24666e378c480f281eba36b7e347e4  -

MD5 is not suitable for any application requiring collision resistance,
such as a key fingerprint.  Please switch to one of the SHA-2 values
instead, or upgrade to OpenSSH 6.8, which fixes this problem.

This is in fact a security vulnerability, since if the attacker
generates a valid RSA private key, they can generate an arbitrary e
(even if it is inefficient) and d, since they know p and q.  As a
result, they have significant freedom to generate a key whose
fingerprint collides with another given key, and therefore perform an
MITM attack on first use.  It is not a help that the length of the value
is prepended, since there are more than enough bits to allow any valid
length to be chosen.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.18.1
ii  libc6             2.19-18
ii  libedit2          3.1-20150325-1
ii  libgssapi-krb5-2  1.12.1+dfsg-20
ii  libselinux1       2.3-2
ii  libssl1.0.0       1.0.2c-1
ii  passwd            1:4.2-3
ii  zlib1g            1:1.2.8.dfsg-2+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.9-1

Versions of packages openssh-client suggests:
pn  keychain                         <none>
pn  libpam-ssh                       <none>
pn  monkeysphere                     <none>
ii  ssh-askpass-gnome [ssh-askpass]  1:6.7p1-6

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187



--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:6.9p1-1

On Sun, Jun 14, 2015 at 11:11:36PM +0000, brian m. carlson wrote:
> ssh-keygen and ssh itself are using MD5 for fingerprints:
> 
>   vauxhall ok % ssh-keygen -l -f ~/.ssh/id_rsa.pub
>   2048 9d:24:66:6e:37:8c:48:0f:28:1e:ba:36:b7:e3:47:e4 /home/bmc/.ssh/id_rsa.pub (RSA)
>   vauxhall ok % awk '{print $2}' ~/.ssh/id_rsa.pub| base64 -d | md5sum
>   9d24666e378c480f281eba36b7e347e4  -
> 
> MD5 is not suitable for any application requiring collision resistance,
> such as a key fingerprint.  Please switch to one of the SHA-2 values
> instead, or upgrade to OpenSSH 6.8, which fixes this problem.

As you note, this was fixed in OpenSSH 6.8, which I packaged some years
ago, but apparently forgot to close this bug.

    - Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
      command-line flags to the other tools to control algorithm used for
      key fingerprints.  The default changes from MD5 to SHA256 and format
      from hex to base64.
      Fingerprints now have the hash algorithm prepended.  An example of the
      new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
      Please note that visual host keys will also be different.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
