Mailing List Archive

Enforcing sha2 algorithm in ssh-keygen.c
Dear colleagues,

ssh-keygen uses SHA1 algorithm (default) when verifying that the key is
usable. It causes problems on recent systems where SHA1 is disabled for use
with signatures (at least, RHEL 9+).

The proposed patch enforces using a sha2 algorithm for key verification.

--
Dmitry Belyavskiy
Re: Enforcing sha2 algorithm in ssh-keygen.c
Dear colleagues,

Could you please take a look?

On Fri, Jan 20, 2023 at 12:55 PM Dmitry Belyavskiy <dbelyavs@redhat.com> wrote:
>
> Dear colleagues,
>
> ssh-keygen uses SHA1 algorithm (default) when verifying that the key is usable. It causes problems on recent systems where SHA1 is disabled for use with signatures (at least, RHEL 9+).
>
> The proposed patch enforces using a sha2 algorithm for key verification.
>
> --
> Dmitry Belyavskiy



--
Dmitry Belyavskiy

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Enforcing sha2 algorithm in ssh-keygen.c
@Dmitry, you may get more traction by reporting this issue (with patch) at https://www.openssh.com/report.html .

It can also help other folks who may be encountering the same issue.

--
jmk

> On Mar 3, 2023, at 02:10, Dmitry Belyavskiy <dbelyavs@redhat.com> wrote:
>
> Dear colleagues,
>
> Could you please take a look?
>
>> On Fri, Jan 20, 2023 at 12:55 PM Dmitry Belyavskiy <dbelyavs@redhat.com> wrote:
>>
>> Dear colleagues,
>>
>> ssh-keygen uses SHA1 algorithm (default) when verifying that the key is usable. It causes problems on recent systems where SHA1 is disabled for use with signatures (at least, RHEL 9+).
>>
>> The proposed patch enforces using a sha2 algorithm for key verification.
>>
>> --
>> Dmitry Belyavskiy
>
>
>
> --
> Dmitry Belyavskiy
>
Re: Enforcing sha2 algorithm in ssh-keygen.c
Dear Jim,

I created a bug:
https://bugzilla.mindrot.org/show_bug.cgi?id=3546

On Fri, Mar 3, 2023 at 6:42 PM Jim Knoble <jmknoble@pobox.com> wrote:
>
> @Dmitry, you may get more traction by reporting this issue (with patch) at https://www.openssh.com/report.html .
>
> It can also help other folks who may be encountering the same issue.
>
> --
> jmk
>
> > On Mar 3, 2023, at 02:10, Dmitry Belyavskiy <dbelyavs@redhat.com> wrote:
> >
> > Dear colleagues,
> >
> > Could you please take a look?
> >
> >> On Fri, Jan 20, 2023 at 12:55 PM Dmitry Belyavskiy <dbelyavs@redhat.com> wrote:
> >>
> >> Dear colleagues,
> >>
> >> ssh-keygen uses SHA1 algorithm (default) when verifying that the key is usable. It causes problems on recent systems where SHA1 is disabled for use with signatures (at least, RHEL 9+).
> >>
> >> The proposed patch enforces using a sha2 algorithm for key verification.
> >>
> >> --
> >> Dmitry Belyavskiy
> >
> >
> >
> > --
> > Dmitry Belyavskiy
> >



--
Dmitry Belyavskiy
