Details
- Improvement
- Status: Resolved
- Minor
- Resolution: Fixed
- 1.1.0
- None
Description
Hello,
Apache SSHD always assumes the fingerprint is a ':'-separated hex string.
The OpenSSH public key fingerprint differs; here are some examples:
$ ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub
2048 MD5:1f:b0:db:4b:48:6d:e2:0c:9e:18:a6:88:c9:be:f9:5f alonbl@localhost (RSA)
$ ssh-keygen -l -E sha1 -f ~/.ssh/id_rsa.pub
2048 SHA1:aKxMeaFsKNkuHurHCTZ1scdJ7Pc alonbl@localhost (RSA)
$ ssh-keygen -l -E sha512 -f ~/.ssh/id_rsa.pub
2048 SHA512:U4X0Iw3sF+2Hgc0Y78R/6uUw/goG9X2SPFEmsG4yW/EkDFNJtzRMX4/jUawmQMSWSaQdnv3yOO4AItNgLgePdw alonbl@localhost (RSA)
$ ssh root@10.35.0.71
The authenticity of host '10.35.0.71 (10.35.0.71)' can't be established.
ECDSA key fingerprint is SHA256:G2GAthRObSnT13jBb7bKl2P0Tf8ucuEqXaYJOdfqHUA.
Are you sure you want to continue connecting (yes/no)?
The old format without a prefix: 1f:b0:db:4b:48:6d:e2:0c:9e:18:a6:88:c9:be:f9:5f is considered md5.
The new format with a digest: prefix keeps the hex string for md5.
Any other digest will have a base64-encoded digest value.
It would be nice if KeyUtils.getFingerPrint(Digest d, PublicKey key) complied with the above, so that the fingerprint can be presented to the user and the user can compare it visually to the expected value.
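The format rules described in this report, as an added Java example; it is not part of the original report and is not Apache SSHD's code. The class and method names are hypothetical, the key blob is assumed to be the decoded base64 field of a public key line, and the sample blob is constructed.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Locale;

// Added illustration: hypothetical names, not Apache SSHD API.
public class OpenSshFingerprint {
    // Digest of the raw public key blob, rendered the way "ssh-keygen -l -E <alg>" prints it.
    static String fingerprint(String alg, byte[] keyBlob) throws NoSuchAlgorithmException {
        String name = alg.toUpperCase(Locale.ROOT).replace("-", "");   // "sha-256" -> "SHA256"
        String jca = name.startsWith("SHA") ? "SHA-" + name.substring(3) : name; // JCA: "SHA-256"
        byte[] digest = MessageDigest.getInstance(jca).digest(keyBlob);
        if (!name.equals("MD5")) {   // every other digest: base64 with the '=' padding dropped
            return name + ":" + Base64.getEncoder().withoutPadding().encodeToString(digest);
        }
        StringBuilder sb = new StringBuilder("MD5");   // MD5 keeps the ':'-separated hex string
        for (byte b : digest) {
            sb.append(':').append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Checks an expected fingerprint (prefixed, or legacy unprefixed MD5 hex) against a key blob.
    static boolean matches(String expected, byte[] keyBlob) throws NoSuchAlgorithmException {
        String e = expected.trim();
        if (e.matches("(?i)[0-9a-f]{2}(:[0-9a-f]{2}){15}")) e = "MD5:" + e; // no prefix means MD5
        int colon = e.indexOf(':');
        if (colon < 1) return false;                   // no digest name: refuse to match
        String alg = e.substring(0, colon).toUpperCase(Locale.ROOT);
        String value = e.substring(colon + 1);
        if (alg.equals("MD5")) value = value.toLowerCase(Locale.ROOT); // hex ignores case, base64 does not
        byte[] want = (alg + ":" + value).getBytes(StandardCharsets.US_ASCII);
        byte[] have = fingerprint(alg, keyBlob).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(want, have);      // comparison time does not depend on content
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: ssh-ed25519 wire layout carrying an all-zero 32-byte key.
        byte[] blob = ByteBuffer.allocate(51).putInt(11)
                .put("ssh-ed25519".getBytes(StandardCharsets.US_ASCII)).putInt(32).put(new byte[32]).array();
        String md5 = fingerprint("md5", blob);
        System.out.println(md5);
        System.out.println(fingerprint("sha256", blob));
        System.out.println(matches(md5.substring(4), blob)); // legacy form, "MD5:" stripped
    }
}
```

An unsupported digest name in the expected fingerprint surfaces as NoSuchAlgorithmException rather than a silent match.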
Issue Links
- is required by SSHD-598 Use OpenSSH key fingerprint as default one (Resolved)