On 05/31/2018 04:42 PM, Stefan Krusche wrote:
> On Thursday 31 May 2018, Stefan Krusche wrote:
>> Good day everyone,
>>
>> while starting the devuan installer from
>> devuan_ascii_2.0.0-rc_amd64_netinst.iso and initiating to continue with ssh
>> remote install (in graphic expert install mode) the installer showed its
>> fingerprint as SHA256:xxx, which was new to me. It used to be an RSA key
>> fingerprint.
>>
>> Problem: when I try to connect from my other machine, which is a devuan
>> jessie system, to the one I'm gonna set up:
>> ssh installer@192.168.19.3
>> ssh still shows an RSA fingerprint from the installer, so I don't know how
>> to verify it (which was easy with the jessie installer just by looking).
>>
>> Not that I don't trust my own computer here, but I'd like to know if I need
>> a more recent version of ssh or if there's a way to get a visual match or
>> something. Found nothing about SHA256 host keys in man ssh.
>>
>> Can anyone clarify this for me, please?
>>
>
> So, I just found this:
> https://superuser.com/questions/929566/sha256-ssh-fingerprint-given-by-the-client-but-only-md5-fingerprint-known-for-se#929567
> according to which the fingerprint of the sshd server defaults to SHA256 from
> some version on, and I'd expect it to be sent as such to the client.
>
> My older version can't seem to process option "-o FingerprintHash=sha" as
> suggested in the posting on superuser.com to get the SHA256 key fingerprint
> which is shown on the screen of the installer.

Minimum version to see the SHA256 checksum of the key is (according to the
openssh changelog) 6.8/6.8p1 (2015-03-18). Looks like Jessie is 6.7p1.

> Now, I don't know if the RSA key fingerprint of the sshd server of the
> installer, which my ssh client shows, is sent that way from the server
> (should be so, right?) or my ssh client is too old and with a newer one it
> would show the SHA256 key fingerprint like on the installer screen. Maybe
> the installer has to be configured to send SHA256 key fingerprint and it
> isn't?

Neither the server nor the client sends (or expects) a key with a certain
fingerprint hashing scheme -- it's done on the fly (you can see this effect
with the '-o FingerprintHash=' option of newer clients).
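To make the point of the reply concrete: the host key that goes over the wire is the same raw key blob whichever client connects; MD5 (what a 6.7 client prints) and SHA256 (what a 6.8+ client or the installer screen prints) are just two digests of that blob, computed locally. The script below is an added illustration, not part of this thread or of OpenSSH itself. It parses an OpenSSH public-key line, computes both fingerprints in the format ssh/ssh-keygen print them, and so shows how to verify an SHA256 fingerprint from a key an old client has already accepted (for instance the entry in ~/.ssh/known_hosts). The sample ssh-ed25519 key is constructed from arbitrary bytes and is not a real key; the function and variable names are this example's own.

```python
import base64
import hashlib
import struct


def parse_wire_strings(blob: bytes) -> list:
    """Split an SSH wire-format blob into its 'string' fields
    (RFC 4251: 4-byte big-endian length followed by that many bytes)."""
    fields = []
    pos = 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def build_wire_strings(*fields: bytes) -> bytes:
    """Inverse of parse_wire_strings: encode fields as SSH 'string's."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def decode_pubkey_line(line: str) -> tuple:
    """Parse an OpenSSH public-key line ('<type> <base64 blob> [comment]',
    the format of known_hosts entries and ssh-keyscan output) into
    (key type, raw blob). The type outside the blob must match the type
    encoded inside it, as ssh itself checks."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    inner_type = parse_wire_strings(blob)[0].decode("ascii")
    if inner_type != key_type:
        raise ValueError(f"key type mismatch: {key_type} vs {inner_type}")
    return key_type, blob


def fingerprint(blob: bytes, hash_name: str = "sha256") -> str:
    """Fingerprint of a public-key blob as OpenSSH prints it: MD5 as
    colon-separated hex (pre-6.8 clients show it without the 'MD5:'
    prefix), SHA256 as unpadded base64 with the 'SHA256:' prefix."""
    if hash_name == "md5":
        digest = hashlib.md5(blob).digest()
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    if hash_name == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    raise ValueError("unsupported hash: " + hash_name)


# Constructed sample: an ssh-ed25519 host key whose 32 key bytes are
# arbitrary (not a real key). Only the encoding and hashing matter here.
SAMPLE_KEY_BYTES = bytes(range(32))
SAMPLE_BLOB = build_wire_strings(b"ssh-ed25519", SAMPLE_KEY_BYTES)
SAMPLE_PUBKEY_LINE = (
    "ssh-ed25519 "
    + base64.b64encode(SAMPLE_BLOB).decode("ascii")
    + " installer-host"
)


def both_fingerprints(pubkey_line: str) -> dict:
    """What an old (MD5) and a new (SHA256) client each print for the
    same host key: two strings, one key, nothing chosen by the server."""
    _, blob = decode_pubkey_line(pubkey_line)
    return {
        "md5": fingerprint(blob, "md5"),
        "sha256": fingerprint(blob, "sha256"),
    }


if __name__ == "__main__":
    for name, fp in both_fingerprints(SAMPLE_PUBKEY_LINE).items():
        print(name, fp)
```

In practice, paste the installer's key line from the 6.7 client's known_hosts (or from `ssh-keyscan` output) in place of the constructed sample: the SHA256 string it yields should match the one on the installer screen, while the MD5 string is what the old client showed. On a 6.8 or newer machine `ssh-keygen -l -E sha256 -f <file>` and `-E md5` produce the same two values.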
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng