https://bugzilla.mindrot.org/show_bug.cgi?id=3753

            Bug ID: 3753
           Summary: ssh-keygen and ssh-keyscan print SHA1 SSHFP digest by
                    default
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-keygen
          Assignee: [email protected]
          Reporter: [email protected]

ssh-keygen -r localhost -f ~/.ssh/id_ed25519.pub generates SSHFP
records for inclusion in DNS. But that includes a SHA1 digest, which
should no longer be used for verification of key status.

A minor issue in the manual page is that it does not mention that -O is
also supported in -r mode. In the top SYNOPSIS section, -r hostname does
not contain [-O option] the way -M generate below it does. But it accepts
options.

I can get the desired behaviour with:
ssh-keygen -r localhost -f ~/.ssh/id_ed25519.pub -O hashalg=sha256

But I think -O hashalg=sha1 should be mandatory to print SHA1 digests.
They should be omitted by default.

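The behaviour the report asks for, shown as an added example that is not OpenSSH's code: build SSHFP records (RFC 4255 algorithm and fingerprint-type numbers) from an OpenSSH public key line, emitting the SHA-256 fingerprint by default and the SHA-1 one only when the caller opts in. The function names (parse_pubkey_line, fingerprint_hex, sshfp_records, sample_key) and the sample ed25519 key, which is constructed from a fixed byte pattern and is not a real key, are assumptions made for this example.

```python
"""Generate SSHFP resource records from an OpenSSH public key line.

Added example for this bug report, not ssh-keygen's own implementation.
SHA-256 (fingerprint type 2) is always emitted; SHA-1 (type 1) only when
explicitly requested, mirroring the default the reporter proposes."""

import base64
import hashlib
import struct

# SSHFP algorithm numbers (IANA "DNS SSHFP Resource Record Parameters").
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint type numbers.
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Split an authorized_keys-style line into (key type, raw key blob).

    The blob is the base64-decoded wire encoding; its first string field
    repeats the key type, and the two must agree or the line is rejected."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # Wire format: uint32 big-endian length, then the key-type string.
    (name_len,) = struct.unpack(">I", blob[:4])
    wire_type = blob[4:4 + name_len].decode("ascii")
    if wire_type != key_type:
        raise ValueError(f"key type mismatch: {key_type!r} vs {wire_type!r}")
    return key_type, blob


def fingerprint_hex(blob: bytes, hashalg: str) -> str:
    """Hex digest of the raw key blob, which is what SSHFP stores."""
    return hashlib.new(hashalg, blob).hexdigest()


def sshfp_records(hostname: str, pubkey_line: str,
                  include_sha1: bool = False) -> list[str]:
    """Return zone-file SSHFP records for the key.

    SHA-256 is always emitted; SHA-1 only if include_sha1 is set, so a
    caller has to ask for the weak digest explicitly."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    try:
        alg = SSHFP_ALGORITHM[key_type]
    except KeyError:
        raise ValueError(f"no SSHFP algorithm number for {key_type}") from None
    hashalgs = ["sha256"] + (["sha1"] if include_sha1 else [])
    return [f"{hostname} IN SSHFP {alg} {SSHFP_FPTYPE[h]} {fingerprint_hex(blob, h)}"
            for h in hashalgs]


def sample_key() -> str:
    """Constructed ed25519 public key line for demonstration (not a real key):
    the 32-byte public value is just 0x42 repeated."""
    name = b"ssh-ed25519"
    pub = bytes([0x42]) * 32
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(pub)) + pub
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " example@host"


if __name__ == "__main__":
    for rec in sshfp_records("localhost", sample_key()):
        print(rec)
    # Opt in to the SHA-1 record, the equivalent of passing -O hashalg=sha1.
    for rec in sshfp_records("localhost", sample_key(), include_sha1=True):
        print(rec)
```

Running the module prints one SHA-256 record (algorithm 4, type 2) for the default call and both records for the opt-in call; feeding it a line whose leading key type does not match the type inside the base64 blob raises ValueError instead of silently producing a record for the wrong algorithm.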
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
