cloudtools / ssh-cert-authority

An implementation of an SSH certificate authority.
BSD 2-Clause "Simplified" License

Support for SHA256 fingerprint #23

Open mvdkleijn opened 8 years ago

mvdkleijn commented 8 years ago

Would it be possible to support SHA256 fingerprints in the config? The latest Ubuntu LTS release defaults to SHA256 fingerprints.

I realize that I can list the MD5 fingerprint, but it's annoying and I'd like to banish md5 from everything if possible.

bobveznat commented 8 years ago

Yes. I actually have a branch somewhere that does this. The code quickly got more complicated than I liked when I tried to seamlessly support both the legacy md5 format and the newer prefixed format. Knowing what I know now I can probably redo this reasonably easily. So, yes, I can likely add support for this with backwards compatibility for both older versions of openssh and existing installations of ssh-cert-authority that still use the md5 format.

pieterbreed commented 7 years ago

I am also interested in this feature. In the meantime, what do you suggest as a work-around?

bobveznat commented 7 years ago

tl;dr The workaround is to use -E md5 and strip the MD5 prefix from the output.

I'll bring a little context to the picture here. There are three places where these fingerprints matter: the client (requester) configuration, signer configuration and the server configuration.

For the requester side you no longer are required to use a fingerprint. Instead you can specify the filename of your key using PublicKeyPath. I realize now that USAGE.rst is out of date as it only shows the filename option. I've patched up the file to recommend simply using the path option and that has been pushed.

For the signer, for some reason, I only support fingerprints and on the server, because we don't have the full public key, we only support fingerprints. In both cases the fingerprint must be legacy MD5. To get this fingerprint you can use the -E md5 option to most openssh commands. For example, you might:

```
$ ssh-keygen -l -f ~/.ssh/bvanzant-yubikey-pkcs11.pub -E md5
2048 MD5:77:f4:fe:59:f5:1b:94:39:cb:27:75:ad:f4:0e:1e:ed no comment (RSA)
```

The output of that command is still invalid from an ssh-cert-authority perspective. You need to strip the MD5: prefix from the fingerprint.
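As an added illustration (not code from ssh-cert-authority or from the commenters), the following Python shows the two fingerprint formats this thread is about and how a config reader could accept both: the legacy colon-separated MD5 string that ssh-cert-authority currently expects (with or without the `MD5:` prefix that `ssh-keygen -E md5` prints), and the `SHA256:` base64 format that newer OpenSSH defaults to. The sample key line, its comment and every function name here are constructed for this example and are not from the project.

```python
import base64
import hashlib
import hmac
import re
import struct

# Legacy format: 16 colon-separated lowercase hex byte values (no "MD5:" prefix).
LEGACY_MD5_RE = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")
# Modern format: unpadded base64 of a 32-byte SHA-256 digest is always 43 characters.
SHA256_BODY_RE = re.compile(r"^[A-Za-z0-9+/]{43}$")


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key for this example: an ed25519 public key blob whose
# 32 key bytes are simply 0..31. It is valid wire format but not a real key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed-example"
)


def public_key_blob(authorized_key_line: str) -> bytes:
    """Return the raw key blob from an OpenSSH public key line ('<type> <base64> [comment]').

    Fingerprints are computed over this blob, which is what ssh-keygen -l hashes.
    """
    parts = authorized_key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    return base64.b64decode(parts[1])


def fingerprint_md5(blob: bytes) -> str:
    """Legacy fingerprint as ssh-cert-authority expects it: 'ssh-keygen -E md5' output
    with the 'MD5:' prefix stripped."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern fingerprint: 'SHA256:' + base64 of the SHA-256 digest without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def normalize_fingerprint(configured: str) -> tuple:
    """Accept a fingerprint in any of the three spellings seen in the wild and return
    (algorithm, canonical value): legacy colon-hex, 'MD5:' prefixed colon-hex, or
    'SHA256:' prefixed base64. Anything else is rejected rather than silently matched."""
    value = configured.strip()
    if value.startswith("SHA256:"):
        body = value[len("SHA256:"):].rstrip("=")
        if not SHA256_BODY_RE.match(body):
            raise ValueError("malformed SHA256 fingerprint: %r" % configured)
        return ("sha256", "SHA256:" + body)
    if value.startswith("MD5:"):
        value = value[len("MD5:"):]
    value = value.lower()
    if not LEGACY_MD5_RE.match(value):
        raise ValueError("malformed MD5 fingerprint: %r" % configured)
    return ("md5", value)


def fingerprint_matches(configured: str, blob: bytes) -> bool:
    """Compare a configured fingerprint against a key blob using whichever algorithm
    the configured string names, so old MD5 configs and new SHA256 configs both work."""
    algo, want = normalize_fingerprint(configured)
    have = fingerprint_md5(blob) if algo == "md5" else fingerprint_sha256(blob)
    # Constant-time comparison; fingerprints are not secrets, but it costs nothing.
    return hmac.compare_digest(have, want)


if __name__ == "__main__":
    blob = public_key_blob(SAMPLE_KEY_LINE)
    print("legacy md5 :", fingerprint_md5(blob))
    print("sha256     :", fingerprint_sha256(blob))
    print("MD5: form  :", fingerprint_matches("MD5:" + fingerprint_md5(blob), blob))
```

The dispatch on prefix is the part that makes backward compatibility cheap: an existing config holding bare colon-hex keeps working, a pasted `ssh-keygen -E md5` line works without hand-stripping the prefix, and a `SHA256:` entry is compared with SHA-256. Rejecting unrecognized strings up front avoids a config typo that never matches anything being mistaken for a key problem.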

mvdkleijn commented 4 years ago

What is the status for this item? Still in the planning or superseded by something else?