tobhe
commented
2 years ago Here is a little before and after from my last round of tests. With md5 and hex encoding:
pam_ssh_agent_auth: Found matching RSA key: c9:20:ff:09:15:7b:a2:e6:59:e3:a7:4a:60:0c:4f:61:1a:60:07:c9:d2:98:76:7f:71:4f:2f:d2:fc:00:c1:7dvs sha256 in base64:
pam_ssh_agent_auth: Found matching RSA key: SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0Which now matches the output of $ ssh-keygen -lf ~/.ssh/id_rsa.pub:
4096 SHA256:ySD/CRV7ouZZ46dKYAxPYRpgB8nSmHZ/cU8v0vwAwX0 (RSA)
We ran into problems using this module when running in FIPS mode. MD5 is not allowed with FIPS and in general probably not a good idea to use for key fingerprints anymore.
I propose switching to SHA256 which upstream OpenSSH appears to use by default since OpenSSH 6.8. The PR also changes the format of SSH fingerprints from hex encoding to base64 with appended hash name for compatibility with upstream fingerprints.