Move all packages to root.
1 diff -up openssh-5.8p1/auth2-hostbased.c.fingerprint openssh-5.8p1/auth2-hostbased.c
2 --- openssh-5.8p1/auth2-hostbased.c.fingerprint 2010-08-05 05:04:50.000000000 +0200
3 +++ openssh-5.8p1/auth2-hostbased.c 2011-02-25 09:17:18.000000000 +0100
4 @@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw,
5
6 if (host_status == HOST_OK) {
7 if (key_is_cert(key)) {
8 - fp = key_fingerprint(key->cert->signature_key,
9 - SSH_FP_MD5, SSH_FP_HEX);
10 + fp = key_selected_fingerprint(key->cert->signature_key,
11 + SSH_FP_HEX);
12 verbose("Accepted certificate ID \"%s\" signed by "
13 - "%s CA %s from %s@%s", key->cert->key_id,
14 - key_type(key->cert->signature_key), fp,
15 + "%s CA %s%s from %s@%s", key->cert->key_id,
16 + key_type(key->cert->signature_key),
17 + key_fingerprint_prefix(), fp,
18 cuser, lookup);
19 } else {
20 - fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
21 - verbose("Accepted %s public key %s from %s@%s",
22 - key_type(key), fp, cuser, lookup);
23 + fp = key_selected_fingerprint(key, SSH_FP_HEX);
24 + verbose("Accepted %s public key %s%s from %s@%s",
25 + key_type(key), key_fingerprint_prefix(),
26 + fp, cuser, lookup);
27 }
28 xfree(fp);
29 }
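Review bot: Both `verbose()` calls in this hunk write the accepted key's fingerprint to the server log, and the digest behind that string is now chosen by `SSH_FINGERPRINT_TYPE` in the daemon's environment, which is not apparent at the call site. An unprefixed value is MD5 and a `sha1:` value is SHA-1, so log searches and alerts keyed on a fingerprint have to handle both forms. I would add a comment above the first call: `/* digest follows SSH_FINGERPRINT_TYPE (see key_fingerprint_selection()); no prefix means MD5 */`. The same applies to the logging hunks in auth2-pubkey.c, auth.c and auth-rsa.c; hostbased_key_allowed starts and ends outside this hunk.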
30 diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c
31 --- openssh-5.8p1/auth2-pubkey.c.fingerprint 2010-12-01 01:50:14.000000000 +0100
32 +++ openssh-5.8p1/auth2-pubkey.c 2011-02-25 09:17:18.000000000 +0100
33 @@ -319,10 +319,10 @@ user_key_allowed2(struct passwd *pw, Key
34 continue;
35 if (!key_is_cert_authority)
36 continue;
37 - fp = key_fingerprint(found, SSH_FP_MD5,
38 - SSH_FP_HEX);
39 - debug("matching CA found: file %s, line %lu, %s %s",
40 - file, linenum, key_type(found), fp);
41 + fp = key_selected_fingerprint(found, SSH_FP_HEX);
42 + debug("matching CA found: file %s, line %lu, %s %s%s",
43 + file, linenum, key_type(found),
44 + key_fingerprint_prefix(), fp);
45 /*
46 * If the user has specified a list of principals as
47 * a key option, then prefer that list to matching
48 @@ -362,9 +362,9 @@ user_key_allowed2(struct passwd *pw, Key
49 found_key = 1;
50 debug("matching key found: file %s, line %lu",
51 file, linenum);
52 - fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
53 - verbose("Found matching %s key: %s",
54 - key_type(found), fp);
55 + fp = key_selected_fingerprint(found, SSH_FP_HEX);
56 + verbose("Found matching %s key: %s%s",
57 + key_type(found), key_fingerprint_prefix(), fp);
58 xfree(fp);
59 break;
60 }
61 @@ -388,13 +388,13 @@ user_cert_trusted_ca(struct passwd *pw,
62 if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
63 return 0;
64
65 - ca_fp = key_fingerprint(key->cert->signature_key,
66 - SSH_FP_MD5, SSH_FP_HEX);
67 + ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
68
69 if (key_in_file(key->cert->signature_key,
70 options.trusted_user_ca_keys, 1) != 1) {
71 - debug2("%s: CA %s %s is not listed in %s", __func__,
72 - key_type(key->cert->signature_key), ca_fp,
73 + debug2("%s: CA %s%s %s is not listed in %s", __func__,
74 + key_type(key->cert->signature_key),
75 + key_fingerprint_prefix(), ca_fp,
76 options.trusted_user_ca_keys);
77 goto out;
78 }
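Review bot: The new `debug2()` format in user_cert_trusted_ca puts the prefix in the wrong slot: `"%s: CA %s%s %s is not listed in %s"` glues `key_fingerprint_prefix()` onto the key type and leaves the fingerprint bare, so with SHA-1 selected the message would read like `CA RSAsha1: <fingerprint>` (constructed example). Every other call site in this patch uses `%s %s%s`, so the line should be `debug2("%s: CA %s %s%s is not listed in %s", __func__,`. The argument list is already in the right order and needs no change. The function continues outside the hunk.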
79 diff -up openssh-5.8p1/auth.c.fingerprint openssh-5.8p1/auth.c
80 --- openssh-5.8p1/auth.c.fingerprint 2010-12-01 02:21:51.000000000 +0100
81 +++ openssh-5.8p1/auth.c 2011-02-25 09:17:18.000000000 +0100
82 @@ -639,9 +639,10 @@ auth_key_is_revoked(Key *key)
83 return 1;
84 case 1:
85 /* Key revoked */
86 - key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
87 + key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
88 error("WARNING: authentication attempt with a revoked "
89 - "%s key %s ", key_type(key), key_fp);
90 + "%s key %s%s ", key_type(key),
91 + key_fingerprint_prefix(), key_fp);
92 xfree(key_fp);
93 return 1;
94 }
95 diff -up openssh-5.8p1/auth-rsa.c.fingerprint openssh-5.8p1/auth-rsa.c
96 --- openssh-5.8p1/auth-rsa.c.fingerprint 2010-12-04 23:01:47.000000000 +0100
97 +++ openssh-5.8p1/auth-rsa.c 2011-02-25 09:17:18.000000000 +0100
98 @@ -318,9 +318,9 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli
99 * options; this will be reset if the options cause the
100 * authentication to be rejected.
101 */
102 - fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
103 - verbose("Found matching %s key: %s",
104 - key_type(key), fp);
105 + fp = key_selected_fingerprint(key, SSH_FP_HEX);
106 + verbose("Found matching %s key: %s%s",
107 + key_type(key), key_fingerprint_prefix(), fp);
108 xfree(fp);
109 key_free(key);
110
111 diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c
112 --- openssh-5.8p1/key.c.fingerprint 2011-02-04 01:48:34.000000000 +0100
113 +++ openssh-5.8p1/key.c 2011-02-25 09:18:16.000000000 +0100
114 @@ -594,6 +594,34 @@ key_fingerprint(Key *k, enum fp_type dgs
115 return retval;
116 }
117
118 +enum fp_type
119 +key_fingerprint_selection(void)
120 +{
121 + static enum fp_type rv;
122 + static char rv_defined = 0;
123 + char *env;
124 +
125 + if (!rv_defined) {
126 + env = getenv("SSH_FINGERPRINT_TYPE");
127 + rv = (env && !strcmp (env, "sha")) ?
128 + SSH_FP_SHA1 : SSH_FP_MD5;
129 + rv_defined = 1;
130 + }
131 + return rv;
132 +}
133 +
134 +char *
135 +key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
136 +{
137 + return key_fingerprint(k, key_fingerprint_selection(), dgst_rep);
138 +}
139 +
140 +char *
141 +key_fingerprint_prefix(void)
142 +{
143 + return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : "";
144 +}
145 +
146 /*
147 * Reads a multiple-precision integer in decimal from the buffer, and advances
148 * the pointer. The integer must already be initialized. This function is
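Review bot: `key_fingerprint_selection()` treats every value of `SSH_FINGERPRINT_TYPE` other than the exact string `sha` as a request for MD5, so a setting such as `sha1` or `SHA` silently keeps the weaker digest with no diagnostic. I would make the recognised values explicit and report anything else once, as in the fence below; it assumes `error()` from log.h is usable in key.c and introduces `md5` as an accepted spelling, both to be confirmed. The choice is cached in function statics on the first call, so later changes to the environment are ignored, which deserves a one-line comment. `key_fingerprint_prefix()` returns string literals and would be better declared `const char *`, here and in key.h.

```c
key_fingerprint_selection(void)
{
	/* … unchanged: static rv, rv_defined and env declarations … */

	if (!rv_defined) {
		env = getenv("SSH_FINGERPRINT_TYPE");
		if (env == NULL || strcmp(env, "md5") == 0)
			rv = SSH_FP_MD5;
		else if (strcmp(env, "sha") == 0)
			rv = SSH_FP_SHA1;
		else {
			/* unknown value: keep the default, but say so */
			error("SSH_FINGERPRINT_TYPE: unrecognized value, "
			    "using MD5 fingerprints");
			rv = SSH_FP_MD5;
		}
		rv_defined = 1;	/* decided once per process */
	}
	return rv;
}
```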
149 diff -up openssh-5.8p1/key.h.fingerprint openssh-5.8p1/key.h
150 --- openssh-5.8p1/key.h.fingerprint 2010-11-05 00:19:49.000000000 +0100
151 +++ openssh-5.8p1/key.h 2011-02-25 09:17:18.000000000 +0100
152 @@ -96,6 +96,9 @@ int key_equal_public(const Key *, cons
153 int key_equal(const Key *, const Key *);
154 char *key_fingerprint(Key *, enum fp_type, enum fp_rep);
155 u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *);
156 +enum fp_type key_fingerprint_selection(void);
157 +char *key_selected_fingerprint(Key *, enum fp_rep);
158 +char *key_fingerprint_prefix(void);
159 const char *key_type(const Key *);
160 const char *key_cert_type(const Key *);
161 int key_write(const Key *, FILE *);
162 diff -up openssh-5.8p1/ssh-add.c.fingerprint openssh-5.8p1/ssh-add.c
163 --- openssh-5.8p1/ssh-add.c.fingerprint 2010-11-11 04:17:02.000000000 +0100
164 +++ openssh-5.8p1/ssh-add.c 2011-02-25 09:17:18.000000000 +0100
165 @@ -280,10 +280,10 @@ list_identities(AuthenticationConnection
166 key = ssh_get_next_identity(ac, &comment, version)) {
167 had_identities = 1;
168 if (do_fp) {
169 - fp = key_fingerprint(key, SSH_FP_MD5,
170 - SSH_FP_HEX);
171 - printf("%d %s %s (%s)\n",
172 - key_size(key), fp, comment, key_type(key));
173 + fp = key_selected_fingerprint(key, SSH_FP_HEX);
174 + printf("%d %s%s %s (%s)\n",
175 + key_size(key), key_fingerprint_prefix(),
176 + fp, comment, key_type(key));
177 xfree(fp);
178 } else {
179 if (!key_write(key, stdout))
180 diff -up openssh-5.8p1/ssh-agent.c.fingerprint openssh-5.8p1/ssh-agent.c
181 --- openssh-5.8p1/ssh-agent.c.fingerprint 2010-12-01 01:50:35.000000000 +0100
182 +++ openssh-5.8p1/ssh-agent.c 2011-02-25 09:17:18.000000000 +0100
183 @@ -199,9 +199,9 @@ confirm_key(Identity *id)
184 char *p;
185 int ret = -1;
186
187 - p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
188 - if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
189 - id->comment, p))
190 + p = key_selected_fingerprint(id->key, SSH_FP_HEX);
191 + if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.",
192 + id->comment, key_fingerprint_prefix(), p))
193 ret = 0;
194 xfree(p);
195
196 diff -up openssh-5.8p1/sshconnect2.c.fingerprint openssh-5.8p1/sshconnect2.c
197 --- openssh-5.8p1/sshconnect2.c.fingerprint 2010-12-01 02:21:51.000000000 +0100
198 +++ openssh-5.8p1/sshconnect2.c 2011-02-25 09:17:18.000000000 +0100
199 @@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t
200 key->type, pktype);
201 goto done;
202 }
203 - fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
204 - debug2("input_userauth_pk_ok: fp %s", fp);
205 + fp = key_selected_fingerprint(key, SSH_FP_HEX);
206 + debug2("input_userauth_pk_ok: fp %s%s",
207 + key_fingerprint_prefix(), fp);
208 xfree(fp);
209
210 /*
211 @@ -1203,8 +1204,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
212 int have_sig = 1;
213 char *fp;
214
215 - fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
216 - debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
217 + fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
218 + debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
219 + key_fingerprint_prefix(), fp);
220 xfree(fp);
221
222 if (key_to_blob(id->key, &blob, &bloblen) == 0) {
223 diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
224 --- openssh-5.8p1/sshconnect.c.fingerprint 2011-01-16 13:17:59.000000000 +0100
225 +++ openssh-5.8p1/sshconnect.c 2011-02-25 09:17:18.000000000 +0100
226 @@ -798,10 +798,10 @@ check_host_key(char *hostname, struct so
227 "key for IP address '%.128s' to the list "
228 "of known hosts.", type, ip);
229 } else if (options.visual_host_key) {
230 - fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
231 - ra = key_fingerprint(host_key, SSH_FP_MD5,
232 - SSH_FP_RANDOMART);
233 - logit("Host key fingerprint is %s\n%s\n", fp, ra);
234 + fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
235 + ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
236 + logit("Host key fingerprint is %s%s\n%s\n",
237 + key_fingerprint_prefix(), fp, ra);
238 xfree(ra);
239 xfree(fp);
240 }
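Review bot: The randomart string `ra` in check_host_key is now drawn from the environment-selected digest, but only the hex fingerprint receives `key_fingerprint_prefix()`, so nothing in the `logit()` output says which digest produced the image. The same host key will therefore render as a different picture depending on `SSH_FINGERPRINT_TYPE`, and a user comparing it with a remembered or published image may read that as a changed key. I would at least document it at the call: `/* randomart uses the same digest as fp; MD5 and SHA-1 images of one key differ */`. The same applies to the later check_host_key hunk, to show_other_keys and to the randomart output in ssh-keygen.c; check_host_key starts and ends outside this hunk.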
241 @@ -838,9 +838,8 @@ check_host_key(char *hostname, struct so
242 else
243 snprintf(msg1, sizeof(msg1), ".");
244 /* The default */
245 - fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
246 - ra = key_fingerprint(host_key, SSH_FP_MD5,
247 - SSH_FP_RANDOMART);
248 + fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
249 + ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
250 msg2[0] = '\0';
251 if (options.verify_host_key_dns) {
252 if (matching_host_key_dns)
253 @@ -855,10 +854,11 @@ check_host_key(char *hostname, struct so
254 snprintf(msg, sizeof(msg),
255 "The authenticity of host '%.200s (%s)' can't be "
256 "established%s\n"
257 - "%s key fingerprint is %s.%s%s\n%s"
258 + "%s key fingerprint is %s%s.%s%s\n%s"
259 "Are you sure you want to continue connecting "
260 "(yes/no)? ",
261 - host, ip, msg1, type, fp,
262 + host, ip, msg1, type,
263 + key_fingerprint_prefix(), fp,
264 options.visual_host_key ? "\n" : "",
265 options.visual_host_key ? ra : "",
266 msg2);
267 @@ -1104,8 +1104,9 @@ verify_host_key(char *host, struct socka
268 int flags = 0;
269 char *fp;
270
271 - fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
272 - debug("Server host key: %s %s", key_type(host_key), fp);
273 + fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
274 + debug("Server host key: %s %s%s", key_type(host_key),
275 + key_fingerprint_prefix(), fp);
276 xfree(fp);
277
278 /* XXX certs are not yet supported for DNS */
279 @@ -1214,14 +1215,15 @@ show_other_keys(struct hostkeys *hostkey
280 continue;
281 if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
282 continue;
283 - fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
284 - ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
285 + fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
286 + ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
287 logit("WARNING: %s key found for host %s\n"
288 "in %s:%lu\n"
289 - "%s key fingerprint %s.",
290 + "%s key fingerprint %s%s.",
291 key_type(found->key),
292 found->host, found->file, found->line,
293 - key_type(found->key), fp);
294 + key_type(found->key),
295 + key_fingerprint_prefix(), fp);
296 if (options.visual_host_key)
297 logit("%s", ra);
298 xfree(ra);
299 @@ -1236,7 +1238,7 @@ warn_changed_key(Key *host_key)
300 {
301 char *fp;
302
303 - fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
304 + fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
305
306 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
307 error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
308 @@ -1244,8 +1246,8 @@ warn_changed_key(Key *host_key)
309 error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
310 error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
311 error("It is also possible that a host key has just been changed.");
312 - error("The fingerprint for the %s key sent by the remote host is\n%s.",
313 - key_type(host_key), fp);
314 + error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
315 + key_type(host_key),key_fingerprint_prefix(), fp);
316 error("Please contact your system administrator.");
317
318 xfree(fp);
319 diff -up openssh-5.8p1/ssh-keygen.c.fingerprint openssh-5.8p1/ssh-keygen.c
320 --- openssh-5.8p1/ssh-keygen.c.fingerprint 2011-01-11 07:20:31.000000000 +0100
321 +++ openssh-5.8p1/ssh-keygen.c 2011-02-25 09:17:18.000000000 +0100
322 @@ -714,13 +714,14 @@ do_fingerprint(struct passwd *pw)
323 {
324 FILE *f;
325 Key *public;
326 - char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
327 + char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra, *pfx;
328 int i, skip = 0, num = 0, invalid = 1;
329 enum fp_rep rep;
330 enum fp_type fptype;
331 struct stat st;
332
333 - fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
334 + fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
335 + pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
336 rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
337
338 if (!have_identity)
339 @@ -732,8 +733,8 @@ do_fingerprint(struct passwd *pw)
340 public = key_load_public(identity_file, &comment);
341 if (public != NULL) {
342 fp = key_fingerprint(public, fptype, rep);
343 - ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
344 - printf("%u %s %s (%s)\n", key_size(public), fp, comment,
345 + ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
346 + printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, comment,
347 key_type(public));
348 if (log_level >= SYSLOG_LEVEL_VERBOSE)
349 printf("%s\n", ra);
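Review bot: In do_fingerprint the two representations of one key can come from different digests: `fp` is computed with `fptype`, which is forced to SHA-1 when `print_bubblebabble` is set, while the new `ra` line calls `key_selected_fingerprint()` and so follows the environment (MD5 unless `SSH_FINGERPRINT_TYPE` is `sha`). Reusing the type already chosen keeps them in step: `ra = key_fingerprint(public, fptype, SSH_FP_RANDOMART);`. That changes the image printed alongside bubblebabble output, so it should be mentioned in the patch description. The same pairing appears in the second do_fingerprint hunk and in printhost; do_fingerprint continues outside this hunk.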
350 @@ -798,8 +799,8 @@ do_fingerprint(struct passwd *pw)
351 }
352 comment = *cp ? cp : comment;
353 fp = key_fingerprint(public, fptype, rep);
354 - ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
355 - printf("%u %s %s (%s)\n", key_size(public), fp,
356 + ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
357 + printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp,
358 comment ? comment : "no comment", key_type(public));
359 if (log_level >= SYSLOG_LEVEL_VERBOSE)
360 printf("%s\n", ra);
361 @@ -823,13 +824,15 @@ printhost(FILE *f, const char *name, Key
362 if (print_fingerprint) {
363 enum fp_rep rep;
364 enum fp_type fptype;
365 - char *fp, *ra;
366 + char *fp, *ra, *pfx;
367
368 - fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
369 + fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
370 + pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
371 rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
372 +
373 fp = key_fingerprint(public, fptype, rep);
374 - ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
375 - printf("%u %s %s (%s)\n", key_size(public), fp, name,
376 + ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
377 + printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, name,
378 key_type(public));
379 if (log_level >= SYSLOG_LEVEL_VERBOSE)
380 printf("%s\n", ra);
381 @@ -1695,16 +1698,17 @@ do_show_cert(struct passwd *pw)
382 fatal("%s is not a certificate", identity_file);
383 v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
384
385 - key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
386 - ca_fp = key_fingerprint(key->cert->signature_key,
387 - SSH_FP_MD5, SSH_FP_HEX);
388 + key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
389 + ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
390
391 printf("%s:\n", identity_file);
392 printf(" Type: %s %s certificate\n", key_ssh_name(key),
393 key_cert_type(key));
394 - printf(" Public key: %s %s\n", key_type(key), key_fp);
395 - printf(" Signing CA: %s %s\n",
396 - key_type(key->cert->signature_key), ca_fp);
397 + printf(" Public key: %s %s%s\n", key_type(key),
398 + key_fingerprint_prefix(), key_fp);
399 + printf(" Signing CA: %s %s%s\n",
400 + key_type(key->cert->signature_key),
401 + key_fingerprint_prefix(), ca_fp);
402 printf(" Key ID: \"%s\"\n", key->cert->key_id);
403 if (!v00) {
404 printf(" Serial: %llu\n",
405 @@ -2249,13 +2253,12 @@ passphrase_again:
406 fclose(f);
407
408 if (!quiet) {
409 - char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
410 - char *ra = key_fingerprint(public, SSH_FP_MD5,
411 - SSH_FP_RANDOMART);
412 + char *fp = key_selected_fingerprint(public, SSH_FP_HEX);
413 + char *ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
414 printf("Your public key has been saved in %s.\n",
415 identity_file);
416 printf("The key fingerprint is:\n");
417 - printf("%s %s\n", fp, comment);
418 + printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
419 printf("The key's randomart image is:\n");
420 printf("%s\n", ra);
421 xfree(ra);