Support for SHA256 fingerprint #23
Comments
Yes. I actually have a branch somewhere that does this. The code quickly got more complicated than I liked when I tried to seamlessly support both the legacy md5 format and the newer prefixed format. Knowing what I know now I can probably redo this reasonably easily. So, yes, I can likely add support for this with backwards compatibility for both older versions of openssh and existing installations of ssh-cert-authority that still use the md5 format.

I am also interested in this feature. In the meantime, what do you suggest as a work-around?

tl;dr The workaround is to use -E md5 and strip the MD5 prefix from the output.

I'll bring a little context to the picture here. There are three places where these fingerprints matter: the client (requester) configuration, signer configuration and the server configuration.

For the requester side you no longer are required to use a fingerprint. Instead you can specify the filename of your key using For the signer, for some reason, I only support fingerprints and on the server, because we don't have the full public key, we only support fingerprints. In both cases the fingerprint must be legacy MD5.

To get this fingerprint you can use the -E md5 option to most openssh commands. For example, you might:

The output of that command is still invalid from an ssh-cert-authority perspective. You need to strip the
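
The two fingerprint formats discussed in this thread, as an added example that is not part of the original comment and is not ssh-cert-authority's own code: it derives the bare legacy MD5 form and the prefixed SHA256 form from one public key line, and normalizes a printed `MD5:` fingerprint to the bare form. The function names are hypothetical and the sample key line is constructed placeholder data.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// colonHex renders bytes as "aa:bb:cc" ("% x" prints space-separated hex pairs).
func colonHex(b []byte) string {
	return strings.ReplaceAll(fmt.Sprintf("% x", b), " ", ":")
}

// KeyBlob decodes the base64 field of a "<type> <base64> [comment]" public key line.
func KeyBlob(line string) ([]byte, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return nil, fmt.Errorf("want <type> <base64> [comment], got %q", line)
	}
	return base64.StdEncoding.DecodeString(f[1])
}

// Fingerprints returns the bare legacy MD5 form (`ssh-keygen -l -E md5` minus
// "MD5:") and the prefixed SHA256 form (unpadded base64) of one key blob.
func Fingerprints(blob []byte) (legacyMD5, sha256FP string) {
	m, s := md5.Sum(blob), sha256.Sum256(blob)
	return colonHex(m[:]), "SHA256:" + base64.RawStdEncoding.EncodeToString(s[:])
}

// StripMD5Prefix turns a printed "MD5:aa:bb:..." token into the bare form and
// rejects anything that is not 16 colon-separated hex bytes (e.g. a SHA256 one).
func StripMD5Prefix(printed string) (string, error) {
	fp := strings.ToLower(strings.TrimPrefix(strings.TrimSpace(printed), "MD5:"))
	raw, err := hex.DecodeString(strings.ReplaceAll(fp, ":", ""))
	if err != nil || len(raw) != md5.Size || colonHex(raw) != fp {
		return "", fmt.Errorf("not a legacy MD5 fingerprint: %q", printed)
	}
	return fp, nil
}

func main() {
	// Constructed sample: placeholder bytes stand in for a key blob, not a real key.
	blob, _ := KeyBlob("ssh-ed25519 Y29uc3RydWN0ZWQ= demo@example")
	fmt.Println(Fingerprints(blob))
}
```

Both fingerprints are digests of the same decoded key blob, so a configuration that only accepts the legacy form can be checked against a SHA256 fingerprint only by recomputing from the public key itself.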

What is the status for this item? Still in the planning or superseded by something else?

Would it be possible to support SHA256 fingerprints in the config? The latest Ubuntu LTS release defaults to SHA256 fingerprints.
I realize that I can list the MD5 fingerprint, but it's annoying and I'd like to banish md5 from everything if possible.