From: Kevin Wolf <kwolf@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-block@nongnu.org, qemu-devel@nongnu.org,
	Markus Armbruster <armbru@redhat.com>,
	"Richard W.M. Jones" <rjones@redhat.com>,
	Max Reitz <mreitz@redhat.com>, Eric Blake <eblake@redhat.com>
Subject: Re: [PATCH] block/ssh: add support for sha256 host key fingerprints
Date: Wed, 30 Jun 2021 12:52:43 +0200
Message-ID: <YNxM+/c1Q3iUKZVC@redhat.com>
In-Reply-To: <20210622115156.138458-1-berrange@redhat.com>

On 22.06.2021 at 13:51, Daniel P. Berrangé wrote:
> Currently the SSH block driver supports MD5 and SHA1 for host key
> fingerprints. This is a cryptographically sensitive operation and
> so these hash algorithms are inadequate by modern standards. This
> adds support for SHA256 which has been supported in libssh since
> the 0.8.1 release.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Thanks, applied to the block branch.

> Note I can't actually get iotest '207' to fully pass. It always
> complains that it can't validate the "known_hosts" file
> 
>   qemu-img: Could not open 'TEST_IMG': no host key was found in known_hosts
> 
> it seems to rely on some specific developer host setup that my
> laptop doesn't satisfy. It would be useful if any pre-requisite
> could be documented in the iotest.
> 
> At least the sha256 verification step I added to 207 does pass
> though.

It passes for me when I make sure to add 127.0.0.1 to known_hosts first.
My ~/.ssh/config also has these lines, probably from a previous run,
which may or may not be necessary:

Host 127.0.0.1
    HostKeyAlgorithms ssh-rsa

Kevin
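
Added example, not part of this message or of the QEMU patch: how the MD5, SHA1 and SHA256 host key fingerprints discussed above are derived from a known_hosts entry, and how a pinned fingerprint can be checked against it. All function names are hypothetical, the key blob is constructed sample data rather than a real host key, and ignoring colons and letter case in the pinned value is this example's own convention.

```python
import base64
import hashlib
import hmac
import struct

def parse_known_hosts_line(line):
    """Return (hosts, key_type, raw_key_blob) for one unhashed known_hosts entry."""
    hosts, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed algorithm name (RFC 4253 string);
    # reject entries where it disagrees with the textual key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type does not match key blob")
    return hosts.split(","), key_type, blob

def fingerprint(blob, algo="sha256"):
    """Hex digest of the raw public key blob (what a fingerprint check compares)."""
    return hashlib.new(algo, blob).hexdigest()

def openssh_sha256(blob):
    """Same digest in the form `ssh-keygen -l` prints: SHA256: + unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def matches(blob, expected_hex, algo="sha256"):
    """Constant-time comparison with a pinned fingerprint (colons/case ignored)."""
    want = expected_hex.replace(":", "").lower()
    return hmac.compare_digest(fingerprint(blob, algo), want)

def _ssh_string(b):
    # RFC 4253 "string": 32-bit big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b

# Constructed sample (not a real host key): ssh-ed25519 with 32 fixed bytes.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "127.0.0.1 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    hosts, ktype, blob = parse_known_hosts_line(SAMPLE_LINE)
    for algo in ("md5", "sha1", "sha256"):
        print(f"{algo:7} {fingerprint(blob, algo)}")
    print(openssh_sha256(blob))
```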
