The host key fingerprint for SSH servers is used in a scenario where
cryptographic strength is important. We should thus be defaulting to
use of SHA256 where available. We only need SHA1 for Ubuntu 18.04
which does not have libssh >= 0.8.1
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/rpc/virnetlibsshsession.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/rpc/virnetlibsshsession.c b/src/rpc/virnetlibsshsession.c
index 50ace5f41d..22d54c99be 100644
--- a/src/rpc/virnetlibsshsession.c
+++ b/src/rpc/virnetlibsshsession.c
@@ -39,6 +39,12 @@ VIR_LOG_INIT("rpc.netlibsshsession");
#define VIR_NET_LIBSSH_BUFFER_SIZE 1024
+#if LIBSSH_VERSION_INT < SSH_VERSION_INT(0, 8, 1)
+# define VIR_SSH_HOSTKEY_HASH SSH_PUBLICKEY_HASH_SHA1
+#else
+# define VIR_SSH_HOSTKEY_HASH SSH_PUBLICKEY_HASH_SHA256
+#endif
+
/* TRACE_LIBSSH=<level> enables tracing in libssh itself.
* The meaning of <level> is described here:
* https://api.libssh.org/master/group__libssh__log.html
@@ -203,9 +209,10 @@ virLibsshServerKeyAsString(virNetLibsshSession *sess)
return NULL;
}
- /* calculate remote key hash, using SHA1 algorithm that is
- * usual in OpenSSH. The returned value must be freed */
- ret = ssh_get_publickey_hash(key, SSH_PUBLICKEY_HASH_SHA1,
+ /* calculate remote key hash, using SHA256 algorithm that is
+ * the default in modern OpenSSH, fallback to SHA1 for older
+ * libssh. The returned value must be freed */
+ ret = ssh_get_publickey_hash(key, VIR_SSH_HOSTKEY_HASH,
&keyhash, &keyhashlen);
ssh_key_free(key);
if (ret < 0) {
--
2.31.1