From: Daniel P. Berrangé <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Hanna Reitz, Daniel P. Berrangé, "Richard W.M. Jones", qemu-block@nongnu.org
Subject: [PATCH 1/3] block: better document SSH host key fingerprint checking
Date: Thu, 18 Nov 2021 14:35:45 +0000
Message-Id: <20211118143547.2045554-2-berrange@redhat.com>
In-Reply-To: <20211118143547.2045554-1-berrange@redhat.com>
References: <20211118143547.2045554-1-berrange@redhat.com>

The docs still illustrate host key fingerprint checking using the old
md5 hashes which are considered insecure and obsolete. Change it to
illustrate using a sha256 hash. Also show how to extract the hash
value from the known_hosts file.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Hanna Reitz
---
 docs/system/qemu-block-drivers.rst.inc | 30 ++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/docs/system/qemu-block-drivers.rst.inc b/docs/system/qemu-block-drivers.rst.inc
index 16225710eb..2aeeaf6361 100644
--- a/docs/system/qemu-block-drivers.rst.inc
+++ b/docs/system/qemu-block-drivers.rst.inc
@@ -778,10 +778,32 @@ The optional *HOST_KEY_CHECK* parameter controls how = the remote host's key is checked. The default is ``yes`` which means to use the local ``.ssh/known_hosts`` file. Setting this to ``no`` turns off known-hosts checking. Or you can check that the host key -matches a specific fingerprint: -``host_key_check=3Dmd5:78:45:8e:14:57:4f:d5:45:83:0a:0e:f3:49:82:c9:c8`` -(``sha1:`` can also be used as a prefix, but note that OpenSSH -tools only use MD5 to print fingerprints). +matches a specific fingerprint. The fingerprint can be provided in +``md5``, ``sha1``, or ``sha256`` format, however, it is strongly +recommended to only use ``sha256``, since the other options are +considered insecure by modern standards. The fingerprint value +must be given as a hex encoded string:: + + host_key_check=3Dsha256:04ce2ae89ff4295a6b9c4111640bdcb3297858ee55cb434d= 9dd88796e93aa795`` + +The key string may optionally contain ":" separators between +each pair of hex digits. + +The ``$HOME/.ssh/known_hosts`` file contains the base64 encoded +host keys. These can be converted into the format needed for +QEMU using a command such as:: + + $ for key in `grep 10.33.8.112 known_hosts | awk '{print $3}'` + do + echo $key | base64 -d | sha256sum + done + 6c3aa525beda9dc83eadfbd7e5ba7d976ecb59575d1633c87cd06ed2ed6e366f - + 12214fd9ea5b408086f98ecccd9958609bd9ac7c0ea316734006bc7818b45dc8 - + d36420137bcbd101209ef70c3b15dc07362fbe0fa53c5b135eba6e6afa82f0ce - + +Note that there can be multiple keys present per host, each with +different key ciphers. Care is needed to pick the key fingerprint +that matches the cipher QEMU will negotiate with the remote server. =20 Currently authentication must be done using ssh-agent. Other authentication methods may be supported in future. 
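Review bot: the new example line in the literal block ends with two stray backticks (`...9dd88796e93aa795```) that have no opening pair; a `::` literal block renders them verbatim, so anyone copying the value gets a malformed `host_key_check=sha256:...` string. Drop them. On the same hunk: `grep 10.33.8.112 known_hosts` matches the address as an unanchored pattern (the dots are regex wildcards and `10.33.8.1120` would match too) and finds nothing when the file stores hashed hostnames (`HashKnownHosts yes`), both worth a sentence beside the example; and the closing paragraph's "different key ciphers" should read "different key types" (RSA, ECDSA, Ed25519), which is what the known_hosts field holds and what the error message in patch 3 of this series reports.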
-- 
2.31.1

From: Daniel P. Berrangé <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Hanna Reitz, Daniel P. Berrangé, "Richard W.M. Jones", qemu-block@nongnu.org
Subject: [PATCH 2/3] block: support sha256 fingerprint with pre-blockdev options
Date: Thu, 18 Nov 2021 14:35:46 +0000
Message-Id: <20211118143547.2045554-3-berrange@redhat.com>
In-Reply-To: <20211118143547.2045554-1-berrange@redhat.com>
References: <20211118143547.2045554-1-berrange@redhat.com>

When support for sha256 fingerprint checking was added in

  commit bf783261f0aee6e81af3916bff7606d71ccdc153
  Author: Daniel P. Berrangé
  Date:   Tue Jun 22 12:51:56 2021 +0100

    block/ssh: add support for sha256 host key fingerprints

it was only made to work with -blockdev. Getting it working with
-drive requires some extra custom parsing.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Hanna Reitz
---
 block/ssh.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/block/ssh.c b/block/ssh.c
index e0fbb4934b..fcc0ab765a 100644
--- a/block/ssh.c
+++ b/block/ssh.c
@@ -556,6 +556,11 @@ static bool ssh_process_legacy_options(QDict *output_o= pts, qdict_put_str(output_opts, "host-key-check.type", "sha1"); qdict_put_str(output_opts, "host-key-check.hash", &host_key_check[5]); + } else if (strncmp(host_key_check, "sha256:", 7) =3D=3D 0) { + qdict_put_str(output_opts, "host-key-check.mode", "hash"); + qdict_put_str(output_opts, "host-key-check.type", "sha256"); + qdict_put_str(output_opts, "host-key-check.hash", + &host_key_check[7]); } else if (strcmp(host_key_check, "yes") =3D=3D 0) { qdict_put_str(output_opts, "host-key-check.mode", "known_hosts= "); } else {
-- 
2.31.1

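Review bot: the prefix length `7` in `strncmp(host_key_check, "sha256:", 7)` and the offset in `&host_key_check[7]` have to be kept in step by hand, exactly as the `sha1:` branch above does with `[5]`; `g_str_has_prefix(host_key_check, "sha256:")` with `strlen("sha256:")` for the offset ties the two together and removes the magic number. The keys written (`host-key-check.mode`, `.type`, `.hash`) mirror the existing md5/sha1 branches, so the legacy `-drive` syntax now lands on the same check the `-blockdev` path uses. Spelling in the commit message: "aded" -> "added".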
From: Daniel P. Berrangé <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf, Hanna Reitz, Daniel P. Berrangé, "Richard W.M. Jones", qemu-block@nongnu.org
Subject: [PATCH 3/3] block: print the server key type and fingerprint on failure
Date: Thu, 18 Nov 2021 14:35:47 +0000
Message-Id: <20211118143547.2045554-4-berrange@redhat.com>
In-Reply-To: <20211118143547.2045554-1-berrange@redhat.com>
References: <20211118143547.2045554-1-berrange@redhat.com>

When validating the server key fingerprint fails, it is difficult
for the user to know what they got wrong.
The fingerprint accepted by QEMU is received in a different format than openssh displays. There can also be keys for multiple different ciphers in known_hosts. It may not be obvious which cipher QEMU will use and whether it will be the same as openssh. Address this by printing the server key type and its corresponding fingerprint in the format QEMU accepts. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Hanna Reitz Reviewed-by: Philippe Mathieu-Daud=C3=A9 --- block/ssh.c | 37 ++++++++++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 7 deletions(-) diff --git a/block/ssh.c b/block/ssh.c index fcc0ab765a..967a2b971e 100644 --- a/block/ssh.c +++ b/block/ssh.c @@ -386,14 +386,28 @@ static int compare_fingerprint(const unsigned char *f= ingerprint, size_t len, return *host_key_check - '\0'; } =20 +static char *format_fingerprint(const unsigned char *fingerprint, size_t l= en) +{ + static const char *hex =3D "0123456789abcdef"; + char *ret =3D g_new0(char, (len * 2) + 1); + for (size_t i =3D 0; i < len; i++) { + ret[i * 2] =3D hex[((fingerprint[i] >> 4) & 0xf)]; + ret[(i * 2) + 1] =3D hex[(fingerprint[i] & 0xf)]; + } + ret[len * 2] =3D '\0'; + return ret; +} + static int check_host_key_hash(BDRVSSHState *s, const char *hash, - enum ssh_publickey_hash_type type, Error **errp) + enum ssh_publickey_hash_type type, const char *typestr, + Error **errp) { int r; ssh_key pubkey; unsigned char *server_hash; size_t server_hash_len; + const char *keytype; =20 r =3D ssh_get_server_publickey(s->session, &pubkey); if (r !=3D SSH_OK) { @@ -401,6 +415,8 @@ check_host_key_hash(BDRVSSHState *s, const char *hash, return -EINVAL; } =20 + keytype =3D ssh_key_type_to_char(ssh_key_type(pubkey)); + r =3D ssh_get_publickey_hash(pubkey, type, &server_hash, &server_hash_= len); ssh_key_free(pubkey); if (r !=3D 0) { 
@@ -410,12 +426,16 @@ check_host_key_hash(BDRVSSHState *s, const char *hash, } =20 r =3D compare_fingerprint(server_hash, server_hash_len, hash); - ssh_clean_pubkey_hash(&server_hash); if (r !=3D 0) { - error_setg(errp, "remote host key does not match host_key_check '%= s'", - hash); + g_autofree char *server_fp =3D format_fingerprint(server_hash, + server_hash_len); + error_setg(errp, "remote host %s key fingerprint '%s:%s' " + "does not match host_key_check '%s:%s'", + keytype, typestr, server_fp, typestr, hash); + ssh_clean_pubkey_hash(&server_hash); return -EPERM; } + ssh_clean_pubkey_hash(&server_hash); =20 return 0; } @@ -436,13 +456,16 @@ static int check_host_key(BDRVSSHState *s, SshHostKey= Check *hkc, Error **errp) case SSH_HOST_KEY_CHECK_MODE_HASH: if (hkc->u.hash.type =3D=3D SSH_HOST_KEY_CHECK_HASH_TYPE_MD5) { return check_host_key_hash(s, hkc->u.hash.hash, - SSH_PUBLICKEY_HASH_MD5, errp); + SSH_PUBLICKEY_HASH_MD5, "md5", + errp); } else if (hkc->u.hash.type =3D=3D SSH_HOST_KEY_CHECK_HASH_TYPE_SH= A1) { return check_host_key_hash(s, hkc->u.hash.hash, - SSH_PUBLICKEY_HASH_SHA1, errp); + SSH_PUBLICKEY_HASH_SHA1, "sha1", + errp); } else if (hkc->u.hash.type =3D=3D SSH_HOST_KEY_CHECK_HASH_TYPE_SH= A256) { return check_host_key_hash(s, hkc->u.hash.hash, - SSH_PUBLICKEY_HASH_SHA256, errp); + SSH_PUBLICKEY_HASH_SHA256, "sha256", + errp); } g_assert_not_reached(); break; --=20 2.31.1
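Review bot: in the `@@ -386,14 +386,28 @@` hunk, `format_fingerprint()` sets `ret[len * 2] = '\0'` on a buffer that `g_new0()` has already zero-filled; keep one or the other (plain `g_new()` plus the explicit terminator makes the intent clearer). The output is bare lowercase hex with no ':' separators, which matches the canonical form the updated docs show for `host_key_check`, so the value printed can be pasted straight back into the option.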
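Review bot: in the `@@ -401,6 +415,8 @@` hunk, libssh's `ssh_key_type_to_char()` returns NULL for a key type it does not recognise, and `keytype` is later passed to a `%s` in `error_setg()`; guard it (`keytype ? keytype : "unknown"`) so an unexpected key type cannot turn a clean mismatch report into a NULL string argument to the formatter.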
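Review bot: in the `@@ -410,12 +426,16 @@` hunk, moving `ssh_clean_pubkey_hash(&server_hash)` below the comparison is needed because `format_fingerprint()` reads `server_hash` on the failure path, but the release now appears twice (before `return -EPERM` and again on the success path) and a future early return is likely to miss one. `g_autofree` is not usable here since the buffer must go back through `ssh_clean_pubkey_hash()` rather than `g_free()`; computing `server_fp` before the `if` and releasing the hash once is simpler. The message itself is a good change: it names the server's key type and prints the fingerprint in the exact `type:hex` form `host_key_check` accepts, so a user can compare it directly with the value derived from known_hosts and spot a key-type mismatch.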
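Review bot: in the `@@ -436,13 +456,16 @@` hunk, each call site now passes a string literal ("md5", "sha1", "sha256") beside the matching `SSH_PUBLICKEY_HASH_*` constant, so a mismatch between the two would surface only as a misleading error message. Deriving the name in one place from `hkc->u.hash.type` (for example via the QAPI-generated `SshHostKeyCheckHashType_str()` lookup, if that is the enum `hkc->u.hash.type` holds) would keep the label and the selected hash algorithm from drifting apart and drop the extra `typestr` parameter.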