From fdaddd910e97a67815d7298ae2485fcc5d90e0e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
Date: Wed, 23 Jun 2021 10:46:48 +0100
Subject: [PATCH] rpc: prefer SHA256 host key fingerprint with new libssh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The host key fingerprint for SSH servers is used in a scenario where cryptographic strength is important. We should thus be defaulting to use of SHA256 where available. We only need SHA1 for Ubuntu 18.04 which does not have libssh >= 0.8.1

Reviewed-by: Pavel Hrdina
Signed-off-by: Daniel P. Berrangé
---
 src/rpc/virnetlibsshsession.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/rpc/virnetlibsshsession.c b/src/rpc/virnetlibsshsession.c
index 50ace5f41d..22d54c99be 100644
--- a/src/rpc/virnetlibsshsession.c
+++ b/src/rpc/virnetlibsshsession.c
@@ -39,6 +39,12 @@ VIR_LOG_INIT("rpc.netlibsshsession");
 
 #define VIR_NET_LIBSSH_BUFFER_SIZE 1024
 
+#if LIBSSH_VERSION_INT < SSH_VERSION_INT(0, 8, 1)
+# define VIR_SSH_HOSTKEY_HASH SSH_PUBLICKEY_HASH_SHA1
+#else
+# define VIR_SSH_HOSTKEY_HASH SSH_PUBLICKEY_HASH_SHA256
+#endif
+
 /* TRACE_LIBSSH= enables tracing in libssh itself.
  * The meaning of is described here:
  * https://api.libssh.org/master/group__libssh__log.html
@@ -203,9 +209,10 @@ virLibsshServerKeyAsString(virNetLibsshSession *sess)
         return NULL;
     }
 
-    /* calculate remote key hash, using SHA1 algorithm that is
-     * usual in OpenSSH. The returned value must be freed */
-    ret = ssh_get_publickey_hash(key, SSH_PUBLICKEY_HASH_SHA1,
+    /* calculate remote key hash, using SHA256 algorithm that is
+     * the default in modern OpenSSH, fallback to SHA1 for older
+     * libssh. The returned value must be freed */
+    ret = ssh_get_publickey_hash(key, VIR_SSH_HOSTKEY_HASH,
                                  &keyhash, &keyhashlen);
     ssh_key_free(key);
     if (ret < 0) {
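Review bot: The new `#if LIBSSH_VERSION_INT < SSH_VERSION_INT(0, 8, 1)` guard around VIR_SSH_HOSTKEY_HASH gives no reason for the 0.8.1 cut-off, so a later maintainer cannot tell whether it is an API-availability bound that can be dropped once old distros are gone or a deliberate policy choice; the commit message has that information but the code does not. I would put it next to the macro: `/* SSH_PUBLICKEY_HASH_SHA256 needs libssh >= 0.8.1; the SHA1 branch exists only for distros still shipping older libssh and should go when they do */`. It is also worth stating in that comment that the two branches yield digests of different lengths (20 vs 32 bytes), so any consumer must size from keyhashlen rather than a constant; I cannot see such a consumer in this hunk, so that is a check to make rather than a defect found.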
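Review bot: After this change the string produced by virLibsshServerKeyAsString no longer identifies a single fixed algorithm, yet nothing in the hunk records which one was used, so a SHA256 value from a new libssh and a SHA1 value from an old one are presumably indistinguishable to the caller and to a user comparing the prompt against `ssh-keygen -l`, which prints `SHA256:<base64>`. I would pair the macro with a name, `# define VIR_SSH_HOSTKEY_HASH_NAME "SHA256"` (and `"SHA1"` in the fallback branch), and prefix the returned string with it so the user-facing fingerprint is self-describing and cannot be confused across builds. The formatting of keyhash happens after `if (ret < 0) {`, outside the hunk, and the function's body continues past it, so I cannot verify what encoding is used today.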