Sunday, March 31, 2019

Re: ssh-keygen(1) fingerprint hashes

On 2019-03-31, randy.hartman@gmail.com <randy.hartman@gmail.com> wrote:

> ssh-keygen's available hashes are md5, sha1, sha256, sha384, and
> sha512 (See digest-{openssl,libc}.c). ssh-keygen(1)'s man page
> shows valid fingerprint hashes as only md5 and sha256. All these
> hashes[1] were available when the man page declared only the subset
> as valid. I'm able to use the others with the -E option but is
> there a reason to not consider them valid?

It's an implementation artifact and the other hash algorithms don't
add any value.

MD5 hashes were historically used, but MD5 is broken. SHA256 is
the modern replacement for this purpose.

--
Christian "naddy" Weisgerber naddy@mips.inka.de
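
An added example, not part of the original thread: how the two documented fingerprint formats are derived from the same public key blob. The key is a constructed placeholder (not a real key) and the function names are hypothetical.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def make_sample_pubkey_line() -> str:
    """Build a constructed ed25519 public key line (bytes 0..31, not a real key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


def parse_pubkey_line(line: str):
    """Return (key_type, blob); reject lines whose blob names a different type."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match the line's type field")
    return key_type, blob


def fingerprint(line: str, hash_name: str = "sha256") -> str:
    """Hash the decoded key blob and format it the way ssh-keygen -l prints it."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.new(hash_name, blob).digest()
    if hash_name == "md5":
        # Legacy format: colon-separated hex pairs.
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    # Modern format: base64 of the digest with '=' padding removed.
    return hash_name.upper() + ":" + base64.b64encode(digest).decode().rstrip("=")


if __name__ == "__main__":
    sample = make_sample_pubkey_line()
    for name in ("md5", "sha256"):
        print(fingerprint(sample, name))
```

Both values are hashes of the decoded blob only, so the comment field of the key line does not affect the fingerprint.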
