ssh_authkey_fingerprints must use sha256 not md5

Bug #1860789 reported by Dimitri John Ledkov
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
cloud-init (Ubuntu)
Fix Released
Ryan Harper

Bug Description

ssh_authkey_fingerprints must use sha256sum not md5

on focal and up.

or maybe you should show both, becuase old ssh clients might only show md5 checksums, and like ssh clients on Windows, etc.

If you switch to show both, it then can be backported to all stable releases, as md5 is no longer secure for this purpose.

CVE References

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

ssh-add manpage has

     -E fingerprint_hash
             Specifies the hash algorithm used when displaying key fingerprints. Valid options are: “md5” and “sha256”. The default is “sha256”.

summary: - ssh_authkey_fingerprints must use sha256sum not md5
+ ssh_authkey_fingerprints must use sha256 not md5
Revision history for this message
Ryan Harper (raharper) wrote :
Revision history for this message
Dan Watkins (oddbloke) wrote :
Changed in cloud-init (Ubuntu):
status: New → Fix Committed
assignee: nobody → Ryan Harper (raharper)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 19.4-56-g06e324ff-0ubuntu1

cloud-init (19.4-56-g06e324ff-0ubuntu1) focal; urgency=medium

  * New upstream snapshot.
    - sysconfig: distro-specific config rendering for BOOTPROTO option (#162)
      [Robert Schweikert] (LP: #1800854)
    - cloudinit: replace "from six import X" imports (except in (#183)
    - run-container: use 'test -n' instead of 'test ! -z' (#202)
      [Paride Legovini]
    - net/cmdline: correctly handle static ip= config (#201)
      [Dimitri John Ledkov] (LP: #1861412)
    - Replace mock library with unittest.mock (#186)
    - HACKING.rst: update CLA link (#199)
    - Scaleway: Fix DatasourceScaleway to avoid backtrace (#128)
      [Louis Bouchard]
    - cloudinit/cmd/devel/ add missing space (#191)
    - tools/run-container: drop support for python2 (#192) [Paride Legovini]
    - Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789)
    - Make the RPM build use Python 3 (#190) [Paride Legovini]
    - cc_set_password: increase random pwlength from 9 to 20 (#189)
      (LP: #1860795) (CVE-2020-8632)
    - .travis.yml: use correct Python version for xenial tests (#185)
    - cloudinit: remove ImportError handling for mock imports (#182)
    - Do not use fallocate in swap file creation on xfs. (#70)
      [Eduardo Otubo] (LP: #1781781)
    - .readthedocs.yaml: install cloud-init when building docs (#181)
      (LP: #1860450)
    - Introduce an RTD config file, and pin the Sphinx version to the RTD
      default (#180)
    - Drop most of the remaining use of six (#179)
    - Start removing dependency on six (#178)
    - Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy]
    - docs: add proposed SRU testing procedure (#167)
    - util: rename get_architecture to get_dpkg_architecture (#173)
    - Ensure util.get_architecture() runs only once (#172)

 -- Chad Smith <email address hidden> Wed, 05 Feb 2020 13:56:17 -0700

Changed in cloud-init (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Dan Watkins (oddbloke) wrote : Fixed in cloud-init version 20.1.

This bug is believed to be fixed in cloud-init in version 20.1. If this is still a problem for you, please make a comment and set the state back to New

Thank you.

Changed in cloud-init:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers