On 05/31/2018 04:42 PM, Stefan Krusche wrote:
> On Thursday, 31 May 2018, Stefan Krusche wrote:
>> Good day everyone,
>>
>> while starting the devuan installer from
>> devuan_ascii_2.0.0-rc_amd64_netinst.iso and initiating to continue with ssh
>> remote install (in graphic expert install mode) the installer showed its
>> fingerprint as SHA256:xxx, which was new to me. It used to be an RSA key
>> fingerprint.
>>
>> Problem: when I try to connect from my other machine which is a devuan
>> jessie system to the one I'm gonna set up:
>> ssh installer@192.168.19.3
>> ssh still shows an RSA fingerprint from the installer, so I don't know how
>> to verify it (which was easy with the jessie installer just by looking).
>>
>> Not that I don't trust my own computer here but I'd like to know if I need
>> a more recent version of ssh or if there's a way to get a visual match or
>> something. Found nothing about SHA256 host keys in man ssh.
>>
>> Can anyone clarify about this to me, please?
>>
>
> So, I just found this:
> https://superuser.com/questions/929566/sha256-ssh-fingerprint-given-by-the-client-but-only-md5-fingerprint-known-for-se#929567
> according to which the fingerprint of the sshd server defaults to SHA256 from some
> version on and I'd expect it to be sent as such to the client.
>
> My older version can't seem to process option "-o FingerprintHash=sha" as
> suggested in the posting on superuser.com to get the SHA256 key fingerprint
> which is shown on the screen of the installer.
Minimum version to see the SHA256 checksum of the key is (according to
the openssh changelog) 6.8/6.8p1 (2015-03-18). Looks like Jessie is 6.7p1.
>
> Now, I don't know if the RSA key fingerprint of the sshd server of the
> installer, which my ssh client shows, is sent that way from the server (should
> be so, right?) or my ssh client is too old and with a newer one it would show
> the SHA256 key fingerprint like on the installer screen. Maybe, the installer
> has to be configured to send SHA256 key fingerprint and it isn't?
Neither the server nor the client sends (or expects) a key with a
certain fingerprint hashing scheme -- it's done on the fly (you can see
this effect with the '-o FingerprintHash=' option of newer clients).
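Since the fingerprint is only a hash computed locally over the host key blob, a client too old for FingerprintHash can still check the SHA256 value shown on the installer screen: fetch the key line with ssh-keyscan (present in 6.7) and hash it yourself. The script below is an added example, not code from this thread; the ed25519 key it embeds is constructed for demonstration and is not a real host key.

```python
import base64
import hashlib
import struct

def parse_pubkey_line(line):
    """Split an OpenSSH public key line ('ssh-rsa AAAA... comment', as printed
    by ssh-keyscan or stored in known_hosts) into (key type, raw key blob)."""
    fields = line.split()
    # known_hosts lines carry the host (or hashed host) first; skip that field
    if len(fields) >= 3 and "ssh-" not in fields[0] and "ecdsa-" not in fields[0]:
        fields = fields[1:]
    key_type, blob = fields[0], base64.b64decode(fields[1])
    # the blob starts with the key type as a length-prefixed string; cross-check it
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type field does not match blob")
    return key_type, blob

def fingerprint_sha256(blob):
    """Format shown by OpenSSH >= 6.8: base64(SHA256(blob)) without '=' padding."""
    return base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()

def fingerprint_md5(blob):
    """Legacy format shown by OpenSSH < 6.8: colon-separated hex of MD5(blob).
    Newer ssh-keygen -E md5 prints the same digits behind an 'MD5:' prefix."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprints_for_line(line):
    """Both fingerprint forms for one key line, so either can be compared by eye."""
    key_type, blob = parse_pubkey_line(line)
    return {"type": key_type,
            "sha256": "SHA256:" + fingerprint_sha256(blob),
            "md5": "MD5:" + fingerprint_md5(blob)}

def _constructed_ed25519_line():
    # Constructed sample key (not a real host key). ed25519 wire format is
    # string("ssh-ed25519") || string(32-byte public key).
    pub = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

SAMPLE_LINE = _constructed_ed25519_line()

if __name__ == "__main__":
    # Real use: ssh-keyscan -t rsa 192.168.19.3 | python3 this_script.py
    import sys
    lines = [SAMPLE_LINE] if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for line in lines:
        if line.strip():
            fp = fingerprints_for_line(line)
            print(fp["type"], fp["sha256"], fp["md5"])
```

Compare the SHA256 line against what the installer screen shows; if the MD5 form matches what your old client prints for the same host, both values came from the same key.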