feature request - ssh public key fingerprints #12132
Comments
I'm not familiar with the exact format of SSH public key fingerprints, but in general if they're a hash of some serialization of the key, then you need to compute the serialization. Several key types, e.g. RSA, do not have a "raw bytes" notion at all. |
Thank you for your reply. By fingerprint what is meant is the md5 or sha256 hash of the base64 decoded bytes. What you get from command as: cryptography could provide this, as a convenience to the user, by hashing the memoryview passed into the
By "raw bytes", I am referring to formats such as those defined in RFC4523 and implemented in the serialization/ssh.py module. The "ssh-rsa" key format has the following specific encoding:
|
Ok. I think it'd be reasonable to add an API to the ssh module that returns
the fingerprint -- this should be able to reuse the existing key
serialization logic from `encode_public`.
Would you be interested in submitting a PR for this?
On Thu, Dec 12, 2024 at 9:45 AM user3472g <***@***.***> wrote:
thank you for your reply.
By fingerprint what is meant is the md5 or sha256 hash of the base64
decoded bytes. What you get from command as: `ssh-keygen -lf
/path/to/key.pub` or `ssh-keygen -l -E md5 -f /path/to/key.pub` for md5.
cryptography could provide this, as a convenience to the user, by hashing
the memoryview passed into the load_public calls in the various private *SSHFormat
classes and making the hash value available in the class returned from
load_ssh_public* calls.
Alternatively, the user could get back to the original "raw" key bytes by
using the "encode_public" methods and prepending the key type and length,
`original = b'\x07ssh-rsa' + key.encode_public()`, which they could then hash
themselves, if the user had access to the encode_public methods.
--
All that is necessary for evil to succeed is for good people to do nothing.
|
Perhaps the feature is there but I cannot find it.
Is there a way to obtain the md5 or sha256 fingerprint of a public key?
With ed25519 it can be done as:
`hashlib.md5(key.public_bytes_raw()).hexdigest()`
Other formats do not support Raw encoding.
Seems wasteful to have to base64 or DER decode the key bytes, again, to get the raw bytes for hashing.
thank you
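An added example, not part of the issue thread and not code from the cryptography project: computing the fingerprints `ssh-keygen -l` displays by hashing the base64-decoded blob of an OpenSSH public key line, using only the standard library. The function names (`read_string`, `ssh_fingerprints`, `make_sample_line`) are hypothetical, the sample key is constructed from placeholder bytes, and the blob's fields are read as SSH strings with a 4-byte big-endian length prefix.

```python
import base64
import hashlib
import struct


def read_string(buf, offset=0):
    """Read one SSH 'string' (uint32 big-endian length + bytes) from buf."""
    if len(buf) < offset + 4:
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[offset + 4:end], end


def ssh_fingerprints(pubkey_line):
    """Return (md5, sha256) fingerprints in ssh-keygen's display format."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with its own copy of the key type; reject a mismatch.
    inner_type, _ = read_string(blob)
    if inner_type != declared_type.encode("ascii"):
        raise ValueError("key type does not match blob")
    md5_hex = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    md5_fp = "MD5:" + ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return md5_fp, "SHA256:" + sha_b64.rstrip("=")


def make_sample_line(comment):
    """Constructed sample: an ssh-ed25519 blob around 32 placeholder bytes."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " " + comment


if __name__ == "__main__":
    for fp in ssh_fingerprints(make_sample_line("alice@example")):
        print(fp)
```

The fingerprint covers only the decoded blob, so the trailing comment field does not affect it, and a line whose declared type disagrees with the type inside the blob is rejected.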