New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Show MD5 Hash of Fingerprint in Verbose Output #102
Comments
I probably should have explained my use case for this a bit better... When I work on projects that use an SSH component, I often need to analyse and review logs from a live environment. As part of this analysis, it's useful to be able to check the fingerprint returned by a client tool against an audit of the server that it's connecting to. I'm not advocating the use of PuTTY client tools ( |
Sure, we can include the MD5 hash for verbose output.
|
@jtesta - Although Therefore I'd like to have a single source of truth for all the fingerprint hash types that In my proof of concept, I'm using the fingerprint_hash_types_all = [elem for elem in dir(Fingerprint) if not elem.startswith('__')] This works nicely in my proof of concept but my I'm a bit concerned that this would break if in the future someone adds a new member to the To avoid this problem, can you think of any way to tag members of the I'm open to options if you have a better suggestions... |
@jtesta Please can you review PR #104. This PR adds the ability to specify hash types that should appear in verbose output. This is achieved by adding the hash type to the Below are some example usages where Verbose output:
Verbose output as JSON:NB: In the example below I've placed each fingerprint object on a separate line to make it easier to read.
Batch output (batch output implicitly enables verbose output):
|
@jtesta For some reason Travis CI didn't seem to add any feedback to the PR. There was one thing in the PR that I was not entirely happy with... |
@jtesta Sorry to chase, I just wondered if you've had a chance to review the PR? |
@thecliguy Thanks for the ping. I needed a push to prioritize this again. After looking over your PR, if I'm understanding your goals correctly, it seems like it can be done with a simpler patch. See the I opted to leave the output format of the fingerprints section the same, since it keeps the important information outside of comments. Besides this, does my patch do what you were hoping for? |
Hi @jtesta Thanks for looking into this, please see my feedback... Hardcoded Logic Around MD5I think hardcoding conditional logic around What I was trying to do is make it easy to control which algorithms appear in the verbose output. So let's say in the future there's a desire to add support for additional hashing algorithms and you want them to appear in verbose output only, then all you need to do is update JSON Property Name ChangesThere's a breaking change in your code because you've updated some json property names:
I think it's important to tread carefully here... When a tool provides a structured data format like json, users expect this to be a safe way to parse output. If anyone has written code that parses the json output, it may not work once those property names have changed. So if you do go ahead and change the property names, I'd suggest noting this as a breaking change in the next release. Text ColourThere's a convention in ssh-audit that red text indicates something undesirable... I don't think that MD5 fingerprints should appear in red, I think white text would be more appropriate. |
I'm doubtful that another standard fingerprint format will be coming any time soon. But if it does, I'd be happy to cross that bridge later. In the meantime, I'm a fan of not over-engineering the code.
Yep, that was my plan!
Using MD5 fingerprints is indeed undesirable. But perhaps I can make note of that in a comment. Thanks for the feedback! |
I didn't argue my point about the text colour very well... Red text ought to be reserved specifically for undesirable configuration where the user should take action to fix it. Whilst I agree that using MD5 hashing is not desirable these days it's presence on an ssh-audit report is not highlighting a defect with the target server that needs to be addressed by the user. It's just an additional piece of information that will appear even on a perfectly configured server. |
I feel quite strongly that we should not dilute the significance of red text. A target server that doesn't exhibit any issues that need investigation by the user shouldn't contain any output in red text. |
Ok. Please have a look at 0786248. I made it output the MD5 hash in white instead of red. |
Looks good to me, thanks for you persistence 👍 |
Great! Thanks for the help!! |
When when verifying host keys, PuTTY, plink and psftp use an
md5
hash rather than asha256
hash.plink 0.74 - Example Output (click to expand):
Currently
ssh-audit
only shows fingerprints in the form of asha256
hash. Do you have any objection to also showing themd5
hash if the verbose (-v
/--verbose
) parameter has been provided?I've built a proof-of-concept that I can share.
By the way, the
Fingerprint
class is already capable of producing anmd5
hash, it's just not currently used:ssh-audit/src/ssh_audit/fingerprint.py
Lines 33 to 37 in 2f1a2a6
The text was updated successfully, but these errors were encountered: