-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable FIPS compatibility for python 3.9+ #2189
base: main
Are you sure you want to change the base?
Conversation
The same pull #1928 has been requested. |
8c99aca
to
c598539
Compare
Changes in this PR do not change functionality and it should be harmless to merge. Could we have the fix merged before evaluating the other related PR (#1928) that might bring many changes? |
Perhaps so, but that's not the only consideration. Are there any non-FIPS circumstances where it might be desirable for the If so, then at least some discussion seems worthwhile as to whether |
@bskinn luckily no, the usage of md5 in the code is to calculate the fingerprint of the public key which is not a security issue as it is not hashing passwords or secrets but the public key and always that, so adding
https://docs.python.org/3/library/hashlib.html#hash-algorithms |
Ah, ok -- makes sense. It would be good to document this explicitly, either with a code comment or a remark in the docstring. If there's a straightforward test that could be added, that'd be ideal too. This also calls for a CHANGELOG entry, I think. |
Hi! How are you? Can we help somehow to make this advance and merge it? We're deploying a fork of paramiko and it's not the best situation. Thank you! |
Flagging for consideration as part of the key/auth work on #387 |
I'd rather see the hash algorithm changed to some SHA-256 or SHA-512, since IMHO, hashing public keys is a security context, presumably because the caller would be making some decision based on the hash. So marking |
Starting from python 3.9, a keyword-only argument "usedforsecurity" is introduced in hashlib hashing algorithms.
In a FIPS environment MD5 algorithm can not be used in a security context.
This change sets this not security context for MD5 fingerprint.