Removed support for hmac-md5 and truncated hmac-sha1 #688
Open: alex wants to merge 2 commits into paramiko:main from alex:patch-1
Member (Author):
Failing test appears to be a known one.
Member:
Dropping this in 3.0 mostly because I've been telling folks 2.0 will remain API/behavior compatible. As noted elsewhere 3.0 will still go out in the nearish future :) thanks!
These are being removed from OpenSSH as well: openssh/openssh-portable@714e367
openstack-mirroring pushed a commit to openstack/networking-generic-switch that referenced this pull request, Mar 5, 2025
In order for n-g-s to be able to run on a node in FIPS enforcing mode,
it *must* not use md5. However, paramiko's code has a get_fingerprint
call where it is fingerprinting data for the exchange to identify
a difference, which can use any algorithm realistically.
Anyhow, this is necessary because it appears that paramiko's maintainer
is not really interested in fixing the md5 usage. As a result, we're
forced to monkeypatch paramiko, which is loaded by netmiko, which is
what NGS uses.
This should be fixed in paramiko, but also it seems several changes
been proposed without forward movement.
https://github.com/paramiko/paramiko/pull/688
https://github.com/paramiko/paramiko/pull/1103
https://github.com/paramiko/paramiko/pull/2189
https://github.com/paramiko/paramiko/pull/2496
https://github.com/paramiko/paramiko/issues/2383
https://github.com/paramiko/paramiko/issues/396
Related-Bug: 2098819
Change-Id: Ia3fb9d2baa14be1726197d1115e92adc9ce5ce0a
openstack-mirroring pushed a commit to openstack/openstack that referenced this pull request, Mar 5, 2025
* Update networking-generic-switch from branch 'master'
to b351b9136d569b02c8b94df3e52fdd10038df3c4
- Merge "don't use paramiko's get_fingerprint (md5)"
- don't use paramiko's get_fingerprint (md5)
In order for n-g-s to be able to run on a node in FIPS enforcing mode,
it *must* not use md5. However, paramiko's code has a get_fingerprint
call where it is fingerprinting data for the exchange to identify
a difference, which can use any algorithm realistically.
Anyhow, this is necessary because it appears that paramiko's maintainer
is not really interested in fixing the md5 usage. As a result, we're
forced to monkeypatch paramiko, which is loaded by netmiko, which is
what NGS uses.
This should be fixed in paramiko, but also it seems several changes
been proposed without forward movement.
https://github.com/paramiko/paramiko/pull/688
https://github.com/paramiko/paramiko/pull/1103
https://github.com/paramiko/paramiko/pull/2189
https://github.com/paramiko/paramiko/pull/2496
https://github.com/paramiko/paramiko/issues/2383
https://github.com/paramiko/paramiko/issues/396
Related-Bug: 2098819
Change-Id: Ia3fb9d2baa14be1726197d1115e92adc9ce5ce0a
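The commit message above notes that the fingerprint is only used to tell one key from another, so any digest will do. The following is an added example, not code from paramiko, netmiko or networking-generic-switch: a standard-library fingerprint comparison that never touches MD5 and so keeps working on a FIPS-enforcing host. The function names and the sample key blobs are constructed for illustration.

```python
import base64
import hashlib
import hmac


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte length prefix)."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample blobs in SSH public-key wire format; not real host keys.
SAMPLE_KEY_A = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_KEY_B = ssh_string(b"ssh-ed25519") + ssh_string(bytes([1]) * 32)


def md5_usable() -> bool:
    """Report whether hashlib will hand out MD5 on this host."""
    try:
        hashlib.md5(b"")
        return True
    except ValueError:  # OpenSSL in FIPS mode refuses the digest
        return False


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def keys_differ(old_blob: bytes, new_blob: bytes) -> bool:
    """Detect a changed key by comparing SHA-256 fingerprints, never MD5."""
    old_fp = sha256_fingerprint(old_blob)
    new_fp = sha256_fingerprint(new_blob)
    return not hmac.compare_digest(old_fp, new_fp)


if __name__ == "__main__":
    print("MD5 available here:", md5_usable())
    print(sha256_fingerprint(SAMPLE_KEY_A))
    print("key changed:", keys_differ(SAMPLE_KEY_A, SAMPLE_KEY_B))
```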