From: Andrew Schulman <schulman.andrew@epa.gov>
To: cygwin-apps@cygwin.com
Subject: Re: cygport upload: patch for openssh 6.8p1
Date: Sat, 30 May 2015 21:22:00 -0000 [thread overview]
Message-ID: <j5akmatr5evakc8raip10v3avvhsjvcedr@4ax.com> (raw)
In-Reply-To: <1432929978.7892.19.camel@cygwin.com>
[-- Attachment #1: Type: text/plain, Size: 1391 bytes --]
> On Sun, 2015-05-24 at 12:32 -0400, Andrew Schulman wrote:
> > Since the latest update to openssh, ssh-keygen's output format for key
> > fingerprints has changed. The default hash algorithm is now base64-encoded
> > SHA256 instead of MD5, and the hash name precedes its value, like
> >
> > SHA256:lvRrjAXmEhzDp5kQqzelsei8s5hXJ+zLaqJ2yiGXmYc
> >
> > This breaks the current logic for detecting key fingerprints in cygport's
> > lib/pkg_upload.cygpart. The attached patch fixes the problem. (You might know
> > a more precise regex for the base64-encoded hash value than I do. I couldn't
> > find any documentation of it anywhere, and just settled for
> >
> > SHA256:.{44}
>
> There's another problem: this is new to 6.8; any out-of-date Cygwin
> systems, or even current RHEL or Fedora 21 systems, won't have this, nor
> do they support the -E flag which could be used to specify md5.
>
> Any thoughts on a better regex or on keeping compatibility with other
> systems?
Right, OK. See the attached revised patch, which uses
[0-9a-f]{2}(:[0-9a-f]{2}){15}|SHA256:.{44}
to detect the key fingerprint. The left side is the same as now, for pre-6.8
systems, which use MD5 without a label. The right side is for version 6.8 and
later, where the default is SHA256 with the label 'SHA256:' prepended. So this
should cover all cases.
Andrew
[-- Attachment #2: pkg_upload_key_fingerprint.patch --]
[-- Type: application/octet-stream, Size: 666 bytes --]
--- lib/pkg_upload.cygpart 2015-03-23 02:05:43.493625000 -0400
+++ lib/pkg_upload.cygpart 2015-05-24 12:15:31.969700900 -0400
@@ -74,7 +74,7 @@
if ssh-add -l >/dev/null 2>/dev/null
then
# ssh-agent is already running. Get key fingerprint:
- key_fingerprint=$(ssh-keygen -l -f "$SSH_KEY" | egrep -o '[0-9a-f]{2}(:[0-9a-f]{2}){15}') \
+ key_fingerprint=$(ssh-keygen -l -f "$SSH_KEY" | egrep -o '[0-9a-f]{2}(:[0-9a-f]{2}){15}|SHA256:.{44}') \
|| error "Can't read key fingerprint of ${SSH_KEY}. Not a private key file, or corresponding public key file is missing?"
# Load key into ssh-agent, if it's not already loaded (prompts for passphrase):
next prev parent reply other threads:[~2015-05-30 21:22 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-24 16:32 Andrew Schulman
2015-05-29 20:06 ` Yaakov Selkowitz
2015-05-30 21:22 ` Andrew Schulman [this message]
2015-06-01 8:04 ` Andrew Schulman
2015-06-03 4:23 ` Yaakov Selkowitz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=j5akmatr5evakc8raip10v3avvhsjvcedr@4ax.com \
--to=schulman.andrew@epa.gov \
--cc=cygwin-apps@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).