[PATCH 1/3] block: better document SSH host key fingerprint checking

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 1/3] block: better document SSH host key fingerprint checking

From:	Daniel P . Berrangé
Subject:	[PATCH 1/3] block: better document SSH host key fingerprint checking
Date:	Thu, 18 Nov 2021 14:35:45 +0000

The docs still illustrate host key fingerprint checking using the old
md5 hashes which are considered insecure and obsolete. Change it to
illustrate using a sha256 hash. Also show how to extract the hash
value from the known_hosts file.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 docs/system/qemu-block-drivers.rst.inc | 30 ++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/docs/system/qemu-block-drivers.rst.inc 
b/docs/system/qemu-block-drivers.rst.inc
index 16225710eb..2aeeaf6361 100644
--- a/docs/system/qemu-block-drivers.rst.inc
+++ b/docs/system/qemu-block-drivers.rst.inc
@@ -778,10 +778,32 @@ The optional *HOST_KEY_CHECK* parameter controls how the 
remote
 host's key is checked.  The default is ``yes`` which means to use
 the local ``.ssh/known_hosts`` file.  Setting this to ``no``
 turns off known-hosts checking.  Or you can check that the host key
-matches a specific fingerprint:
-``host_key_check=md5:78:45:8e:14:57:4f:d5:45:83:0a:0e:f3:49:82:c9:c8``
-(``sha1:`` can also be used as a prefix, but note that OpenSSH
-tools only use MD5 to print fingerprints).
+matches a specific fingerprint. The fingerprint can be provided in
+``md5``, ``sha1``, or ``sha256`` format, however, it is strongly
+recommended to only use ``sha256``, since the other options are
+considered insecure by modern standards. The fingerprint value
+must be given as a hex encoded string::
+
+  
host_key_check=sha256:04ce2ae89ff4295a6b9c4111640bdcb3297858ee55cb434d9dd88796e93aa795``
+
+The key string may optionally contain ":" separators between
+each pair of hex digits.
+
+The ``$HOME/.ssh/known_hosts`` file contains the base64 encoded
+host keys. These can be converted into the format needed for
+QEMU using a command such as::
+
+   $ for key in `grep 10.33.8.112 known_hosts | awk '{print $3}'`
+     do
+       echo $key | base64 -d | sha256sum
+     done
+     6c3aa525beda9dc83eadfbd7e5ba7d976ecb59575d1633c87cd06ed2ed6e366f  -
+     12214fd9ea5b408086f98ecccd9958609bd9ac7c0ea316734006bc7818b45dc8  -
+     d36420137bcbd101209ef70c3b15dc07362fbe0fa53c5b135eba6e6afa82f0ce  -
+
+Note that there can be multiple keys present per host, each with
+different key ciphers. Care is needed to pick the key fingerprint
+that matches the cipher QEMU will negotiate with the remote server.
 
 Currently authentication must be done using ssh-agent.  Other
 authentication methods may be supported in future.
-- 
2.31.1

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 0/3] block: misc fixes & improvements for SSH block driver key fingerprints, Daniel P . Berrangé, 2021/11/18
- [PATCH 1/3] block: better document SSH host key fingerprint checking, Daniel P . Berrangé <=
- [PATCH 2/3] block: support sha256 fingerprint with pre-blockdev options, Daniel P . Berrangé, 2021/11/18
- [PATCH 3/3] block: print the server key type and fingerprint on failure, Daniel P . Berrangé, 2021/11/18

Prev by Date: [PATCH 0/3] block: misc fixes & improvements for SSH block driver key fingerprints
Next by Date: [PATCH 2/3] block: support sha256 fingerprint with pre-blockdev options
Previous by thread: [PATCH 0/3] block: misc fixes & improvements for SSH block driver key fingerprints
Next by thread: [PATCH 2/3] block: support sha256 fingerprint with pre-blockdev options
Index(es):
- Date
- Thread