Bug 7642 - Wrong host key fingerprint shown for certificates
Summary: Wrong host key fingerprint shown for certificates
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
Blocks: 7641
Reported: 2021-02-10 12:58 CET by Pierre Ossman
Modified: 2021-06-08 13:45 CEST

Description Pierre Ossman cendio 2021-02-10 12:58:08 CET
When a certificate host key is used (instead of a simple host key), the fingerprint shown by ThinLinc is not the same as the fingerprint shown by OpenSSH. This can be very confusing for users and makes it difficult to verify that the correct key is used.

The reason for the difference is that OpenSSH does not generate the fingerprint from the certificate host key directly. For certificates it first converts them to a simple host key, and then shows the fingerprint of that.

This unfortunately means we need to know which key types are certificates, and what their internal structure looks like. It also means that two keys can have the same fingerprint, even if one is a certificate and one is a plain key.
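
The conversion described above, as an added example (not ThinLinc or OpenSSH code): it rebuilds the plain key blob from a certificate blob using the field layouts in OpenSSH's PROTOCOL.certkeys, which goes beyond one key type to cover Ed25519, RSA, DSA and ECDSA, and hashes the result. The function names, the field-count table and the sample key, nonce and certificate bytes are constructed for illustration; the certificate's CA key and signature are dummies.

```python
import base64
import hashlib
import struct

CERT_SUFFIX = b"-cert-v01@openssh.com"
# Number of length-prefixed public key fields that follow the nonce in a
# certificate; the same fields, in the same order, form the plain key blob.
KEY_FIELDS = {b"ssh-ed25519": 1, b"ssh-rsa": 2, b"ssh-dss": 4,
              b"ecdsa-sha2-nistp256": 2, b"ecdsa-sha2-nistp384": 2,
              b"ecdsa-sha2-nistp521": 2}

def ssh_string(data):
    return struct.pack(">I", len(data)) + data

def read_string(blob, offset):
    """Read one length-prefixed field, rejecting truncated input."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length")
    end = offset + 4 + struct.unpack_from(">I", blob, offset)[0]
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def plain_key_blob(blob):
    """Return the plain host key blob for a plain or certificate key blob."""
    key_type, offset = read_string(blob, 0)
    if not key_type.endswith(CERT_SUFFIX):
        return blob  # already a plain key
    plain_type = key_type[:-len(CERT_SUFFIX)]
    if plain_type not in KEY_FIELDS:
        raise ValueError("unknown certificate type: %r" % key_type)
    _nonce, offset = read_string(blob, offset)  # the nonce is dropped
    out = ssh_string(plain_type)
    for _ in range(KEY_FIELDS[plain_type]):
        field, offset = read_string(blob, offset)
        out += ssh_string(field)
    return out

def fingerprint(blob, as_plain=True):
    """SHA256 fingerprint; as_plain=False hashes the certificate itself."""
    data = plain_key_blob(blob) if as_plain else blob
    digest = hashlib.sha256(data).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed sample: dummy Ed25519 key, host certificate with dummy signature
PLAIN = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
CERT = (ssh_string(b"ssh-ed25519" + CERT_SUFFIX) + ssh_string(b"\x11" * 32)
        + ssh_string(bytes(range(32))) + struct.pack(">QI", 1, 2)
        + ssh_string(b"constructed-id") + ssh_string(ssh_string(b"host.example"))
        + struct.pack(">QQ", 0, 2**64 - 1) + ssh_string(b"") * 3
        + ssh_string(b"dummy-ca-key") + ssh_string(b"dummy-signature"))
```

With these definitions `fingerprint(CERT)` equals `fingerprint(PLAIN)`, while `fingerprint(CERT, as_plain=False)` gives the differing value that results from hashing the certificate blob directly.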
Comment 2 Pierre Ossman cendio 2021-06-08 13:45:38 CEST
This currently works again because we automatically downgrade certificate host keys right now (see bug 7643).

However, if we want to properly support them in the future, then this bug needs to be fixed as well.
