Switch debug logging in client.py to use key.fingerprint #2287

Open: wants to merge 3 commits into base: main

bskinn (Contributor) commented Aug 22, 2023

Per #396, FIPS mode rejects .get_fingerprint() because it uses MD5.

The .fingerprint property uses SHA256, which is FIPS-compatible.

This addresses the latest FIPS problem reported in #396. We'll see if it solves all the FIPS problems.

Per paramiko#396, FIPS mode rejects .get_fingerprint() because it
uses MD5.

The .fingerprint property uses SHA256, which is FIPS-compatible.
@bskinn bskinn mentioned this pull request Aug 22, 2023

bskinn (Contributor Author) commented Aug 22, 2023

@gubenkoved, can you test with my fork branch to see if this clears the path for FIPS?

@gubenkoved

Hi @bskinn -- I've tested using this branch under FIPS-enabled OpenSSL, it seems to work!

root@170468b0597c:~# python3
Python 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import paramiko
>>> client = paramiko.client.SSHClient()
>>> client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
>>> client.connect('10.29.24.3', username='admin', password='admin')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.10/dist-packages/paramiko/client.py", line 460, in connect
    self._policy.missing_host_key(
  File "/usr/local/lib/python3.10/dist-packages/paramiko/client.py", line 859, in missing_host_key
    key.get_name(), hostname, hexlify(key.get_fingerprint())
  File "/usr/local/lib/python3.10/dist-packages/paramiko/pkey.py", line 344, in get_fingerprint
    return md5(self.asbytes()).digest()
ValueError: [digital envelope routines] unsupported
...
root@170468b0597c:~# python3 -m pip install git+https://github.com/bskinn/paramiko.git@396-upgrade-log-fingerprints
root@170468b0597c:~# python3
Python 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import paramiko
>>> client = paramiko.client.SSHClient()
>>> client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
>>> client.connect('10.29.24.3', username='admin', password='admin')
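
An added example (not code from this PR or from paramiko) illustrating the change discussed in this thread using only `hashlib`: it builds the fingerprint in the `SHA256:<base64>` form and treats the legacy MD5 form as optional, catching the `ValueError` shown in the traceback above. The function names, log wording, hostname and sample key blob are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct


def key_type(blob: bytes) -> str:
    """Read the algorithm name: the first length-prefixed string in the blob."""
    if len(blob) < 4:
        raise ValueError("blob too short for a length prefix")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("algorithm name length exceeds blob size")
    return blob[4:4 + n].decode("ascii")


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes):
    """Legacy colon-separated MD5 form, or None when the digest is refused."""
    try:
        digest = hashlib.md5(blob).digest()
    except ValueError:  # the error in the traceback above (FIPS-enabled OpenSSL)
        return None
    return ":".join(f"{b:02x}" for b in digest)


def debug_line(hostname: str, blob: bytes) -> str:
    """Build a host-key log message that never depends on MD5.

    The message wording is illustrative, not paramiko's own.
    """
    return (f"Adding {key_type(blob)} host key for {hostname}: "
            f"{sha256_fingerprint(blob)}")


# Constructed sample: an ed25519-shaped blob carrying a dummy 32-byte key.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(range(32)))

if __name__ == "__main__":
    print(debug_line("host.example", SAMPLE_BLOB))
    print("legacy MD5:", md5_fingerprint(SAMPLE_BLOB) or "unavailable")
```

On a host where MD5 is blocked, `md5_fingerprint` returns `None` while `debug_line` still produces its message, which is the property the logging path needs.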
