Switch debug logging in client.py to use key.fingerprint #2287

15 changes: 6 additions & 9 deletions paramiko/client.py
Expand Up @@ -20,7 +20,6 @@
SSH client & key policies
"""

from binascii import hexlify
import getpass
import inspect
import os
Expand Down Expand Up @@ -640,7 +639,7 @@ def _key_from_filepath(self, filename, klass, password):
# when #387 is released, since this is a critical log message users are
# likely testing/filtering for (bah.)
msg = "Trying discovered key {} in {}".format(
hexlify(key.get_fingerprint()), key_path
key.fingerprint, key_path
)
self._log(DEBUG, msg)
# Attempt to load cert if it exists.
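Review bot: The comment at the top of this hunk says this is a critical log message that users are likely testing or filtering for, and the `key.fingerprint` line changes the value printed in it. Anything matching on the old hexlified `get_fingerprint()` output in "Trying discovered key {} in {}" will stop matching, so the changelog entry should state explicitly that the logged fingerprint format changes, and the comment above this line could be updated to say so as well.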
Expand Down Expand Up @@ -708,9 +707,7 @@ def _auth(
try:
self._log(
DEBUG,
"Trying SSH key {}".format(
hexlify(pkey.get_fingerprint())
),
"Trying SSH key {}".format(pkey.fingerprint),
)
allowed_types = set(
self._transport.auth_publickey(username, pkey)
Expand Down Expand Up @@ -746,7 +743,7 @@ def _auth(

for key in self._agent.get_keys():
try:
id_ = hexlify(key.get_fingerprint())
id_ = key.fingerprint
self._log(DEBUG, "Trying SSH agent key {}".format(id_))
# for 2-factor auth a successfully auth'd key password
# will return an allowed 2fac auth method
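Review bot: `id_ = key.fingerprint` runs on whatever `self._agent.get_keys()` returns rather than on keys loaded from disk, so it is worth confirming that agent keys expose the `fingerprint` property and adding a test that exercises this branch. `id_` also changes from the bytes that `hexlify` produced to the property's value; if it is used again further down this loop, outside the lines shown, check that use too.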
Expand Down Expand Up @@ -856,7 +853,7 @@ def missing_host_key(self, client, hostname, key):
client._log(
DEBUG,
"Adding {} host key for {}: {}".format(
key.get_name(), hostname, hexlify(key.get_fingerprint())
key.get_name(), hostname, key.fingerprint
),
)

Expand All @@ -871,7 +868,7 @@ def missing_host_key(self, client, hostname, key):
client._log(
DEBUG,
"Rejecting {} host key for {}: {}".format(
key.get_name(), hostname, hexlify(key.get_fingerprint())
key.get_name(), hostname, key.fingerprint
),
)
raise SSHException(
Expand All @@ -888,6 +885,6 @@ class WarningPolicy(MissingHostKeyPolicy):
def missing_host_key(self, client, hostname, key):
warnings.warn(
"Unknown {} host key for {}: {}".format(
key.get_name(), hostname, hexlify(key.get_fingerprint())
key.get_name(), hostname, key.fingerprint
)
)
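Review bot: This call is `warnings.warn`, not a `_log(DEBUG, ...)` call, so the change to the "Unknown {} host key for {}: {}" text is user-facing and falls outside "debug logging" as the PR title and changelog entry describe it. Mention the WarningPolicy message explicitly in the changelog so that anyone matching on or displaying this warning knows the fingerprint format changed.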
7 changes: 7 additions & 0 deletions sites/www/changelog.rst
Expand Up @@ -2,6 +2,13 @@
Changelog
=========

- :support:`2287` (solves part of :issue:`396`) The switch to use SHA256 hashing
via the `PKey.fingerprint` property only partially resolved the FIPS
compatibility challenges: some residual usage in debug logging within key
logic flows of `PKey.get_fingerprint()`, which still uses MD5, continued to
cause problems. These instances of debug logging now use the SHA256-using
`PKey.fingerprint`.

- :release:`3.3.1 <2023-07-28>`
- :bug:`-` Cleaned up some very old root level files, mostly just to exercise
some of our doc build and release machinery. This changelog entry
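Review bot: The second sentence of the new entry is hard to parse: "some residual usage in debug logging within key logic flows of `PKey.get_fingerprint()`" puts the method name a long way from "usage". Suggest wording along the lines of "debug logging in client.py still called `PKey.get_fingerprint()`, which uses MD5", and add that the fingerprint shown in those messages changes format as a result.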