From e9dd22965ec7fbd99376e717e6d7895d23c0a74f Mon Sep 17 00:00:00 2001
From: "Kyle J. McKay"
Date: Fri, 22 Jan 2021 18:13:23 -0700
Subject: [PATCH] keyinfo: update ssh-keygen info to reflect current versions
Since OpenSSH 6.8p1 (released 2015-03-18), the default fingerprint
shown for public keys has been changed and a new option (-E) added
to select the fingerprint being used.

Go ahead and mention the needed option and argument (-E md5) in
order to make ssh-keygen show the same fingerprint that reguser.cgi
and edituser.cgi do.

While it's certainly possible that clients are using a version of
OpenSSH prior to 6.8p1, don't bother trying to point out that the
`-E` option and argument should be omitted with such older versions.
Older, less secure SSH protocols are being phased out and at least
OpenSSH version 7.2p1 is required in order to have support for the
newer "rsa-sha2-256" public key algorithm (see RFC 8332). Since
the `-E` option was added as of OpenSSH version 6.8p1, if support
for the newer, more secure protocols is available, then so too will
be support for the `-E` option.

In any case, attempting to use the `-E` option with a pre-6.8p1
version of OpenSSH will conveniently show an "illegal option" message
and a list of allowed options.

The excessive clutter of trying to explain all that concisely in the
various places the "ssh-keygen -l" text appears can therefore be
avoided with very little impact.
Signed-off-by: Kyle J. McKay
---
Girocco/SSHUtil.pm | 2 +-
cgi/edituser.cgi | 4 ++--
cgi/reguser.cgi | 2 +-
toolbox/usertool.pl | 2 +-
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Girocco/SSHUtil.pm b/Girocco/SSHUtil.pm
index f3849c8..8c468d3 100644
--- a/Girocco/SSHUtil.pm
+++ b/Girocco/SSHUtil.pm
@@ -82,7 +82,7 @@ sub _countbits($)
# array of 4 elements:
# key type (either 'ssh-dss' or 'ssh-rsa')
# key size (integer such as 1024, 2048, 3072, 4096 etc.)
-# key fingerprint (string as shown by ssh-keygen -l)
+# key fingerprint (string as shown by ssh-keygen -l -E md5)
# key comment (may be '' if none)
sub sshpub_validate($)
{
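Review bot: the rewritten fingerprint comment ("string as shown by ssh-keygen -l -E md5") still leaves open whether the stored value carries the `MD5:` label that ssh-keygen prints in front of the colon-separated hex when `-E md5` is given, or only the bare hex; since the CGI pages display this value for users to compare against their own ssh-keygen output, state the exact stored form here (for example "colon-separated lowercase hex, without the MD5: prefix") so callers of `sshpub_validate` do not have to read the function body to find out.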
diff --git a/cgi/edituser.cgi b/cgi/edituser.cgi
index 729c50a..d303edb 100755
--- a/cgi/edituser.cgi
+++ b/cgi/edituser.cgi
@@ -129,7 +129,7 @@ EOT
print <The following keys have been registered for user $name as
-shown below along with their ssh-keygen -l fingerprint:
+shown below along with their ssh-keygen -l -E md5 fingerprint:
$keylist
EOT
}
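Review bot: the user-facing sentence now reads "their ssh-keygen -l -E md5 fingerprint", which is accurate but reads as prose rather than as a command; since the commit message says the point is to let users reproduce the displayed value, consider quoting the command to run (e.g. `ssh-keygen -l -E md5 -f yourkey.pub`) and noting that ssh-keygen 6.8p1 and later print the result with an `MD5:` prefix, so a user comparing strings does not mistake the prefix for a mismatch. Separately, the context line `print <The following keys ...` as rendered here is not valid Perl; presumably the `<<EOT` heredoc opener was mangled in transit and the committed file still reads `print <<EOT;`, but worth confirming before applying.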
@@ -191,7 +191,7 @@ EOT
print <The following keys are currently registered for user $name as
-shown below along with their ssh-keygen -l fingerprint:
+shown below along with their ssh-keygen -l -E md5 fingerprint:
$keylist
EOT
}
diff --git a/cgi/reguser.cgi b/cgi/reguser.cgi
index bffbdc5..81d91b4 100755
--- a/cgi/reguser.cgi
+++ b/cgi/reguser.cgi
@@ -49,7 +49,7 @@ if ($cgi->param('name') && $y0 eq 'Register' && $cgi->request_method eq 'POST')
$keysdiv = <The following keys have been registered for user $name as
-shown below along with their ssh-keygen -l fingerprint:
+shown below along with their ssh-keygen -l -E md5 fingerprint:
$keylist
EOT
}
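Review bot: this hunk is the third copy of the identical sentence (both edituser.cgi hunks above change the same text), and the commit message itself complains about the clutter of keeping "the various places the ssh-keygen -l text appears" in sync; moving the sentence into one shared string or helper in Girocco/SSHUtil.pm would let a later change (for instance switching the displayed fingerprint to the SHA256 default) touch one place instead of three. The `$keysdiv = <The following ...` context line shows the same mangled heredoc opener as in edituser.cgi.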
diff --git a/toolbox/usertool.pl b/toolbox/usertool.pl
index 03543ca..43322bd 100755
--- a/toolbox/usertool.pl
+++ b/toolbox/usertool.pl
@@ -97,7 +97,7 @@ sub die_usage {
# [1] = type either "RSA" or "DSA"
# [2] = number of bits in key
# [3] = key comment (nickname)
-# [4] = md5 key fingerprint as shown by ssh-keygen -l
+# [4] = md5 key fingerprint as shown by ssh-keygen -l -E md5
# [5] = raw public key line (starting with ssh-... and with comment but no \n)
sub key_info_list {
my $data = shift;
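Review bot: the comment block documents the list layout as [1] type, [2] bits, [3] comment, [4] fingerprint, whereas the Girocco/SSHUtil.pm hunk above documents the `sshpub_validate` array as type, size, fingerprint, comment (fingerprint before comment); if `key_info_list` is populated from that array, a one-line cross-reference here noting the different element order would keep the two comments from drifting apart again. The type values here ("RSA"/"DSA") also differ in form from the 'ssh-rsa'/'ssh-dss' strings in SSHUtil.pm; saying which spelling this list actually holds would avoid confusion.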
--
2.11.4.GIT
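The two fingerprint formats the commit message contrasts (the legacy MD5 colon-hex that `ssh-keygen -l` printed before 6.8p1 and `-E md5` prints now, and the SHA256 default since 6.8p1), plus the normalization a site would need to compare user-pasted ssh-keygen output from either version, as an added Python example that is not part of Girocco or OpenSSH; the sample key, the `MD5:` handling and every function name are constructed for illustration.

```python
import base64
import hashlib
import re
import struct

# Constructed sample key: a syntactically valid OpenSSH "ssh-rsa" public key
# line built from a small made-up modulus (NOT a real or usable key).
def _wire_string(b):
    return struct.pack(">I", len(b)) + b

_E = b"\x01\x00\x01"                  # e = 65537
_N = b"\x00" + bytes(range(1, 33))    # fake 256-bit modulus, leading 0 for mpint
SAMPLE_BLOB = _wire_string(b"ssh-rsa") + _wire_string(_E) + _wire_string(_N)
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " alice@example"

def key_blob(pubkey_line):
    """Return (type, raw blob) from an authorized_keys-style line, checking
    that the type encoded inside the blob matches the type prefix on the line."""
    parts = pubkey_line.split()
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type prefix does not match blob")
    return keytype, blob

def fingerprint_md5(pubkey_line):
    """Legacy fingerprint: MD5 over the decoded blob, as colon-separated hex
    (what `ssh-keygen -l -E md5` prints after its "MD5:" label)."""
    _, blob = key_blob(pubkey_line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(pubkey_line):
    """Default fingerprint since 6.8p1: base64 of SHA-256, '=' padding dropped."""
    _, blob = key_blob(pubkey_line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

_KEYGEN_RE = re.compile(r"^\d+\s+(?:MD5:)?((?:[0-9a-f]{2}:){15}[0-9a-f]{2})\s")

def md5_from_keygen_output(line):
    """Extract the bare colon-hex fingerprint from an `ssh-keygen -l` line,
    accepting both the pre-6.8p1 form and the newer "MD5:"-prefixed form."""
    m = _KEYGEN_RE.match(line)
    if not m:
        raise ValueError("not an MD5 fingerprint line")
    return m.group(1)
```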