Created attachment 1651 [details] Suggested fix to always print out randomart based on MD5 If ssh-keygen is used with both the -B option (to print the bubblebabble digest of a key) and the -v option (which prints the randomart), then the randomart will be different than if the -B option was not used. Steps to reproduce: 1) Generate a key: <blockquote> # ssh-keygen -v -t rsa -b 2048 -f /tmp/garbage Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /tmp/garbage. Your public key has been saved in /tmp/garbage.pub. The key fingerprint is: eb:19:8d:76:9e:d8:ee:63:6a:3c:9f:19:d4:37:1c:cc user@hostname The key's randomart image is: +--[ RSA 2048]----+ | | | o | | E | | . . . | | S . . + | | = . . | | .= + | | o+Bo= | | .=BX. | +-----------------+ </blockquote> 2) Display the fingerprint with ssh-keygen: <blockquote> # ssh-keygen -v -l -f /tmp/garbage 2048 eb:19:8d:76:9e:d8:ee:63:6a:3c:9f:19:d4:37:1c:cc /tmp/garbage.pub (RSA) +--[ RSA 2048]----+ | | | o | | E | | . . . | | S . . + | | = . . | | .= + | | o+Bo= | | .=BX. | +-----------------+ </blockquote> 3) Display the fingerprint and bubblebabble with ssh-keygen: <blockquote> # ssh-keygen -B -v -l -f /tmp/garbage 2048 xecen-telud-badez-sozic-hopyd-cacov-tanig-dimov-monef-sytym-haxax /tmp/garbage.pub (RSA) +--[ RSA 2048]----+ | .+.. ....+ | |... = * =.= | |o E * B *.. | |. + = . =.o | | . . S. | | | | | | | | | +-----------------+ </blockquote> The problem is that bubblebabble uses the SHA1 digest to generate the fingerprint, while randomart usually uses the MD5 digest. ssh-keygen.c will generate randomart with the SHA1 digest if it is also producing bubblebabble output. This problem was found on openssh v5.2p1. It also appears to be in OpenBSD's ssh-keygen.c v1.173. Diff for fix attached.
Fix applied. This will be in openssh-5.4
Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.
With the release of 5.4p1, this bug is now considered closed.