Follow

Info: MD5 to SHA-256 Host Key Conversion

Applies To:

Upgrades to to Trust Protection Platform (TPP) 17.1 or higher from TPP 16.4 or lower

Summary:

As part of the SSH-based agentless connections that enable certificate provisioning/validation and SSH key discovery/management, TPP provides the ability to manage and configure trust of SSH host keys. Beginning in 17.1, trusted SSH host keys are stored using SHA-256 instead of MD5. Following an upgrade to 17.1 or later, this change may impact host key trust during the first connection on each device object where you are enforcing host key trust.

More Details:

When making an SSH agentless connection to a host TPP hashes and stores the public (host) key it receives from the host. Prior to 17.1, an MD5 hash was used. Beginning in 17.1, SHA-256 is used to hash host keys instead of MD5. In addition, beginning in 17.1, TPP default algorithm switched from DSA (ssh-dss) to RSA (ssh-rsa) for SSH agentless connections. TPP has support for the following algorithms:

  • ssh-rsa
  • ssh-dss (if enabled)
  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521

The following is a description of the operations TPP will perform to facilitate the transition from MD5 to SHA-256 and from RSA to DSA in several different scenarios:

  1. “Enforce Host Key” set to Yes on Device Object – DSA host key stored in MD5 format
    1. TPP requests an SSH connection with the RSA algorithm
    2. Host returns an RSA public (host) key
    3. TPP creates a SHA-256 hash of the host key and replaces the MD5 hash of the previous DSA host key
    4. TPP generates the following log event: 4006001F - SSH Public Key Fingerprint Replaced.
  2. “Enforce Host Key” set to Yes on Device Object – Same RSA host key stored in MD5 format
    1. TPP requests an SSH connection with the RSA algorithm
    2. Host returns the same RSA public (host) key as the one stored in MD5 format
    3. TPP creates an MD5 hash of the returned RSA host key and confirm that it matches the MD5 has of the stored RSA host key
    4. TPP creates a SHA-256 hash of the host key and replaces the MD5 hash of the previous DSA host key
    5. TPP generates the following log event: 40060020 - SSH Public Key Fingerprint Changed.
  3. “Enforce Host Key” set to Yes on Device Object – Different RSA host key stored in MD5 format
    1. TPP requests an SSH connection with the RSA algorithm
    2. Host returns a different RSA public (host) key than the one stored in MD5 format
    3. TPP creates an MD5 hash of the returned RSA host key and determines that it does not match the MD5 has of the stored RSA host key
    4. TPP aborts the agentless SSH connection
    5. TPP generates the following log event: 40060004 - SSH Connect To Host Failed.
  4. “Enforce Host Key” set to No on Device Object – DSA or RSA host key stored in MD5 format
    1. TPP requests an SSH connection with the RSA algorithm
    2. Host returns an RSA public (host) key
    3. TPP creates a SHA-256 hash of the host key and replaces the MD5 hash of the previous DSA or RSA host key
    4. TPP generates the following log event: 40060020 - SSH Public Key Fingerprint Changed.

The operations above are performed in order to ensure a seamless transition to SHA-256 for store host keys. If you wish to verify that the correct host key was trusted in scenario 1, set a notification rule to send an alert when “4006001F - SSH Public Key Fingerprint Replaced” are received so that you can review each host key that is trusted.

 

Was this article helpful?
0 out of 0 found this helpful

Comments