
From: "Job Snijders" <job@openbsd.org>
Subject: Re: [PATCH] Upgrade ssh_connection_hash from SHA1 to SHA256
To: "Damien Miller" <djm@mindrot.org>, "Dimitri John Ledkov" <dimitri.ledkov@surgut.co.uk>
Cc: <tech@openbsd.org>
Date: Tue, 02 Sep 2025 09:24:51 +0000

On Mon Sep 1, 2025 at 11:50 PM UTC, Damien Miller wrote:
> I don't mind switching the algorithm, but the whole purpose of the
> connection hash in this context is to provide an identifier that takes
> in the unique descriptors of the connection that is short enough to
> avoid exceeding the relatively-modest sockaddr_un path limit.
>
> IMO, at 64 characters, a hex-encoded SHA256 hash is too long for this.
> It should be truncated and/or a modified b64 encoding used. Modified
> because base64 usually uses /, which isn't acceptable for something
> intended as a filesystem path (+ isn't great either).

I recommend using 'base64url' encoding (RFC 4648, section 5) without padding.
https://datatracker.ietf.org/doc/html/rfc4648#section-5

Kind regards,

Job
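
The length concern and the encoding suggestion from this exchange, as an added example that is not code from the patch or from OpenSSH: an unpadded base64url (RFC 4648, section 5) encoder and a check against the local sun_path size. The names b64url_nopad and fits_sun_path are hypothetical, and the all-zero digest is a constructed stand-in for a real SHA256 output.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* RFC 4648 section 5 alphabet: '-' and '_' replace '+' and '/'. */
static const char B64URL[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/* Encode len bytes as unpadded base64url; returns length, 0 if out too small. */
size_t
b64url_nopad(const unsigned char *in, size_t len, char *out, size_t outlen)
{
	size_t i, o = 0, rem, need = (len * 4 + 2) / 3;	/* ceil(4*len/3) */
	unsigned long v;

	if (outlen < need + 1)
		return 0;
	for (i = 0; i < len; i += 3) {
		rem = len - i;
		v = (unsigned long)in[i] << 16;
		if (rem > 1) v |= (unsigned long)in[i + 1] << 8;
		if (rem > 2) v |= in[i + 2];
		out[o++] = B64URL[(v >> 18) & 63];
		out[o++] = B64URL[(v >> 12) & 63];
		if (rem > 1) out[o++] = B64URL[(v >> 6) & 63];
		if (rem > 2) out[o++] = B64URL[v & 63];	/* no '=' padding */
	}
	out[o] = '\0';
	return o;
}

/* 1 if dir + "/" + an idlen-character identifier + NUL fits in sun_path. */
int
fits_sun_path(const char *dir, size_t idlen)
{
	return strlen(dir) + 1 + idlen + 1 <=
	    sizeof(((struct sockaddr_un *)0)->sun_path);
}

int
main(void)
{
	unsigned char digest[32] = {0};	/* constructed stand-in for SHA256 */
	char id[64];
	size_t n = b64url_nopad(digest, sizeof(digest), id, sizeof(id));

	printf("%zu chars (hex would be 64): %s\n", n, id);
	return n == 43 ? 0 : 1;
}
```

A full 32-byte digest encodes to 43 characters instead of 64 in hex; truncating the digest before encoding shortens the identifier further.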