[PATCH] Upgrade ssh_connection_hash from hex SHA1 to base64url SHA256
Ping,

Any changes required to land this? The original patch still applies
cleanly to the latest code.

On Thu, 25 Sept 2025 at 16:56, Dimitri John Ledkov
<dimitri.ledkov@surgut.co.uk> wrote:
>
> On Mon, 8 Sept 2025 at 10:24, Dimitri John Ledkov
> <dimitri.ledkov@surgut.co.uk> wrote:
> >
> > Upgrade ssh_connection_hash from SHA1 to SHA256. Due to increased
> > length, instead of using hex encoding, use base64url encoding, which
> > for SHA256 is only slightly longer than hex SHA1. Rename related
> > variables for clarity.
> >
> > This change enables building and using ssh completely without SHA1.
> > ---
> > regress/usr.bin/ssh/percent.sh | 3 ++-
> > usr.bin/ssh/readconf.c | 23 ++++++++++++++++-------
> > usr.bin/ssh/ssh.c | 4 ++--
> > usr.bin/ssh/sshconnect.h | 4 ++--
> > 4 files changed, 22 insertions(+), 12 deletions(-)
> >
>
> Are there any other questions, reviews or concerns to land this change?
>
> This change passed all Github based CI at
> https://github.com/openssh/openssh-portable/pull/595 but can
> rebase/rerun again.
>
> Separately, should I provide another alternative implementation that
> keeps using HEX encoding but with a truncated SHA-256/160? This way
> the appearance of the session will retain the same character set and
> length as today, but without using SHA-1. This would be similar to
> what is being used for TLS certificates public key info hash
> identifier, for which it was also determined that SHA256 output is too
> long.
>
> --
> Regards,
>
> Dimitri.

--
Regards,

Dimitri.
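The three identifier formats weighed in this thread (hex SHA-1, base64url SHA-256, and hex SHA-256 truncated to 160 bits), side by side as an added example that is not part of the patch or of OpenSSH. The input fields, their plain concatenation, and the stripping of base64 padding are assumptions made for illustration.

```python
import base64
import hashlib
import string

HEX_ALPHABET = set("0123456789abcdef")
B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")

# Constructed sample input; the real fields and their order are not shown in the thread.
SAMPLE_FIELDS = ("client.example", "server.example", "22", "alice")


def connection_token(fields, scheme):
    """Hash the concatenated fields (assumed layout) and encode per scheme."""
    data = b"".join(f.encode("utf-8") for f in fields)
    if scheme == "sha1-hex":            # today's format: 20 bytes -> 40 hex chars
        return hashlib.sha1(data).hexdigest()
    if scheme == "sha256-b64url":       # proposed: 32 bytes -> 43 chars, padding stripped
        digest = hashlib.sha256(data).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if scheme == "sha256-160-hex":      # alternative: first 20 bytes -> 40 hex chars
        return hashlib.sha256(data).digest()[:20].hex()
    raise ValueError(f"unknown scheme: {scheme}")


def compare(fields):
    """Return {scheme: (token, length, digest bits kept, alphabet size)}."""
    bits = {"sha1-hex": 160, "sha256-b64url": 256, "sha256-160-hex": 160}
    out = {}
    for scheme, kept in bits.items():
        token = connection_token(fields, scheme)
        alphabet = HEX_ALPHABET if scheme.endswith("hex") else B64URL_ALPHABET
        if not set(token) <= alphabet:
            raise AssertionError(f"{scheme} produced characters outside its alphabet")
        out[scheme] = (token, len(token), kept, len(alphabet))
    return out


if __name__ == "__main__":
    for scheme, (token, length, kept, _) in compare(SAMPLE_FIELDS).items():
        print(f"{scheme:15} {length:3} chars {kept:3} bits  {token}")
```

The base64url form keeps all 256 bits in 43 characters and its alphabet contains no `/` or `+`; the truncated form matches today's 40-character hex appearance while keeping 160 bits of SHA-256 output.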