From: Dimitri John Ledkov
Subject: Re: [PATCH] Upgrade ssh_connection_hash from hex SHA1 to base64url SHA256
To: tech@openbsd.org
Date: Thu, 25 Sep 2025 16:56:48 +0100

On Mon, 8 Sept 2025 at 10:24, Dimitri John Ledkov wrote:
>
> Upgrade ssh_connection_hash from SHA1 to SHA256. Due to increased
> length, instead of using hex encoding, use base64url encoding, which
> for SHA256 is only slightly longer than hex SHA1. Rename related
> variables for clarity.
>
> This change enables building and using ssh completely without SHA1.
> ---
>  regress/usr.bin/ssh/percent.sh |  3 ++-
>  usr.bin/ssh/readconf.c         | 23 ++++++++++++++++-------
>  usr.bin/ssh/ssh.c              |  4 ++--
>  usr.bin/ssh/sshconnect.h       |  4 ++--
>  4 files changed, 22 insertions(+), 12 deletions(-)
>

Are there any other questions, reviews or concerns to land this change?

This change passed all GitHub-based CI at
https://github.com/openssh/openssh-portable/pull/595 but I can rebase/rerun again.

Separately, should I provide another alternative implementation that keeps
using hex encoding but with a truncated SHA-256/160? This way the appearance
of the session hash will retain the same character set and length as today,
but without using SHA-1. This would be similar to what is being used for the
TLS certificate public key info hash identifier, for which it was also
determined that SHA256 output is too long.

--
Regards,

Dimitri.
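The message above compares three encodings for the %C connection hash: today's hex SHA-1, the patch's unpadded base64url SHA-256, and the hex-encoded truncated SHA-256/160 floated as an alternative. The following Python is an added example written for this page; it is not OpenSSH code and not part of the thread. It assumes the %C input is the %l%h%p%r concatenation documented for that token in ssh_config(5) (newer releases also fold in %j; that is omitted here), and the sample connection parameters are constructed. It shows the resulting lengths and character sets side by side, and why standard base64 would not have been a drop-in choice for a value that is expanded into paths such as ControlPath.

```python
"""Added example (not OpenSSH code): compare candidate encodings for ssh's
%C connection hash. The %l%h%p%r concatenation follows ssh_config(5)'s
description of %C; the sample values below are constructed."""
import base64
import hashlib

# Constructed sample connection parameters (assumed for illustration only).
SAMPLE = {
    "local_host": "laptop.example",
    "remote_host": "bastion.example.org",
    "port": 22,
    "remote_user": "alice",
}


def connection_string(local_host, remote_host, port, remote_user):
    """%l%h%p%r concatenation, as documented for %C in ssh_config(5)."""
    return f"{local_host}{remote_host}{port}{remote_user}"


def hex_sha1(data: bytes) -> str:
    """Current behaviour: hex-encoded SHA-1, 40 characters, [0-9a-f]."""
    return hashlib.sha1(data).hexdigest()


def base64url_sha256(data: bytes) -> str:
    """Patch proposal: unpadded base64url of SHA-256, 43 characters,
    alphabet [A-Za-z0-9_-]. 32 bytes is 2 mod 3, so the padded form
    would carry exactly one '=' which is stripped here."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def standard_base64_sha256(data: bytes) -> str:
    """For contrast only: standard base64 may emit '+' and '/', so it is
    not suitable where %C is expanded into a filesystem path."""
    digest = hashlib.sha256(data).digest()
    return base64.b64encode(digest).rstrip(b"=").decode("ascii")


def hex_sha256_160(data: bytes) -> str:
    """Alternative raised in the reply: SHA-256 truncated to the first
    160 bits, hex-encoded. Same length (40) and charset as hex SHA-1."""
    return hashlib.sha256(data).digest()[:20].hex()


def is_path_safe(token: str) -> bool:
    """%C is substituted into ControlPath and similar options, so the
    encoded hash should contain no path separators or shell metacharacters.
    Hex and base64url pass; standard base64's '/' and '+' do not."""
    return all(c.isalnum() or c in "-_" for c in token)


def compare_encodings(params: dict) -> dict:
    """Return each candidate encoding of the constructed %C input."""
    s = connection_string(**params).encode()
    return {
        "hex_sha1": hex_sha1(s),
        "base64url_sha256": base64url_sha256(s),
        "standard_base64_sha256": standard_base64_sha256(s),
        "hex_sha256_160": hex_sha256_160(s),
    }


if __name__ == "__main__":
    for name, value in compare_encodings(SAMPLE).items():
        print(f"{name:24} len={len(value):2} "
              f"path_safe={is_path_safe(value)!s:5} {value}")
```

The visible trade-off is three extra characters (43 vs 40) for base64url SHA-256 against no change at all for truncated SHA-256/160; both keep the value safe to embed in paths, which is the property that standard base64 loses.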