rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
017ff1
diff --git a/auth.c b/auth.c
017ff1
index 9a36f1d..420a85b 100644
017ff1
--- a/auth.c
017ff1
+++ b/auth.c
f09e2e
@@ -685,9 +685,10 @@ auth_key_is_revoked(Key *key)
f09e2e
 	case 1:
f09e2e
  revoked:
f09e2e
 		/* Key revoked */
f09e2e
-		key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
f09e2e
+		key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
f09e2e
 		error("WARNING: authentication attempt with a revoked "
f09e2e
-		    "%s key %s ", key_type(key), key_fp);
f09e2e
+		    "%s key %s%s ", key_type(key),
f09e2e
+		    key_fingerprint_prefix(), key_fp);
f09e2e
 		free(key_fp);
f09e2e
 		return 1;
f09e2e
 	}
017ff1
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
017ff1
index 488008f..eca0069 100644
017ff1
--- a/auth2-hostbased.c
017ff1
+++ b/auth2-hostbased.c
017ff1
@@ -206,16 +206,18 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
f09e2e
 
f09e2e
 	if (host_status == HOST_OK) {
f09e2e
 		if (key_is_cert(key)) {
f09e2e
-			fp = key_fingerprint(key->cert->signature_key,
f09e2e
-			    SSH_FP_MD5, SSH_FP_HEX);
f09e2e
+			fp = key_selected_fingerprint(key->cert->signature_key,
f09e2e
+			    SSH_FP_HEX);		
f09e2e
 			verbose("Accepted certificate ID \"%s\" signed by "
f09e2e
-			    "%s CA %s from %s@%s", key->cert->key_id,
f09e2e
-			    key_type(key->cert->signature_key), fp,
f09e2e
+			    "%s CA %s%s from %s@%s", key->cert->key_id,
f09e2e
+			    key_type(key->cert->signature_key),
f09e2e
+			    key_fingerprint_prefix(), fp,
f09e2e
 			    cuser, lookup);
f09e2e
 		} else {
f09e2e
-			fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
f09e2e
-			verbose("Accepted %s public key %s from %s@%s",
f09e2e
-			    key_type(key), fp, cuser, lookup);
f09e2e
+			fp = key_selected_fingerprint(key, SSH_FP_HEX);
f09e2e
+			verbose("Accepted %s public key %s%s from %s@%s",
f09e2e
+			    key_type(key), key_fingerprint_prefix(),
f09e2e
+			    fp, cuser, lookup);
f09e2e
 		}
f09e2e
 		free(fp);
f09e2e
 	}
017ff1
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
017ff1
index 0fd27bb..749b11a 100644
017ff1
--- a/auth2-pubkey.c
017ff1
+++ b/auth2-pubkey.c
017ff1
@@ -365,10 +365,10 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
f09e2e
 				continue;
f09e2e
 			if (!key_is_cert_authority)
f09e2e
 				continue;
f09e2e
-			fp = key_fingerprint(found, SSH_FP_MD5,
f09e2e
-			    SSH_FP_HEX);
f09e2e
-			debug("matching CA found: file %s, line %lu, %s %s",
f09e2e
-			    file, linenum, key_type(found), fp);
f09e2e
+			fp = key_selected_fingerprint(found, SSH_FP_HEX);
f09e2e
+			debug("matching CA found: file %s, line %lu, %s %s%s",
f09e2e
+			    file, linenum, key_type(found),
f09e2e
+			    key_fingerprint_prefix(), fp);
f09e2e
 			/*
f09e2e
 			 * If the user has specified a list of principals as
f09e2e
 			 * a key option, then prefer that list to matching
017ff1
@@ -406,9 +406,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
f09e2e
 			if (key_is_cert_authority)
f09e2e
 				continue;
f09e2e
 			found_key = 1;
f09e2e
-			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
f09e2e
-			debug("matching key found: file %s, line %lu %s %s",
f09e2e
-			    file, linenum, key_type(found), fp);
f09e2e
+			fp = key_selected_fingerprint(found, SSH_FP_HEX);
f09e2e
+			verbose("Found matching %s key: %s%s",
f09e2e
+			    key_type(found), key_fingerprint_prefix(), fp);
f09e2e
 			free(fp);
f09e2e
 			break;
f09e2e
 		}
017ff1
@@ -431,13 +431,13 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
f09e2e
 	if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
f09e2e
 		return 0;
f09e2e
 
f09e2e
-	ca_fp = key_fingerprint(key->cert->signature_key,
f09e2e
-	    SSH_FP_MD5, SSH_FP_HEX);
f09e2e
+	ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
f09e2e
 
f09e2e
 	if (key_in_file(key->cert->signature_key,
f09e2e
 	    options.trusted_user_ca_keys, 1) != 1) {
f09e2e
-		debug2("%s: CA %s %s is not listed in %s", __func__,
f09e2e
-		    key_type(key->cert->signature_key), ca_fp,
f09e2e
+		debug2("%s: CA %s%s %s is not listed in %s", __func__,
f09e2e
+		    key_type(key->cert->signature_key),
f09e2e
+		    key_fingerprint_prefix(), ca_fp,
f09e2e
 		    options.trusted_user_ca_keys);
f09e2e
 		goto out;
f09e2e
 	}
017ff1
diff --git a/key.c b/key.c
017ff1
index 168e1b7..eb98ea8 100644
017ff1
--- a/key.c
017ff1
+++ b/key.c
017ff1
@@ -628,6 +628,34 @@ key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
f09e2e
 	return retval;
f09e2e
 }
f09e2e
 
f09e2e
+enum fp_type
f09e2e
+key_fingerprint_selection(void)
f09e2e
+{
f09e2e
+	static enum fp_type rv;
f09e2e
+	static char rv_defined = 0;
f09e2e
+	char *env;
f09e2e
+
f09e2e
+	if (!rv_defined) {
f09e2e
+		env = getenv("SSH_FINGERPRINT_TYPE");
f09e2e
+		rv = (env && !strcmp (env, "sha")) ?
f09e2e
+			SSH_FP_SHA1 : SSH_FP_MD5;
f09e2e
+		rv_defined = 1;
f09e2e
+	}
f09e2e
+	return rv;
f09e2e
+}
f09e2e
+
f09e2e
+char *
f09e2e
+key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
f09e2e
+{
f09e2e
+	return key_fingerprint(k, key_fingerprint_selection(), dgst_rep);
f09e2e
+}
f09e2e
+
f09e2e
+char *
f09e2e
+key_fingerprint_prefix(void)
f09e2e
+{
f09e2e
+	return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : "";
f09e2e
+}
f09e2e
+
f09e2e
 /*
f09e2e
  * Reads a multiple-precision integer in decimal from the buffer, and advances
f09e2e
  * the pointer.  The integer must already be initialized.  This function is
017ff1
diff --git a/key.h b/key.h
017ff1
index d8ad13d..0e3eea5 100644
017ff1
--- a/key.h
017ff1
+++ b/key.h
017ff1
@@ -104,6 +104,9 @@ int		 key_equal_public(const Key *, const Key *);
f09e2e
 int		 key_equal(const Key *, const Key *);
f09e2e
 char		*key_fingerprint(const Key *, enum fp_type, enum fp_rep);
f09e2e
 u_char		*key_fingerprint_raw(const Key *, enum fp_type, u_int *);
f09e2e
+enum fp_type	 key_fingerprint_selection(void);
f09e2e
+char		*key_selected_fingerprint(Key *, enum fp_rep);
f09e2e
+char		*key_fingerprint_prefix(void);
f09e2e
 const char	*key_type(const Key *);
f09e2e
 const char	*key_cert_type(const Key *);
f09e2e
 int		 key_write(const Key *, FILE *);
017ff1
diff --git a/ssh-add.c b/ssh-add.c
017ff1
index 3421452..691949f 100644
017ff1
--- a/ssh-add.c
017ff1
+++ b/ssh-add.c
017ff1
@@ -330,10 +330,10 @@ list_identities(AuthenticationConnection *ac, int do_fp)
f09e2e
 		    key = ssh_get_next_identity(ac, &comment, version)) {
f09e2e
 			had_identities = 1;
f09e2e
 			if (do_fp) {
f09e2e
-				fp = key_fingerprint(key, SSH_FP_MD5,
f09e2e
-				    SSH_FP_HEX);
f09e2e
-				printf("%d %s %s (%s)\n",
f09e2e
-				    key_size(key), fp, comment, key_type(key));
f09e2e
+				fp = key_selected_fingerprint(key, SSH_FP_HEX);
f09e2e
+				printf("%d %s%s %s (%s)\n",
f09e2e
+				    key_size(key), key_fingerprint_prefix(),
f09e2e
+				    fp, comment, key_type(key));
f09e2e
 				free(fp);
f09e2e
 			} else {
f09e2e
 				if (!key_write(key, stdout))
017ff1
diff --git a/ssh-agent.c b/ssh-agent.c
017ff1
index ba24612..117fdde 100644
017ff1
--- a/ssh-agent.c
017ff1
+++ b/ssh-agent.c
f09e2e
@@ -198,9 +198,9 @@ confirm_key(Identity *id)
f09e2e
 	char *p;
f09e2e
 	int ret = -1;
f09e2e
 
f09e2e
-	p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
f09e2e
-	if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
f09e2e
-	    id->comment, p))
f09e2e
+	p = key_selected_fingerprint(id->key, SSH_FP_HEX);
f09e2e
+	if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.",
f09e2e
+	    id->comment, key_fingerprint_prefix(), p))
f09e2e
 		ret = 0;
f09e2e
 	free(p);
f09e2e
 
017ff1
diff --git a/ssh-keygen.c b/ssh-keygen.c
017ff1
index 2a316bc..482dc1c 100644
017ff1
--- a/ssh-keygen.c
017ff1
+++ b/ssh-keygen.c
017ff1
@@ -783,13 +783,14 @@ do_fingerprint(struct passwd *pw)
f09e2e
 {
f09e2e
 	FILE *f;
f09e2e
 	Key *public;
f09e2e
-	char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
f09e2e
+	char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra, *pfx;
f09e2e
 	int i, skip = 0, num = 0, invalid = 1;
f09e2e
 	enum fp_rep rep;
f09e2e
 	enum fp_type fptype;
f09e2e
 	struct stat st;
f09e2e
 
f09e2e
-	fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
f09e2e
+	fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
f09e2e
+	pfx =	 print_bubblebabble ? "" : key_fingerprint_prefix();
f09e2e
 	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
f09e2e
 
f09e2e
 	if (!have_identity)
017ff1
@@ -801,8 +802,8 @@ do_fingerprint(struct passwd *pw)
f09e2e
 	public = key_load_public(identity_file, &comment);
f09e2e
 	if (public != NULL) {
f09e2e
 		fp = key_fingerprint(public, fptype, rep);
f09e2e
-		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
f09e2e
-		printf("%u %s %s (%s)\n", key_size(public), fp, comment,
f09e2e
+		ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
f09e2e
+		printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, comment,
f09e2e
 		    key_type(public));
f09e2e
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
f09e2e
 			printf("%s\n", ra);
017ff1
@@ -867,8 +868,8 @@ do_fingerprint(struct passwd *pw)
f09e2e
 		}
f09e2e
 		comment = *cp ? cp : comment;
f09e2e
 		fp = key_fingerprint(public, fptype, rep);
f09e2e
-		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
f09e2e
-		printf("%u %s %s (%s)\n", key_size(public), fp,
f09e2e
+		ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
f09e2e
+		printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp,
f09e2e
 		    comment ? comment : "no comment", key_type(public));
f09e2e
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
f09e2e
 			printf("%s\n", ra);
017ff1
@@ -986,13 +987,15 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash)
f09e2e
 	if (print_fingerprint) {
f09e2e
 		enum fp_rep rep;
f09e2e
 		enum fp_type fptype;
f09e2e
-		char *fp, *ra;
f09e2e
+		char *fp, *ra, *pfx;
f09e2e
 
f09e2e
-		fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
f09e2e
+		fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
f09e2e
+		pfx =	 print_bubblebabble ? "" : key_fingerprint_prefix();
f09e2e
 		rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
f09e2e
+
f09e2e
 		fp = key_fingerprint(public, fptype, rep);
f09e2e
-		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
f09e2e
-		printf("%u %s %s (%s)\n", key_size(public), fp, name,
f09e2e
+		ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
f09e2e
+		printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, name,
f09e2e
 		    key_type(public));
f09e2e
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
f09e2e
 			printf("%s\n", ra);
017ff1
@@ -1878,16 +1881,17 @@ do_show_cert(struct passwd *pw)
f09e2e
 		fatal("%s is not a certificate", identity_file);
f09e2e
 	v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
f09e2e
 
f09e2e
-	key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
f09e2e
-	ca_fp = key_fingerprint(key->cert->signature_key,
f09e2e
-	    SSH_FP_MD5, SSH_FP_HEX);
f09e2e
+	key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
f09e2e
+	ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
f09e2e
 
f09e2e
 	printf("%s:\n", identity_file);
f09e2e
 	printf("        Type: %s %s certificate\n", key_ssh_name(key),
f09e2e
 	    key_cert_type(key));
f09e2e
-	printf("        Public key: %s %s\n", key_type(key), key_fp);
f09e2e
-	printf("        Signing CA: %s %s\n",
f09e2e
-	    key_type(key->cert->signature_key), ca_fp);
f09e2e
+	printf("        Public key: %s %s%s\n", key_type(key),
f09e2e
+	    key_fingerprint_prefix(), key_fp);
f09e2e
+	printf("        Signing CA: %s %s%s\n",
f09e2e
+	    key_type(key->cert->signature_key),
f09e2e
+	    key_fingerprint_prefix(), ca_fp);
f09e2e
 	printf("        Key ID: \"%s\"\n", key->cert->key_id);
f09e2e
 	if (!v00) {
f09e2e
 		printf("        Serial: %llu\n",
017ff1
@@ -2686,13 +2690,12 @@ passphrase_again:
f09e2e
 	fclose(f);
f09e2e
 
f09e2e
 	if (!quiet) {
f09e2e
-		char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
f09e2e
-		char *ra = key_fingerprint(public, SSH_FP_MD5,
f09e2e
-		    SSH_FP_RANDOMART);
f09e2e
+		char *fp = key_selected_fingerprint(public, SSH_FP_HEX);
f09e2e
+		char *ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
f09e2e
 		printf("Your public key has been saved in %s.\n",
f09e2e
 		    identity_file);
f09e2e
 		printf("The key fingerprint is:\n");
f09e2e
-		printf("%s %s\n", fp, comment);
f09e2e
+		printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
f09e2e
 		printf("The key's randomart image is:\n");
f09e2e
 		printf("%s\n", ra);
f09e2e
 		free(ra);
017ff1
diff --git a/sshconnect.c b/sshconnect.c
017ff1
index 573d7a8..394cca8 100644
017ff1
--- a/sshconnect.c
017ff1
+++ b/sshconnect.c
017ff1
@@ -914,10 +914,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
f09e2e
 				    "key for IP address '%.128s' to the list "
f09e2e
 				    "of known hosts.", type, ip);
f09e2e
 		} else if (options.visual_host_key) {
f09e2e
-			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
f09e2e
-			ra = key_fingerprint(host_key, SSH_FP_MD5,
f09e2e
-			    SSH_FP_RANDOMART);
f09e2e
-			logit("Host key fingerprint is %s\n%s\n", fp, ra);
f09e2e
+			fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
f09e2e
+			ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
f09e2e
+			logit("Host key fingerprint is %s%s\n%s\n",
f09e2e
+			    key_fingerprint_prefix(), fp, ra);
f09e2e
 			free(ra);
f09e2e
 			free(fp);
f09e2e
 		}
017ff1
@@ -955,9 +955,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
f09e2e
 			else
f09e2e
 				snprintf(msg1, sizeof(msg1), ".");
f09e2e
 			/* The default */
f09e2e
-			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
f09e2e
-			ra = key_fingerprint(host_key, SSH_FP_MD5,
f09e2e
-			    SSH_FP_RANDOMART);
f09e2e
+			fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
f09e2e
+			ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
f09e2e
 			msg2[0] = '\0';
f09e2e
 			if (options.verify_host_key_dns) {
f09e2e
 				if (matching_host_key_dns)
017ff1
@@ -972,10 +971,11 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
f09e2e
 			snprintf(msg, sizeof(msg),
f09e2e
 			    "The authenticity of host '%.200s (%s)' can't be "
f09e2e
 			    "established%s\n"
f09e2e
-			    "%s key fingerprint is %s.%s%s\n%s"
f09e2e
+			    "%s key fingerprint is %s%s.%s%s\n%s"
f09e2e
 			    "Are you sure you want to continue connecting "
f09e2e
 			    "(yes/no)? ",
f09e2e
-			    host, ip, msg1, type, fp,
f09e2e
+			    host, ip, msg1, type,
f09e2e
+			    key_fingerprint_prefix(), fp,
f09e2e
 			    options.visual_host_key ? "\n" : "",
f09e2e
 			    options.visual_host_key ? ra : "",
f09e2e
 			    msg2);
017ff1
@@ -1220,8 +1220,9 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
f09e2e
 	int flags = 0;
f09e2e
 	char *fp;
f09e2e
 
f09e2e
-	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
f09e2e
-	debug("Server host key: %s %s", key_type(host_key), fp);
f09e2e
+	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
f09e2e
+	debug("Server host key: %s %s%s", key_type(host_key),
f09e2e
+	    key_fingerprint_prefix(), fp);
f09e2e
 	free(fp);
f09e2e
 
f09e2e
 	/* XXX certs are not yet supported for DNS */
017ff1
@@ -1327,14 +1328,15 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
f09e2e
 			continue;
f09e2e
 		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
f09e2e
 			continue;
f09e2e
-		fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
f09e2e
-		ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
f09e2e
+		fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
f09e2e
+		ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
f09e2e
 		logit("WARNING: %s key found for host %s\n"
f09e2e
 		    "in %s:%lu\n"
f09e2e
-		    "%s key fingerprint %s.",
f09e2e
+		    "%s key fingerprint %s%s.",
f09e2e
 		    key_type(found->key),
f09e2e
 		    found->host, found->file, found->line,
f09e2e
-		    key_type(found->key), fp);
f09e2e
+		    key_type(found->key),
f09e2e
+		    key_fingerprint_prefix(), fp);
f09e2e
 		if (options.visual_host_key)
f09e2e
 			logit("%s", ra);
f09e2e
 		free(ra);
017ff1
@@ -1349,7 +1351,7 @@ warn_changed_key(Key *host_key)
f09e2e
 {
f09e2e
 	char *fp;
f09e2e
 
f09e2e
-	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
f09e2e
+	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
f09e2e
 
f09e2e
 	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
f09e2e
 	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
017ff1
@@ -1357,8 +1359,8 @@ warn_changed_key(Key *host_key)
f09e2e
 	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
f09e2e
 	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
f09e2e
 	error("It is also possible that a host key has just been changed.");
f09e2e
-	error("The fingerprint for the %s key sent by the remote host is\n%s.",
f09e2e
-	    key_type(host_key), fp);
f09e2e
+	error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
f09e2e
+	    key_type(host_key),key_fingerprint_prefix(),  fp);
f09e2e
 	error("Please contact your system administrator.");
f09e2e
 
f09e2e
 	free(fp);
017ff1
diff --git a/sshconnect2.c b/sshconnect2.c
017ff1
index 7f4ff41..adbbfc7 100644
017ff1
--- a/sshconnect2.c
017ff1
+++ b/sshconnect2.c
017ff1
@@ -577,8 +577,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
f09e2e
 		    key->type, pktype);
f09e2e
 		goto done;
f09e2e
 	}
f09e2e
-	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
f09e2e
-	debug2("input_userauth_pk_ok: fp %s", fp);
f09e2e
+	fp = key_selected_fingerprint(key, SSH_FP_HEX);
f09e2e
+	debug2("input_userauth_pk_ok: fp %s%s",
f09e2e
+	    key_fingerprint_prefix(), fp);
f09e2e
 	free(fp);
f09e2e
 
f09e2e
 	/*
017ff1
@@ -986,8 +987,9 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
f09e2e
 	int have_sig = 1;
f09e2e
 	char *fp;
f09e2e
 
f09e2e
-	fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
f09e2e
-	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
f09e2e
+	fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
f09e2e
+	debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
f09e2e
+	    key_fingerprint_prefix(), fp);
f09e2e
 	free(fp);
f09e2e
 
f09e2e
 	if (key_to_blob(id->key, &blob, &bloblen) == 0) {