Expose server SSH keys fingerprint #36

Closed
brmzkw opened this issue May 6, 2015 · 3 comments

brmzkw commented May 6, 2015

As proposed in the community, it could be great to show the server's SSH key fingerprints to the user.

We can proceed as follows:

  • update the metadata API to accept and store extra arguments in the PATCH endpoint
  • from the server, create an initscript to make a PATCH request against the metadata API

To compute fingerprints:

# for key in /etc/ssh/ssh_host_*_key; do ssh-keygen -lf $key; done
1024 76:64:11:42:21:f2:5d:a3:a5:83:20:86:6b:75:68:a8  root@server (DSA)
256 78:58:f8:37:aa:55:e2:61:fc:8d:a3:52:f9:8b:5e:13  root@server (ECDSA)
256 18:98:9c:cb:34:18:b0:c4:70:8e:93:02:07:74:04:5a  root@server (ED25519)
2048 e9:89:ae:ff:df:4e:6b:24:63:11:7b:d3:73:03:81:18  root@server (RSA)
@moul moul self-assigned this May 6, 2015

moul commented May 6, 2015

Cool, waiting for the API

@moul moul assigned QuentinPerez and unassigned moul Aug 3, 2015

brmzkw commented Sep 25, 2015

With user data, it is now possible to store the host keys from the server, without authentication.

C1# curl 169.254.42.42/user_data/ssh-host-fingerprints -H 'Content-Type: text/plain' --local-port 1-1024 -X PATCH --data-binary "`cat /etc/ssh/ssh_host_*pub`"
C1# curl 169.254.42.42/user_data/ssh-host-fingerprints --local-port 1-1024

I suggest updating /usr/local/sbin/oc-generate-ssh-keys to store the keys. Once done, we will be able to update the console to show the host keys to the user.
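
For the console side of this proposal, an added example (not code from the issue or from the project's tools) that turns public-key lines such as those stored under `user_data/ssh-host-fingerprints` into fingerprints, in both the MD5 colon-hex form shown in the first comment and the SHA256 form newer OpenSSH releases print. The function names and the sample key are constructed for illustration; lines whose base64 is damaged or whose declared type does not match the blob are reported rather than fingerprinted.

```python
import base64
import hashlib
import struct


def parse_pubkey_line(line):
    """Return (type, raw key blob) for one '<type> <base64> [comment]' line."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    # The blob begins with a length-prefixed copy of the key type (RFC 4253).
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("declared type differs from the type inside the blob")
    return key_type, blob


def fingerprints(line):
    """Fingerprint the key blob the way ssh-keygen -l does (MD5 and SHA256)."""
    key_type, blob = parse_pubkey_line(line)
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type,
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha256}


def fingerprint_user_data(body):
    """Fingerprint every key line; unparsable lines are reported, not dropped."""
    good, bad = [], []
    for line in body.splitlines():
        if not line.strip():
            continue
        try:
            good.append(fingerprints(line))
        except ValueError as exc:
            bad.append((line[:40], str(exc)))
    return good, bad


def constructed_ed25519_line(comment="root@example"):
    # Constructed sample: 32 fixed bytes stand in for a real Ed25519 public key.
    parts = (b"ssh-ed25519", bytes(range(32)))
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment
```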

moul commented Sep 25, 2015

@brmzkw yes, perfect!

@QuentinPerez use this script as much as possible, so you can update it if needed: https://github.com/scaleway/image-tools/blob/master/skeleton-common/usr/local/sbin/oc-userdata
