Add support for SSH public keys to user and host objects.

This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.

Additionaly, host commands automatically update DNS SSHFP records when
requested by user.

https://fedorahosted.org/freeipa/ticket/754

1 files changed, 21 insertions, 0 deletions

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index fc0010d6e..d9b0455e5 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -36,6 +36,7 @@ import shutil
 import urllib2
 import socket
 import ldap
+import struct
 
 from ipapython import ipavalidate
 from types import *
@@ -58,6 +59,7 @@ except ImportError:
             self.cmd = cmd
         def __str__(self):
             return "Command '%s' returned non-zero exit status %d" % (self.cmd, self.returncode)
+from ipapython.compat import sha1, md5
 
 def get_domain_name():
     try:
@@ -1395,3 +1397,22 @@ def backup_config_and_replace_variables(fstore, filepath, replacevars=dict(), ap
     old_values = config_replace_variables(filepath, replacevars, appendvars)
 
     return old_values
+
+def decode_ssh_pubkey(data, fptype=md5):
+    try:
+        (algolen,) = struct.unpack('>I', data[:4])
+        if algolen > 0 and algolen <= len(data) - 4:
+            return (data[4:algolen+4], data[algolen+4:], fptype(data).hexdigest().upper())
+    except struct.error:
+        pass
+    raise ValueError('not a SSH public key')
+
+def make_sshfp(key):
+    algo, data, fp = decode_ssh_pubkey(key, fptype=sha1)
+    if algo == 'ssh-rsa':
+        algo = 1
+    elif algo == 'ssh-dss':
+        algo = 2
+    else:
+        return
+    return '%d 1 %s' % (algo, fp)