author | Jan Cholasta <jcholast@redhat.com> | 2013-01-08 16:13:07 +0100 |
committer | Rob Crittenden <rcritten@redhat.com> | 2013-02-01 09:16:09 -0500 |
commit | 86dde3a38e801bb88a7d573a2a37ce7201e29e0f (patch) | |
tree | 0dc55fbc3f2d8076836302833900b5d58573ada7 | |
parent | c1735e1c80c9ec515f4a30cd212b7e331d7e2a83 (diff) | |
Add support for RFC 6594 SSHFP DNS records.
https://fedorahosted.org/freeipa/ticket/2642
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 3 | ||||
-rw-r--r-- | ipalib/plugins/host.py | 6 | ||||
-rw-r--r-- | ipapython/ssh.py | 15 |
3 files changed, 21 insertions, 3 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index aa8bc793..024b94f4 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1325,6 +1325,9 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
             sshfp = pubkey.fingerprint_dns_sha1()
             if sshfp is not None:
                 update_txt += 'update add %s. %s IN SSHFP %s\n' % (hostname, ttl, sshfp)
+            sshfp = pubkey.fingerprint_dns_sha256()
+            if sshfp is not None:
+                update_txt += 'update add %s. %s IN SSHFP %s\n' % (hostname, ttl, sshfp)
         update_txt += 'send\n'
 
         if not do_nsupdate(update_txt):
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index e1c07b53..f464127d 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -139,6 +139,12 @@ def update_sshfp_record(zone, record, entry_attrs):
             continue
         if sshfp is not None:
             sshfps.append(sshfp)
+        try:
+            sshfp = SSHPublicKey(pubkey).fingerprint_dns_sha256()
+        except ValueError, UnicodeDecodeError:
+            continue
+        if sshfp is not None:
+            sshfps.append(sshfp)
 
     try:
         api.Command['dnsrecord_mod'](zone, record, sshfprecord=sshfps)
diff --git a/ipapython/ssh.py b/ipapython/ssh.py
index 3294aa43..c9548892 100644
--- a/ipapython/ssh.py
+++ b/ipapython/ssh.py
@@ -26,6 +26,7 @@ import base64
 import re
 import struct
 from hashlib import md5, sha1
+from hashlib import sha256 #pylint: disable=E0611
 
 __all__ = ['SSHPublicKey']
 
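Review bot: The new SHA-256 block in update_ssh_keys is a verbatim copy of the SHA-1 block directly above it, so any later change to the record template (`'update add %s. %s IN SSHFP %s\n'`), the TTL or the trailing-dot handling has to be made in two places and can drift. Iterating the two fingerprint methods keeps a single copy: `for fp_method in (pubkey.fingerprint_dns_sha1, pubkey.fingerprint_dns_sha256):` / `sshfp = fp_method()` / followed by the existing `if sshfp is not None:` append. A comment above the loop, `# RFC 6594: publish both a SHA-1 (type 1) and a SHA-256 (type 2) fingerprint for each key`, would record why two records per key are intended rather than a leftover. update_ssh_keys starts and ends outside this hunk.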
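Review bot: The added `except ValueError, UnicodeDecodeError:` in update_sshfp_record does not catch UnicodeDecodeError: in Python 2 that syntax means `except ValueError as UnicodeDecodeError`, so it catches only ValueError and binds it to a local that shadows the builtin, and a key whose bytes fail to decode propagates out of the host command instead of being skipped. The clause should read `except (ValueError, UnicodeDecodeError):`; the SHA-1 block above this hunk is likely spelled the same way (only its `continue` is visible) and should be checked as well. Constructing `SSHPublicKey(pubkey)` a second time also re-parses the same key; parsing once and calling both fingerprint methods on that object would remove the duplicate parse and the duplicated error handling. update_sshfp_record starts outside this hunk.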
@@ -187,12 +188,20 @@ class SSHPublicKey(object):
         fp = u':'.join([fp[j:j+2] for j in range(0, len(fp), 2)])
         return fp
 
-    def fingerprint_dns_sha1(self):
+    def _fingerprint_dns(self, fpfunc, fptype):
         if self._keytype == 'ssh-rsa':
             keytype = 1
         elif self._keytype == 'ssh-dss':
             keytype = 2
+        elif self._keytype.startswith('ecdsa-sha2-') and '@' not in self._keytype:
+            keytype = 3
         else:
             return
-        fp = sha1(self._key).hexdigest().upper()
-        return u'%d 1 %s' % (keytype, fp)
+        fp = fpfunc(self._key).hexdigest().upper()
+        return u'%d %d %s' % (keytype, fptype, fp)
+
+    def fingerprint_dns_sha1(self):
+        return self._fingerprint_dns(sha1, 1)
+
+    def fingerprint_dns_sha256(self):
+        return self._fingerprint_dns(sha256, 2)
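Review bot: `_fingerprint_dns` takes the digest function and the RFC 6594 fingerprint-type number as two unrelated arguments, so a call such as `self._fingerprint_dns(sha256, 1)` is accepted and would publish a record whose declared type does not match its digest, which a client verifying the host key against DNS would not match. Keying the digest on the type number removes that failure mode and turns the two public wrappers into one-liners over a table; the rewrite is below. The helper also needs a docstring stating the mapping it implements (algorithm 1 RSA, 2 DSA, 3 ECDSA; fingerprint type 1 SHA-1, 2 SHA-256, both per RFC 6594) and that it returns None for key types the RFC does not cover, including the `@`-suffixed certificate variants the new `elif` deliberately excludes. The SSHPublicKey class starts outside this hunk.
```python
    # RFC 6594 fingerprint type number -> digest constructor
    _DNS_FPTYPES = {1: sha1, 2: sha256}

    def _fingerprint_dns(self, fptype):
        """Return the RFC 6594 SSHFP rdata 'algorithm fptype HEXDIGEST' for
        this key, or None for key types the RFC does not cover."""
        # … unchanged: keytype selection (1 RSA, 2 DSA, 3 ECDSA) and `else: return` …
        fp = self._DNS_FPTYPES[fptype](self._key).hexdigest().upper()
        return u'%d %d %s' % (keytype, fptype, fp)

    def fingerprint_dns_sha1(self):
        return self._fingerprint_dns(1)

    def fingerprint_dns_sha256(self):
        return self._fingerprint_dns(2)
```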