diff options
| author | Stanislav Laznicka <slaznick@redhat.com> | 2016-12-12 16:59:48 +0100 |
|---|---|---|
| committer | Martin Basti <mbasti@redhat.com> | 2017-01-12 11:09:46 +0100 |
| commit | 721105c53de6fbc0abc7799ec7f48920e02089bd (patch) | |
| tree | 6d1f615ea5d5bc1425a6c944427941d6af5179c0 | |
| parent | 566c86a782bfd7d50938866e9f89faf56cea773f (diff) | |
| download | freeipa-721105c53de6fbc0abc7799ec7f48920e02089bd.tar.gz freeipa-721105c53de6fbc0abc7799ec7f48920e02089bd.tar.xz freeipa-721105c53de6fbc0abc7799ec7f48920e02089bd.zip | |
Generate sha256 ssh pubkey fingerprints for hosts
Replace md5 with sha256 for host ssh pubkey fingerprints
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Christian Heimes <cheimes@redhat.com>
| -rw-r--r-- | ipalib/util.py | 2 | ||||
| -rw-r--r-- | ipapython/ssh.py | 13 | ||||
| -rw-r--r-- | ipatests/test_xmlrpc/test_host_plugin.py | 2 | ||||
| -rw-r--r-- | ipatests/test_xmlrpc/test_idviews_plugin.py | 2 | ||||
| -rw-r--r-- | ipatests/test_xmlrpc/test_stageuser_plugin.py | 2 | ||||
| -rw-r--r-- | ipatests/test_xmlrpc/test_user_plugin.py | 2 | ||||
| -rw-r--r-- | ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 2 |
7 files changed, 13 insertions, 12 deletions
diff --git a/ipalib/util.py b/ipalib/util.py index 1c00cd748..81c0e9e5e 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -301,7 +301,7 @@ def convert_sshpubkey_post(entry_attrs): except (ValueError, UnicodeDecodeError): continue - fp = pubkey.fingerprint_hex_md5() + fp = pubkey.fingerprint_hex_sha256() comment = pubkey.comment() if comment: fp = u'%s %s' % (fp, comment) diff --git a/ipapython/ssh.py b/ipapython/ssh.py index c76cf51e4..57752aedc 100644 --- a/ipapython/ssh.py +++ b/ipapython/ssh.py @@ -25,8 +25,8 @@ SSH utilities. import base64 import re import struct -from hashlib import md5, sha1 -from hashlib import sha256 #pylint: disable=E0611 +from hashlib import sha1 +from hashlib import sha256 # pylint: disable=E0611 import six @@ -190,10 +190,11 @@ class SSHPublicKey(object): return out - def fingerprint_hex_md5(self): - fp = md5(self._key).hexdigest().upper() - fp = u':'.join([fp[j:j+2] for j in range(0, len(fp), 2)]) - return fp + def fingerprint_hex_sha256(self): + # OpenSSH trims the trailing '=' of base64 sha256 FP representation + # Using unicode argument converts the result to unicode object + fp = base64.b64encode(sha256(self._key).digest()).rstrip(u'=') + return 'SHA256:{fp}'.format(fp=fp) def _fingerprint_dns(self, fpfunc, fptype): if self._keytype == 'ssh-rsa': diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py index b36c6b812..d4384e1d7 100644 --- a/ipatests/test_xmlrpc/test_host_plugin.py +++ b/ipatests/test_xmlrpc/test_host_plugin.py @@ -84,7 +84,7 @@ ipv6_fromip_ptr_dnsname = DNSName(ipv6_fromip_ptr) ipv6_fromip_ptr_dn = DN(('idnsname', ipv6_fromip_ptr), revipv6zone_dn) sshpubkey = u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6XHBUAikXPGMzEpVrlLDCZtv00djsFTBi38PkgxBJVkgRWMrcBsr/35lq7P6w8KGIwA8GI48Z0qBS2NBMJ2u9WQ2hjLN6GdMlo77O0uJY3251p12pCVIS/bHRSq8kHO2No8g7KA9fGGcagPfQH+ee3t7HUkpbQkFTmbPPN++r3V8oVUk5LxbryB3UIIVzNmcSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM019Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF0L public key test' -sshpubkeyfp = u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B public key test (ssh-rsa)' +sshpubkeyfp = u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE public key test (ssh-rsa)' user1 = u'tuser1' user2 = u'tuser2' diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py index b1bb5ab39..35d31b37d 100644 --- a/ipatests/test_xmlrpc/test_idviews_plugin.py +++ b/ipatests/test_xmlrpc/test_idviews_plugin.py @@ -66,7 +66,7 @@ sshpubkey = (u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6X' 'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01' '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF' '0L public key test') -sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B ' +sshpubkeyfp = (u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE ' 'public key test (ssh-rsa)') diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py index 4a859e836..e61bf7a9d 100644 --- a/ipatests/test_xmlrpc/test_stageuser_plugin.py +++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py @@ -40,7 +40,7 @@ sshpubkey = (u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6X' 'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01' '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF' '0L public key test') -sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B ' +sshpubkeyfp = (u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE ' 'public key test (ssh-rsa)') options_def = OrderedDict([ diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 7508578c2..c09d793b5 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -55,7 +55,7 @@ sshpubkey = (u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6X' 'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01' '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF' '0L public key test') -sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B ' +sshpubkeyfp = (u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE ' 'public key test (ssh-rsa)') validlanguages = { diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py index 82d7e062b..4f87163ce 100644 --- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py +++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py @@ -24,7 +24,7 @@ sshpubkey = (u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6X' 'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01' '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF' '0L public key test') -sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B ' +sshpubkeyfp = (u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE ' 'public key test (ssh-rsa)') |