-rwxr-xr-xipa-client/ipa-install/ipa-client-install3
-rw-r--r--ipalib/plugins/host.py6
-rw-r--r--ipapython/ssh.py15
3 files changed, 21 insertions, 3 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index aa8bc7934..024b94f46 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1325,6 +1325,9 @@ def update_ssh_keys(server, hostname, ssh_dir, create_sshfp):
sshfp = pubkey.fingerprint_dns_sha1()
if sshfp is not None:
update_txt += 'update add %s. %s IN SSHFP %s\n' % (hostname, ttl, sshfp)
+ sshfp = pubkey.fingerprint_dns_sha256()
+ if sshfp is not None:
+ update_txt += 'update add %s. %s IN SSHFP %s\n' % (hostname, ttl, sshfp)
update_txt += 'send\n'
if not do_nsupdate(update_txt):
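Review bot: The three added lines are a verbatim copy of the SHA-1 block just above them, so each further fingerprint type (the module already distinguishes them by an integer) would mean another copy of the same `if sshfp is not None` guard and format string. Folding both into one loop keeps the update text identical: `for sshfp in (pubkey.fingerprint_dns_sha1(), pubkey.fingerprint_dns_sha256()):` / `    if sshfp is not None:` / `        update_txt += 'update add %s. %s IN SSHFP %s\n' % (hostname, ttl, sshfp)`. update_ssh_keys starts before the hunk and continues after it, so the loop over keys that supplies `pubkey` is not visible here.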
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index e1c07b53b..f464127d9 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -139,6 +139,12 @@ def update_sshfp_record(zone, record, entry_attrs):
continue
if sshfp is not None:
sshfps.append(sshfp)
+ try:
+ sshfp = SSHPublicKey(pubkey).fingerprint_dns_sha256()
+ except ValueError, UnicodeDecodeError:
+ continue
+ if sshfp is not None:
+ sshfps.append(sshfp)
try:
api.Command['dnsrecord_mod'](zone, record, sshfprecord=sshfps)
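Review bot: The added `except ValueError, UnicodeDecodeError:` is the Python 2 two-argument form, which catches only ValueError and binds the caught exception to the name `UnicodeDecodeError`; it still works because UnicodeDecodeError derives from ValueError, but it shadows the builtin as a function-local for all of update_sshfp_record. The intended tuple form is `except (ValueError, UnicodeDecodeError):`, and if the earlier try block (above the hunk, ending in the visible `continue`) uses the same two-argument form it should be corrected together with this one. The new block also constructs `SSHPublicKey(pubkey)` a second time for the same key; parsing once and calling both fingerprint methods on the result would avoid the duplicate parse, though the first construction lies outside the hunk. The function starts before the hunk and its second try statement continues past the last line shown.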
diff --git a/ipapython/ssh.py b/ipapython/ssh.py
index 3294aa430..c95488928 100644
--- a/ipapython/ssh.py
+++ b/ipapython/ssh.py
@@ -26,6 +26,7 @@ import base64
import re
import struct
from hashlib import md5, sha1
+from hashlib import sha256 #pylint: disable=E0611
__all__ = ['SSHPublicKey']
@@ -187,12 +188,20 @@ class SSHPublicKey(object):
fp = u':'.join([fp[j:j+2] for j in range(0, len(fp), 2)])
return fp
- def fingerprint_dns_sha1(self):
+ def _fingerprint_dns(self, fpfunc, fptype):
if self._keytype == 'ssh-rsa':
keytype = 1
elif self._keytype == 'ssh-dss':
keytype = 2
+ elif self._keytype.startswith('ecdsa-sha2-') and '@' not in self._keytype:
+ keytype = 3
else:
return
- fp = sha1(self._key).hexdigest().upper()
- return u'%d 1 %s' % (keytype, fp)
+ fp = fpfunc(self._key).hexdigest().upper()
+ return u'%d %d %s' % (keytype, fptype, fp)
+
+ def fingerprint_dns_sha1(self):
+ return self._fingerprint_dns(sha1, 1)
+
+ def fingerprint_dns_sha256(self):
+ return self._fingerprint_dns(sha256, 2)