2sshfp

Very basic shell script to create SSHFP DNS records.

Description

I wrote this very basic script to create SSHFP DNS records when I realized the sshfp tool didn't support ECDSA (i.e. ecdsa-sha2-nistp256) and that my patch would take years to get into production.

It creates SSHFP records from the /etc/ssh/ssh_host_*_key.pub keys.

Features

  • Supports rsa, dsa, ecdsa, ed25519 and xmss key types and the sha1/sha256 hash algorithms.
  • Tested on OpenBSD, FreeBSD and Linux

Requirements

openssl, sed, tr and awk commands - basic stuff

SSHFP records?

SSHFP records are basically SSH host key fingerprints stored in DNS. If you can trust the DNS answer (i.e. it is DNSSEC-validated) you can verify the SSH host key fingerprint automatically.

Here's one: soundwave.mantor.org. IN SSHFP 1 1 F48459337A91E833FA259C8F95D751D22D8541C2

The first number is the key algorithm (1=rsa, 2=dsa, 3=ecdsa, 4=ed25519, 5=xmss), the second number is the hash algorithm (1=sha1, 2=sha256), and the last long string is the hash of the key itself.

What is it used for?

Merge the resulting DNS records into your zone and use them:

  • configure the SSH client to verify SSHFP records with VerifyHostKeyDNS yes;
  • make sure you're using DNSSEC ;)
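As an added example (not part of 2sshfp, which is a shell script built on openssl), the following Python shows both sides of the record format described above: building the sha1 and sha256 SSHFP records from an OpenSSH public-key line, and the check a client performs when VerifyHostKeyDNS is enabled, i.e. hashing the presented key blob and comparing it to the published fingerprint. The fingerprint is the hash of the base64-decoded key blob, which is what the script computes with openssl. The algorithm and hash numbers come from the table above; the ssh-ed25519 key is a constructed, syntactically valid blob with a dummy public point, not a real key.

```python
# Added example (not 2sshfp's code): SSHFP records from an OpenSSH .pub line,
# plus the client-side match a VerifyHostKeyDNS lookup performs.
import base64
import hashlib
import struct

# SSHFP algorithm numbers, as listed in the README.
ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-xmss@openssh.com": 5,
}
# SSHFP fingerprint types: 1 = sha1, 2 = sha256.
HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(hostname, pubkey_line):
    """Return the sha1 and sha256 SSHFP records for one '<type> <base64> [comment]' line.

    The fingerprint is the hash of the decoded key blob (the base64 field),
    which is exactly what 2sshfp pipes through openssl dgst.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    if key_type not in ALGORITHMS:
        raise ValueError("unsupported key type %r" % key_type)
    blob = base64.b64decode(b64, validate=True)
    alg = ALGORITHMS[key_type]
    return [
        "%s IN SSHFP %d %d %s" % (hostname, alg, fptype, hfunc(blob).hexdigest().upper())
        for fptype, hfunc in HASHES.items()
    ]


def parse_sshfp(record):
    """Parse '<name> IN SSHFP <alg> <fptype> <hex>' into (name, alg, fptype, HEX)."""
    name, cls, rtype, alg, fptype, fp = record.split()
    if cls != "IN" or rtype != "SSHFP":
        raise ValueError("not an SSHFP record: %r" % record)
    return name, int(alg), int(fptype), fp.upper()


def host_key_matches(pubkey_line, records):
    """Client-side check: True if the presented key matches at least one record
    whose algorithm number equals the key's and whose hash type we understand."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    alg = ALGORITHMS.get(key_type)
    for rec in records:
        _, r_alg, r_fptype, r_fp = parse_sshfp(rec)
        if r_alg != alg or r_fptype not in HASHES:
            continue
        if HASHES[r_fptype](blob).hexdigest().upper() == r_fp:
            return True
    return False


def _ssh_string(b):
    """Encode one SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed sample: a well-formed ssh-ed25519 blob with a dummy 32-byte
# public point (not a real key pair), presented as a .pub line.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " sample@example"

if __name__ == "__main__":
    records = sshfp_records("vortex", SAMPLE_PUBKEY_LINE)
    for r in records:
        print(r)
    print("client match:", host_key_matches(SAMPLE_PUBKEY_LINE, records))
```

Run it as-is to see two records for the constructed key, in the same `name IN SSHFP alg fptype HEX` shape as the Usage section; feed it a real line from /etc/ssh/ssh_host_ed25519_key.pub to compare against the script's output. Note that the match function ignores records whose algorithm number differs from the presented key, so a correct ed25519 fingerprint published under algorithm 1 would not validate.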

Usage

> ./2sshfp vortex
vortex IN SSHFP 1 1 BBE600FEB1200CB02D5A2912DB37648F65B4A2FE
vortex IN SSHFP 1 2 64C62A33E3FDD2EB94A40B376C2AD4691BB215403217C5D2A92B166581880377
vortex IN SSHFP 2 1 9DDCD0CDE23225BC7EB0051D4FB3928BB17AE4BE
vortex IN SSHFP 2 2 2A58473A4AEC6E1943F8A0E0FDA05269B7CC77347621BBBAA813E2D00D287624
vortex IN SSHFP 3 1 3635F4E90C969C01E5DEA94F26F8268DDC334E25
vortex IN SSHFP 3 2 D109F93C739BC6401D74412F0A638877F1B5B7C1B94602BA20E6EB264EEB8754
vortex IN SSHFP 4 1 C01A3E12F70139C56EACC2DE93B0E5C7CC8D6BB4
vortex IN SSHFP 4 2 197D56859D92B89003456E30782AE449EE8A136766831C482C81344ADFCD5E4E

license

Public domain - A gift to the Internet

2sshfp's Issues

Still does not support sha2.

Should be able to pass an option to use sha2 instead of sha1.

> ./ssh-keyscan2sshfp -sha1 bombshock.mantor.org shockwave.mantor.org
bombshock.mantor.org. IN SSHFP 2 1 D99CC6D7108DFE3E97E8AA9ED33FC9B3799E4ADB

> ./ssh-keyscan2sshfp -sha2 bombshock.mantor.org shockwave.mantor.org
bombshock.mantor.org. IN SSHFP 2 2 D99CC6D7108DFE3E97E8AA9ED33FC9B3799E4ADB

echo -> printf lost newline

The recent commit to change echo to printf, 6f58718, appears to have had the unintended consequence of losing newlines: echo adds them by default, printf does not.

Simply adding a newline fixes this.

--- bin/2sshfp.orig     2017-05-12 17:55:17.504030010 +0800
+++ bin/2sshfp  2017-05-12 17:55:49.780881219 +0800
@@ -1,7 +1,7 @@
 #!/bin/sh
 # A secure way to create SSHFP records (local) | Danny Fullerton - mantor.org | license: public domain
 if [ $# -ne 1 ] || [ "$1" = "-h" ]; then
-  printf "Usage:\t$0 <hostname>\n\t$0 galvatron.mantor.org." >&2
+  printf "Usage:\t$0 <hostname>\n\t$0 galvatron.mantor.org.\n" >&2
   exit 1
 fi
 name=$1
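Review bot: the newline fix is right, but `$0` is still expanded inside printf's format string on the changed line, so a script path containing `%` would be read as a conversion directive; pass it as an argument instead: `printf 'Usage:\t%s <hostname>\n\t%s galvatron.mantor.org.\n' "$0" "$0" >&2`.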
@@ -13,7 +13,7 @@
     if [ -f $key_path ]; then
       eval "h=\${hash${j}}"
       sshfp=`awk '{print $2}' $key_path | openssl base64 -d -A | openssl dgst -${h} | sed 's/^.* //' | awk '{print $1}' | tr '[a-z]' '[A-Z]'`
-      printf "${name} IN SSHFP ${i} ${j} ${sshfp}"
+      printf "${name} IN SSHFP ${i} ${j} ${sshfp}\n"
     fi
   done
 done
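Review bot: same pattern as the usage message: `${name}` is `$1` straight from the command line and `${sshfp}` comes from file contents, and both are expanded into printf's format string on the changed line, so a hostname containing `%` would be misinterpreted; use conversion specifiers with arguments: `printf '%s IN SSHFP %s %s %s\n' "$name" "$i" "$j" "$sshfp"`. While here, `[ -f $key_path ]` and the `awk '{print $2}' $key_path` in the context lines should quote `"$key_path"`.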

`openssl dgst` doesn't support -r

The openssl versions on my Linux and MacOSX machines don't provide a -r flag, and instead just read from stdin by default if there isn't a file given in the command.

Roundcube yubico security key plugin

Hi Danny,

Firstly, sorry to put a yubico issue in the wrong repository. I am a newbie to github and was not able to put an issue in the archived repository. I have installed the roundcube yubikey plugin in my roundcube 1.3.1. It is showing the require otp option. I have procured a 'Security Key u2f' from yubico. But it is not showing any effect on the plugin when plugged into usb and placing the cursor in the yubikey id field. I have checked with the demo page on yubico, where my keys (two of them) are working fine as they have got registered and authenticated. Kindly guide me in getting two factor authentication activated in my setup.

Thanks again

Mitz
