Working With SSH Fingerprints

What is SSHFP? Why do I care?

Script

I found a script somebody else had already cobbled together, and made some small changes to it. I gave it getopts, a test option, and some filtering of records I don’t want to see, such as SHA1. The script looks like this:

#!/bin/sh

set -e
PATH="/bin:/usr/bin:/usr/local/bin"

usage() {
	echo "usage: $0 -h <host> [-t]" >&2
	echo "  -h <host> is required, -t (test mode: print the commands instead of running them) is optional" >&2
	exit 1
}

host=""
test_mode="NO"
while getopts "h:t" COMMAND_LINE_ARGUMENT ; do
	case "${COMMAND_LINE_ARGUMENT}" in
		h) host=${OPTARG}
			;;
		t) test_mode="YES"
			;;
		\?) usage
			;;
	esac
done
# without a host, ssh-keyscan would be handed an empty argument
[ -n "${host}" ] || usage

cmd_pfx=""
if [ "${test_mode}" = "YES" ]; then
	echo "Test Mode"
	cmd_pfx="echo Would issue"
fi

# mktemp wants a template ending in X's; "$$" alone is not one
TMPFILE1="$(mktemp /var/tmp/sshfp_1.XXXXXX)"
TMPFILE2="$(mktemp /var/tmp/sshfp_2.XXXXXX)"
# clean up both scratch files on any exit: normal, ^C, or an error under set -e
trap 'rm -f "${TMPFILE1}" "${TMPFILE2}"' INT TERM EXIT

# gsed is GNU sed (needed for -r/-i on systems whose native sed lacks them)
for proto in rsa dsa ecdsa ed25519; do
	# fetch the host's public key of this type; output is "host keytype base64key"
	${cmd_pfx} ssh-keyscan -t "${proto}" "${host}" > "${TMPFILE1}" 2>/dev/null || true
	# host offers no key of this type: try the next one ([ ] rather than [[ ]] keeps this /bin/sh)
	[ -s "${TMPFILE1}" ] || continue
	# drop the leading hostname so the file is a plain public key ssh-keygen can read
	${cmd_pfx} gsed -ri 's/^[^ ]+ //' "${TMPFILE1}"
	# ssh-keygen -r prints the SSHFP resource records for that key
	${cmd_pfx} ssh-keygen -r "${host}" -f "${TMPFILE1}" > "${TMPFILE2}"
	${cmd_pfx} mv "${TMPFILE2}" "${TMPFILE1}"
	# keep the wanted records and rewrite them as zone-file lines without the owner name
	${cmd_pfx} gsed -rn '/SSHFP ([2]|[1-9] 2)/ s/^([^ ]+) IN SSHFP (.*)$/\t\tIN\tSSHFP\t\2/p' "${TMPFILE1}" > "${TMPFILE2}"
	${cmd_pfx} mv "${TMPFILE2}" "${TMPFILE1}"
	# drop fingerprint type 1 (SHA-1) records; "|| true" so an all-filtered file does not trip set -e
	${cmd_pfx} grep -Ev '1 1|2 1|3 1|4 1' "${TMPFILE1}" || true
done
# vim: set ts=4 sw=4 tw=80 noet :

What can I do with this script? If I feed it a host name, it gives me the SSHFP entries for that host. Why do I want SSHFP entries? SSHFP entries can be published in DNS. When a user first makes an SSH connection to a host, SSH can be configured ('-o VerifyHostKeyDNS=yes') to look up SSHFP records, and if it finds records that match the key the host presents, it does not prompt the user about whether to connect; it just connects. One caveat: the client only skips the prompt when the resolver returned the records as DNSSEC-validated; for unvalidated answers, ssh reports that a matching fingerprint was found in DNS but still asks.
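As an added example (not part of the original post, and not the script above), here is what `ssh-keygen -r` and the client-side VerifyHostKeyDNS comparison do under the hood, written in Python so it runs offline: the SSHFP fingerprint is a hash over the raw base64-decoded public key blob, tagged with the IANA algorithm number for the key type and the fingerprint type (1 for SHA-1, 2 for SHA-256). The host name `host.example` and the ed25519 key bytes are constructed dummies, not a real host key, and the function names are this example's own.

```python
import base64
import hashlib

# SSHFP algorithm numbers from the IANA registry (RFC 4255, 6594, 7479),
# keyed by the key type string that ssh-keyscan prints.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (legacy, what the script filters out), 2 = SHA-256.
FP_SHA1, FP_SHA256 = 1, 2
HASHES = {FP_SHA1: hashlib.sha1, FP_SHA256: hashlib.sha256}

# Constructed sample: a syntactically valid ssh-ed25519 wire-format key blob
# (length-prefixed type string, then a length-prefixed 32-byte point) holding
# dummy key bytes. Not a real host key; it only lets the example run offline.
SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_KEYSCAN_LINE = f"host.example ssh-ed25519 {SAMPLE_B64}"


def sshfp_from_keyscan_line(line, fptype=FP_SHA256):
    """Derive (algorithm, fptype, hex_fingerprint) from one ssh-keyscan output
    line ("host keytype base64key"), the way ssh-keygen -r does: the
    fingerprint is the hash of the raw, base64-decoded public key blob."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"not a keyscan line: {line!r}")
    keytype, b64 = fields[1], fields[2]
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for key type {keytype}")
    blob = base64.b64decode(b64)
    return SSHFP_ALGORITHM[keytype], fptype, HASHES[fptype](blob).hexdigest()


def format_record(line, fptype=FP_SHA256):
    """Emit the record in the owner-less zone-file layout the script prints."""
    alg, fpt, hexfp = sshfp_from_keyscan_line(line, fptype)
    return f"\t\tIN\tSSHFP\t{alg} {fpt} {hexfp}"


def parse_sshfp_rr(text):
    """Parse 'owner [ttl] [IN] SSHFP alg fptype hex' into (alg, fptype, hex).
    The hex may be split across whitespace in presentation format."""
    fields = text.split()
    i = fields.index("SSHFP")
    alg, fptype, hexfp = fields[i + 1], fields[i + 2], "".join(fields[i + 3:])
    return int(alg), int(fptype), hexfp.lower()


def host_key_matches_dns(records, keyscan_line, allow_sha1=False):
    """What a client with VerifyHostKeyDNS does once it holds the server's key:
    hash the presented key and look for a published record that matches.
    SHA-1 records are ignored unless explicitly allowed; unknown fingerprint
    types cannot be checked and are skipped. True only on a real match."""
    for alg, fptype, hexfp in records:
        if fptype == FP_SHA1 and not allow_sha1:
            continue
        if fptype not in HASHES:
            continue
        if (alg, fptype, hexfp) == sshfp_from_keyscan_line(keyscan_line, fptype):
            return True
    return False


if __name__ == "__main__":
    # what the script would print for this key
    print(format_record(SAMPLE_KEYSCAN_LINE))
    # and the client-side check against the record as it would sit in the zone
    alg, fpt, hexfp = sshfp_from_keyscan_line(SAMPLE_KEYSCAN_LINE)
    published = [parse_sshfp_rr(f"host.example. 3600 IN SSHFP {alg} {fpt} {hexfp}")]
    print("host key matches DNS:", host_key_matches_dns(published, SAMPLE_KEYSCAN_LINE))
```

The match function deliberately refuses SHA-1 records by default, mirroring the script's filter: a published type-1 record is a weaker commitment to the key than a type-2 one, so a defender wants the SHA-256 record to be the one that decides.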
