
Document labs SSH Fingerprints in sha256 format
Closed, Resolved (Public)

Description

The subpages of https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints list the server fingerprints using md5 hashes. The sha256 hashes (used by default in recent openssh versions) should also be included.

For instance, the fingerprints for bastion.wmflabs.org are:

ssh_host_dsa_key.pub
1024 MD5:25:aa:15:a6:9b:17:b7:b5:08:87:27:10:f7:b8:dd:52 root@bastion-01 (DSA)
1024 SHA256:GDabrrv0tiP0GDeijmU/wV+/ctIPMeFboSgQwySpQ9w root@bastion-01 (DSA)
ssh_host_ecdsa_key.pub
256 MD5:22:3e:0a:08:8a:30:30:3e:d1:45:94:d9:17:bb:19:70 root@bastion-01 (ECDSA)
256 SHA256:s+xuLo91PcVIFcFdxPQC7IXgJ2nYxaXcqa7bKE7/ufA root@bastion-01 (ECDSA)
ssh_host_ed25519_key.pub
256 MD5:5c:4d:7d:d0:85:7b:28:2d:95:a7:8a:33:e8:c4:a7:19 root@bastion-01 (ED25519)
256 SHA256:IpbbkMII0QK+vUiai6dvQWh5U2+IwH0+xXq2VS9b41E root@bastion-01 (ED25519)
ssh_host_rsa_key.pub
2048 MD5:20:1d:1a:b5:49:4e:4e:d4:dd:b1:06:4e:de:f4:da:44 root@bastion-01 (RSA)
2048 SHA256:fz9h4yOn113giipgabMz6SXK4mD0kCAXGUAC8ibbhlg root@bastion-01 (RSA)

that should be saved in https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/bastion.wmflabs.org

A wikitech sysop needs to gather the sha256 hashes and fill those pages.

Event Timeline

Platonides raised the priority of this task from to Medium.
Platonides updated the task description.
Platonides added a project: Cloud-Services.
Platonides subscribed.

Someone else noticed this issue (I think it might've been @Jdforrester-WMF?)
If I can figure out how to generate these myself I'll add them in.

Krenair added subscribers: He7d3r, hashar.

I made a VM with OpenSSH v6.9p1. How's this format, @Platonides/@hashar/@He7d3r?

alex@ubuntu-15-10-wily-b2:~$ ./server-fingerprints.py bast1001.wikimedia.org
;RSA:
* <code>MD5:ee:35:bf:6d:89:e0:9d:86:8b:6d:d1:9c:f0:a2:56:a6</code>
* <code>SHA256:X35PeU2VcX503ti6wclzwU02JhMpp0IXmpieWI4MKYA</code>

;ED25519:
* <code>MD5:47:98:2c:0a:4b:71:a2:c5:86:fb:5c:af:a2:9d:4f:2a</code>
* <code>SHA256:+oFZVVHEkYSwkkvv/6COp+kl/GZk+pF66nz0K/fkWME</code>

;ECDSA:
* <code>MD5:fb:a0:92:ad:5b:49:d0:de:91:02:7d:29:f6:c1:2a:5c</code>
* <code>SHA256:WBXnBQtN8iqEOwAmRXbcx0ToKnD5yvZfeK0jSTYJCmM</code>

alex@ubuntu-15-10-wily-b2:~$ ./server-fingerprints.py gerrit.wikimedia.org 29418
;RSA:
* <code>MD5:dc:e9:68:7b:99:1b:27:d0:f9:fd:ce:6a:2e:bf:92:e1</code>
* <code>SHA256:j7HQoQ6fIuEgDHjONjI2CZ+2Iwxqgo2Ur5LbPqBgxOU</code>

alex@ubuntu-15-10-wily-b2:~$ ./server-fingerprints.py git-ssh.wikimedia.org
;RSA:
* <code>MD5:23:41:97:64:0d:5b:18:31:ab:12:06:ca:b7:c1:3f:8b</code>
* <code>SHA256:T/TrKqqVHY6sMhStF3L6Dtamh7Px01D+QSq7I/XUmNU</code>

;ECDSA:
* <code>MD5:90:2f:c4:cf:4b:96:d6:b3:30:14:94:b5:c7:16:38:15</code>
* <code>SHA256:YP7kNsPh4RBNiVRd3zPoUIfrjNtiMuqf07CdXFGnm9k</code>

;ED25519:
* <code>MD5:f1:3f:61:23:fe:36:90:b6:2b:e5:d5:0d:5b:2d:80:3a</code>
* <code>SHA256:xSBKhsRLfI3bRo8NaG5zD8WfIvmPQxaV7XM9hUvxbMs</code>

Done, posted the script I used to generate the pages to https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints
Still got a couple of production hosts to sort out

Done those stat ones (by hand using ssh-keyscan on a production bastion and ssh-keygen in my VM, then copying everything manually into the template), added git-ssh (I also added bast2001/bast4001 recently), and protected all the fingerprint pages which weren't already protected.
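
How the two fingerprint formats discussed in this task are derived from the same public key, as an added example (this is not the script posted to wikitech). It assumes `ssh-keyscan`-style input lines (`host keytype base64`); the function names and the sample key are constructed for illustration, and the output mirrors the wikitext layout shown in the thread.

```python
import base64
import hashlib
import struct

# Wiki labels as used in the output shown in this thread.
LABELS = {"ssh-rsa": "RSA", "ssh-dss": "DSA", "ssh-ed25519": "ED25519"}

def label_for(key_type):
    if key_type.startswith("ecdsa-sha2-"):
        return "ECDSA"
    return LABELS.get(key_type, key_type)

def fingerprints(keyscan_line):
    """Return (key_type, md5_fp, sha256_fp) for one 'host keytype base64' line."""
    _host, declared, b64 = keyscan_line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a uint32 length and the algorithm name (SSH wire
    # format); reject lines whose declared type disagrees with the blob.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != declared.encode():
        raise ValueError("declared key type does not match key blob")
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_fp = "MD5:" + ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    # OpenSSH prints the SHA256 digest as base64 with the '=' padding removed.
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return declared, md5_fp, "SHA256:" + sha

def to_wikitext(keyscan_output):
    out = []
    for line in keyscan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # ssh-keyscan banner/comment lines
        key_type, md5_fp, sha_fp = fingerprints(line)
        out += [";%s:" % label_for(key_type),
                "* <code>%s</code>" % md5_fp, "* <code>%s</code>" % sha_fp, ""]
    return "\n".join(out)

def constructed_line(key_type, payload):
    # Constructed sample, not a real host key: name + one length-prefixed field.
    name = key_type.encode()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(payload)) + payload
    return "host.example %s %s" % (key_type, base64.b64encode(blob).decode())

SAMPLE = "# host.example:22 SSH-2.0-constructed\n" + constructed_line("ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    print(to_wikitext(SAMPLE))
```

Both fingerprints are digests of the same key blob, so a published fingerprint is only as trustworthy as the channel the key line was collected over.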