
Add SSHFP dns records to bastions
Open, Stalled, Low, Public


Since Horizon supports it now, we can add ssh fingerprints to DNS to allow people to easily verify them.

Event Timeline

Restricted Application added a subscriber: Aklapper. Apr 8 2016, 10:51 PM
chasemp triaged this task as Low priority. May 31 2016, 3:25 PM

This should be trivial for bastion (and tools, which has its own bastion?) projectadmins to do:

krenair@bastion-01:~$ ssh-keygen -r
IN SSHFP 1 1 ad3b75b45ee16b8594439d73840772396c99d3fb
IN SSHFP 1 2 7f3f61e323a7d75de08a2a6069b333e925cae260f4902017194002f226db8658
IN SSHFP 2 1 9a042e0e78ab1abf19ce7979b5570aca798ee034
IN SSHFP 2 2 18369baebbf4b623f41837a28e653fc15fbf72d20f31e15ba12810c324a943dc
IN SSHFP 3 1 30456f68cad67c5f52c25c39c5a8baf309ab6598
IN SSHFP 3 2 b3ec6e2e8f753dc54815c15dc4f402ec85e02769d8c5a5dca9aedb284effb9f0
IN SSHFP 4 1 fc51eadaa3a17145657dbafd234d5bae53becc45
IN SSHFP 4 2 2296db90c208d102bebd489a8ba76f416879536f88c07d3ec57ab6552f5be351

krenair@tools-bastion-03:~$ ssh-keygen -r
IN SSHFP 1 1 f9b98d018bafdbaf390d0fa603da6882bf7da9b4
IN SSHFP 1 2 78e034b15dee10a676c2e3cf433d848497d941c2e36534ebb6aed9465275a793
IN SSHFP 2 1 81491932175103262e207761cd2fc149df049ea1
IN SSHFP 2 2 cbd7461befdc188a3a36cc041b64f8cffb1de2e314c5a94d9cf531a4eba42b03
IN SSHFP 3 1 44e8d3f9c7f8a6b7cc024abe37b1915218528dbf
IN SSHFP 3 2 4f26cdb48a0499469c6712a2f3705160fdd0f9331e2b9965c6e308e9db812844
IN SSHFP 4 1 8cc699d55f64202fc4478f82501cf815e986217f
IN SSHFP 4 2 c433838e45b99ab1552c514dcf893df08fac2ec723db09d21d5faf8e0e8240f1

Mentioned in SAL [2016-08-04T00:18:53Z] <yuvipanda> added Krenair as admin to help with T132225 and other issues

Mentioned in SAL [2016-08-04T00:19:08Z] <yuvipanda> added Krenair as admin to help with T132225 and other issues.

AlexMonk-WMF added a comment. Edited Aug 4 2016, 12:52 AM

I just tried this with, but Horizon won't let me create algorithm 4 (ED25519) fingerprint records. Also, Designate won't let me create algorithm 3 (ECDSA) or SHA256 records (the longer ones, with fingerprint type 2), it says Error: Provided object does not match schema
This makes SSH *really* hate logging in

AlexMonk-WMF added a comment. Edited Aug 4 2016, 1:08 AM

Fix submitted upstream to designate-dashboard for validation of ED25519 records:

AlexMonk-WMF changed the task status from Open to Stalled. Aug 4 2016, 1:23 AM
AlexMonk-WMF added a project: Upstream.

Fix submitted upstream to designate for validation of ECDSA, ED25519 and SHA-256 records:
Marking this as stalled, I guess until we upgrade to Newton?

(Removing the SSHFP records until then)

The patches are merged, we'll probably need to wait for OpenStack Newton to use it (we currently run Liberty with labtesthorizon on Mitaka) unless they backport to Mitaka I guess.

So the Designate side of this (the bit that's really required) is being backported to Mitaka in

Okay I mentioned it during the designate meeting today and it's been approved - that's now on the mitaka stable branch. It'd probably become available through the mitaka packages once they release a new version of designate for mitaka, which would contain that patch.

scfc moved this task from Triage to Backlog on the Toolforge board. Dec 4 2016, 8:44 PM

AFAICT, new packages have not been released yet. To check, I downloaded python-designate_1~2.0.0-2~bpo8+1_all.deb from and looked at /usr/lib/python2.7/dist-packages/designate/schema/ in that package which currently contains the line:

RE_SSHFP_FINGERPRINT = r'^[0-9A-Fa-f]{40}\Z'

and which, for @Krenair's patch to have been applied, should say:

RE_SSHFP_FINGERPRINT = r'^([0-9A-Fa-f]{10,40}|[0-9A-Fa-f]{64})\Z'

(Yes, the timestamp of the package would have been a clue as well, but I wanted to verify where the patch would show up and which version does not have the patch applied.)
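The following is an added example, not code from this task or from Designate. It ties together Krenair's ssh-keygen -r output above and the two RE_SSHFP_FINGERPRINT regexes scfc quotes: it parses SSHFP zone lines, checks each record's fingerprint length against its fingerprint type (SHA-1 is 40 hex digits, SHA-256 is 64, per RFC 4255 and RFC 6594), and reports whether the unpatched or the patched Designate regex would accept the fingerprint. Only the fingerprint regex is modelled; the separate algorithm-number restriction the task mentions (Designate rejecting ECDSA, Horizon rejecting ED25519) lives in schema rules not quoted on this page. The owner name bastion.example. is a constructed placeholder, since the pasted ssh-keygen output omits the hostname; the fingerprints are four of the bastion-01 records from the task.

```python
import re

# Designate's SSHFP fingerprint check before the patch, as quoted in the task:
# exactly 40 hex digits, so only SHA-1 (fingerprint type 1) records pass.
RE_SSHFP_FINGERPRINT_OLD = re.compile(r'^[0-9A-Fa-f]{40}\Z')
# The same check after the patch: 10-40 hex digits, or exactly 64 for SHA-256.
RE_SSHFP_FINGERPRINT_NEW = re.compile(r'^([0-9A-Fa-f]{10,40}|[0-9A-Fa-f]{64})\Z')

# SSHFP algorithm and fingerprint-type numbers from RFC 4255, 6594 and 7479.
ALGORITHMS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "Ed25519"}
FP_TYPES = {1: ("SHA-1", 40), 2: ("SHA-256", 64)}

# Constructed sample: four of the bastion-01 records from the task, with a
# placeholder owner name (ssh-keygen -r prints the hostname given on its
# command line; the task's paste omits it).
SAMPLE_ZONE_TEXT = """\
bastion.example. IN SSHFP 1 1 ad3b75b45ee16b8594439d73840772396c99d3fb
bastion.example. IN SSHFP 1 2 7f3f61e323a7d75de08a2a6069b333e925cae260f4902017194002f226db8658
bastion.example. IN SSHFP 3 1 30456f68cad67c5f52c25c39c5a8baf309ab6598
bastion.example. IN SSHFP 4 2 2296db90c208d102bebd489a8ba76f416879536f88c07d3ec57ab6552f5be351
"""


def parse_sshfp(line):
    """Split one 'owner IN SSHFP alg fptype fingerprint' line into its fields."""
    fields = line.split()
    if len(fields) != 6 or fields[1] != "IN" or fields[2] != "SSHFP":
        raise ValueError(f"not an SSHFP record: {line!r}")
    owner, _, _, alg, fptype, fingerprint = fields
    return owner, int(alg), int(fptype), fingerprint.lower()


def record_problems(alg, fptype, fingerprint):
    """Return the structural problems with a record (empty list = well-formed).

    A record whose fingerprint length does not match its type can never verify,
    which is the failure the task describes when a client trusts DNS for host keys.
    """
    problems = []
    if alg not in ALGORITHMS:
        problems.append(f"unknown algorithm number {alg}")
    if not re.fullmatch(r"[0-9a-f]+", fingerprint):
        problems.append("fingerprint is not hexadecimal")
    if fptype not in FP_TYPES:
        problems.append(f"unknown fingerprint type {fptype}")
    else:
        name, hexlen = FP_TYPES[fptype]
        if len(fingerprint) != hexlen:
            problems.append(
                f"{name} fingerprint must be {hexlen} hex digits, got {len(fingerprint)}"
            )
    return problems


def designate_accepts(fingerprint, patched):
    """Would Designate's fingerprint regex accept this value, before/after the patch?"""
    regex = RE_SSHFP_FINGERPRINT_NEW if patched else RE_SSHFP_FINGERPRINT_OLD
    return regex.match(fingerprint) is not None


def audit(zone_text):
    """Check every SSHFP line: is it well-formed, and which Designate accepts it?"""
    rows = []
    for line in zone_text.splitlines():
        if not line.strip():
            continue
        owner, alg, fptype, fingerprint = parse_sshfp(line)
        rows.append({
            "owner": owner,
            "algorithm": ALGORITHMS.get(alg, f"unknown({alg})"),
            "fp_type": FP_TYPES.get(fptype, ("unknown", 0))[0],
            "problems": record_problems(alg, fptype, fingerprint),
            "unpatched_designate": designate_accepts(fingerprint, patched=False),
            "patched_designate": designate_accepts(fingerprint, patched=True),
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_ZONE_TEXT):
        print(row)
```

Running it shows the two SHA-256 records (fingerprint type 2) rejected by the unpatched regex and accepted by the patched one, which is exactly the difference scfc was looking for in the packaged schema file.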