Page MenuHomePhabricator

Add SSHFP dns records to bastions
Open, Stalled, LowPublic

Description

Since Horizon supports it now, we can add ssh fingerprints to DNS to allow people to easily verify them.

Related Objects

StatusAssignedTask
StalledNone
Openaborrero
Resolvedaborrero
Resolvedaborrero
ResolvedPapaul
Openaborrero
Resolvedaborrero
Resolvedaborrero
ResolvedPapaul
Resolvedaborrero
Resolvedaborrero
Resolvedaborrero
Resolvedaborrero
ResolvedAndrew
Resolvedaborrero
Resolvedaborrero
ResolvedAndrew
Resolvedaborrero
Resolvedaborrero
Openaborrero

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 8 2016, 10:51 PM
chasemp triaged this task as Low priority.May 31 2016, 3:25 PM

This should be trivial for bastion (and tools, which has it's own bastion?) projectadmins to do:

krenair@bastion-01:~$ ssh-keygen -r bastion.wmflabs.org
bastion.wmflabs.org IN SSHFP 1 1 ad3b75b45ee16b8594439d73840772396c99d3fb
bastion.wmflabs.org IN SSHFP 1 2 7f3f61e323a7d75de08a2a6069b333e925cae260f4902017194002f226db8658
bastion.wmflabs.org IN SSHFP 2 1 9a042e0e78ab1abf19ce7979b5570aca798ee034
bastion.wmflabs.org IN SSHFP 2 2 18369baebbf4b623f41837a28e653fc15fbf72d20f31e15ba12810c324a943dc
bastion.wmflabs.org IN SSHFP 3 1 30456f68cad67c5f52c25c39c5a8baf309ab6598
bastion.wmflabs.org IN SSHFP 3 2 b3ec6e2e8f753dc54815c15dc4f402ec85e02769d8c5a5dca9aedb284effb9f0
bastion.wmflabs.org IN SSHFP 4 1 fc51eadaa3a17145657dbafd234d5bae53becc45
bastion.wmflabs.org IN SSHFP 4 2 2296db90c208d102bebd489a8ba76f416879536f88c07d3ec57ab6552f5be351
krenair@tools-bastion-03:~$ ssh-keygen -r login.tools.wmflabs.org
login.tools.wmflabs.org IN SSHFP 1 1 f9b98d018bafdbaf390d0fa603da6882bf7da9b4
login.tools.wmflabs.org IN SSHFP 1 2 78e034b15dee10a676c2e3cf433d848497d941c2e36534ebb6aed9465275a793
login.tools.wmflabs.org IN SSHFP 2 1 81491932175103262e207761cd2fc149df049ea1
login.tools.wmflabs.org IN SSHFP 2 2 cbd7461befdc188a3a36cc041b64f8cffb1de2e314c5a94d9cf531a4eba42b03
login.tools.wmflabs.org IN SSHFP 3 1 44e8d3f9c7f8a6b7cc024abe37b1915218528dbf
login.tools.wmflabs.org IN SSHFP 3 2 4f26cdb48a0499469c6712a2f3705160fdd0f9331e2b9965c6e308e9db812844
login.tools.wmflabs.org IN SSHFP 4 1 8cc699d55f64202fc4478f82501cf815e986217f
login.tools.wmflabs.org IN SSHFP 4 2 c433838e45b99ab1552c514dcf893df08fac2ec723db09d21d5faf8e0e8240f1

Mentioned in SAL [2016-08-04T00:18:53Z] <yuvipanda> added Krenair as admin to help with T132225 and other issues

Mentioned in SAL [2016-08-04T00:19:08Z] <yuvipanda> added Krenair as admin to help with T132225 and other issues.

AlexMonk-WMF added a comment.EditedAug 4 2016, 12:52 AM

I just tried this with primary.bastion.wmflabs.org, but Horizon won't let me create algorithm 4 (ED25519) fingerprint records. Also, Designate won't let me create algorithm 3 (ECDSA) or SHA256 records (the longer ones, with fingerprint type 2), it says Error: Provided object does not match schema
This makes SSH *really* hate logging in

AlexMonk-WMF added a comment.EditedAug 4 2016, 1:08 AM

Fix submitted upstream to designate-dashboard for validation of ED25519 records:
https://review.openstack.org/350847

AlexMonk-WMF changed the task status from Open to Stalled.Aug 4 2016, 1:23 AM
AlexMonk-WMF added a project: Upstream.

Fix submitted upstream to designate for validation of ECDSA, ED25519 and SHA-256 records: https://review.openstack.org/350850
Marking this as stalled, I guess until we upgrade to Newton?

(Removing the primary.bastion.wmflabs.org SSHFP records until then)

The patches are merged, we'll probably need to wait for OpenStack Newton to use it (we currently run Liberty with labtesthorizon on Mitaka) unless they backport to Mitaka I guess.

So the Designate side of this (the bit that's really required) is being backported to Mitaka in https://review.openstack.org/#/c/374308/

Okay I mentioned it during the designate meeting today and it's been approved - that's now on the mitaka stable branch. It'd probably become available through the mitaka packages once they release a new version of designate for mitaka, which would contain that patch.

scfc moved this task from Triage to Backlog on the Toolforge board.Dec 4 2016, 8:44 PM

AFAICT, new packages have not been released yet. To check, I downloaded python-designate_1~2.0.0-2~bpo8+1_all.deb from http://mitaka-jessie.pkgs.mirantis.com/debian/pool/jessie-mitaka-backports/main/d/designate/ and looked at /usr/lib/python2.7/dist-packages/designate/schema/format.py in that package which currently contains the line:

RE_SSHFP_FINGERPRINT = r'^[0-9A-Fa-f]{40}\Z'

and which, for @Krenair's patch to have been applied, should say:

RE_SSHFP_FINGERPRINT = r'^([0-9A-Fa-f]{10,40}|[0-9A-Fa-f]{64})\Z'

(Yes, the timestamp of the package would have been a clue as well, but I wanted to verify where the patch would show up and which version does not have the patch applied.)