launch-node: get sshfp entries from the host
It turns out bionic ssh-keygen doesn't have the "-D" to produce the sshfp records; switch to logging in and getting these via "ssh-keygen -r" on the host. Change-Id: Icb6efd7c4fd9623af24e58c69f8a188a4c1fb4c9
parent
c20b778cc1
commit
e819c26cad
@ -3,19 +3,32 @@
|
||||
import argparse
|
||||
import subprocess
|
||||
|
||||
def generate_sshfp_records(hostname, ip):
|
||||
def generate_sshfp_records(hostname, ip, local):
|
||||
'''Given a hostname and and IP address, scan the IP address (hostname
|
||||
not in dns yet) and return a bind string with sshfp records'''
|
||||
|
||||
s = subprocess.run(['ssh-keyscan', '-D', ip],
|
||||
if local:
|
||||
p = ['ssh-keyscan', '-D', ip]
|
||||
else:
|
||||
# Handle being run via sudo which is the usual way
|
||||
# this is run.
|
||||
p = ['ssh', '-o', 'StrictHostKeyChecking=no',
|
||||
'-i', '/root/.ssh/id_rsa',
|
||||
'root@%s' % ip, 'ssh-keygen', '-r', ip]
|
||||
|
||||
s = subprocess.run(p,
|
||||
stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE).stdout.decode('utf-8')
|
||||
|
||||
fingerprints = []
|
||||
for line in s.split('\n'):
|
||||
if not line:
|
||||
continue
|
||||
_, _, _, algo, key_type, fingerprint = line.split(' ')
|
||||
# ssh-keygen on the host seems to return DSS/DSA keys, which
|
||||
# aren't valid to log in and not shown by ssh-keyscan -D
|
||||
# ... prune it.
|
||||
if algo == '2':
|
||||
continue
|
||||
fingerprints.append(
|
||||
(algo, key_type, fingerprint))
|
||||
|
||||
@ -32,17 +45,19 @@ def generate_sshfp_records(hostname, ip):
|
||||
return ret
|
||||
|
||||
|
||||
def sshfp_print_records(hostname, ip):
|
||||
print(generate_sshfp_records(hostname, ip))
|
||||
def sshfp_print_records(hostname, ip, local=False):
|
||||
print(generate_sshfp_records(hostname, ip, local))
|
||||
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument("hostname", help="hostname")
|
||||
parser.add_argument("ip", help="address to scan")
|
||||
parser.add_argument("--local", action='store_true',
|
||||
help="Run keyscan locally, rather than via ssh")
|
||||
args = parser.parse_args()
|
||||
|
||||
sshfp_print_records(args.hostname, args.ip)
|
||||
sshfp_print_records(args.hostname, args.ip, args.local)
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
|
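Review bot: In the non-local branch of generate_sshfp_records the new `ssh` call sets `StrictHostKeyChecking=no`, so the keys that become SSHFP records are read from a host that was never authenticated; whatever answers on that address at launch time gets its keys published as the trust anchor. The old `ssh-keyscan` path had the same trust-on-first-use property, but it deserves a comment at the `p = ['ssh', ...]` line, for example `# TOFU: host key is not verified here; check the records against the instance console output before publishing`. Separately, `subprocess.run(p, ...)` ignores the exit status and discards stderr, so a failed login appears to produce an empty record set rather than an error; passing `check=True` would make that failure visible. The strict six-field unpack of `line.split(' ')` will also raise ValueError on any extra line the remote side prints on stdout. The body between the two hunks is not shown, so how the fingerprints are formatted into `ret` was not reviewed.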