launch-node: get sshfp entries from the host

It turns out bionic ssh-keygen doesn't have the "-D" to produce the
sshfp records; switch to logging in and getting these via "ssh-keygen
-r" on the host.

Change-Id: Icb6efd7c4fd9623af24e58c69f8a188a4c1fb4c9
This commit is contained in:
Ian Wienand 2020-08-05 14:36:15 +10:00
parent c20b778cc1
commit e819c26cad

View File

@ -3,19 +3,32 @@
import argparse
import subprocess
def generate_sshfp_records(hostname, ip):
def generate_sshfp_records(hostname, ip, local):
'''Given a hostname and and IP address, scan the IP address (hostname
not in dns yet) and return a bind string with sshfp records'''
s = subprocess.run(['ssh-keyscan', '-D', ip],
if local:
p = ['ssh-keyscan', '-D', ip]
else:
# Handle being run via sudo which is the usual way
# this is run.
p = ['ssh', '-o', 'StrictHostKeyChecking=no',
'-i', '/root/.ssh/id_rsa',
'root@%s' % ip, 'ssh-keygen', '-r', ip]
s = subprocess.run(p,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE).stdout.decode('utf-8')
fingerprints = []
for line in s.split('\n'):
if not line:
continue
_, _, _, algo, key_type, fingerprint = line.split(' ')
# ssh-keygen on the host seems to return DSS/DSA keys, which
# aren't valid to log in and not shown by ssh-keyscan -D
# ... prune it.
if algo == '2':
continue
fingerprints.append(
(algo, key_type, fingerprint))
@ -32,17 +45,19 @@ def generate_sshfp_records(hostname, ip):
return ret
def sshfp_print_records(hostname, ip):
print(generate_sshfp_records(hostname, ip))
def sshfp_print_records(hostname, ip, local=False):
print(generate_sshfp_records(hostname, ip, local))
def main():
parser = argparse.ArgumentParser()
parser.add_argument("hostname", help="hostname")
parser.add_argument("ip", help="address to scan")
parser.add_argument("--local", action='store_true',
help="Run keyscan locally, rather than via ssh")
args = parser.parse_args()
sshfp_print_records(args.hostname, args.ip)
sshfp_print_records(args.hostname, args.ip, args.local)
if __name__ == '__main__':
main()