
Help:SSH Fingerprints: Difference between revisions

imported>Dzahn
m (info about gen_fingerprints that is meanwhile installed everywhere)
imported>Quiddity
(add "New fingerprint pages should be fully-protected.")
Line 1: Line 1:
New fingerprint pages should be fully-protected. Here is a list of all sub-pages:
{{Special:PrefixIndex/{{FULLPAGENAME}}/}}
{{Special:PrefixIndex/{{FULLPAGENAME}}/}}



Revision as of 17:33, 19 July 2017

New fingerprint pages should be fully-protected. Here is a list of all sub-pages:

To find this information locally, you can run:

gen_fingerprints

on any host (from ./modules/base/files/environment/gen_fingerprints), or:

for file in /etc/ssh/*_key.pub; do ssh-keygen -lf "$file"; done

If your client shows the new base64-encoded format by default, use ssh -o FingerprintHash=md5 to compare against the format used here.
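How the two formats relate, as an added example that is not part of the original page: both are hashes of the same decoded key blob, printed as colon-separated hex (MD5) or unpadded base64 (SHA256). The function names and the sample key line are constructed for illustration.

```python
import base64
import hashlib
import struct

def ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte length + data)."""
    return struct.pack('>I', len(data)) + data

def parse_key(line):
    """Return (key type, raw blob) from a '*_key.pub' or ssh-keyscan line."""
    fields = line.split()
    for i in (0, 1):  # 'type blob [comment]' or 'host type blob'
        if len(fields) < i + 2:
            break
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:  # not base64, so this field is not the blob
            continue
        if len(blob) < 4:
            continue
        (n,) = struct.unpack('>I', blob[:4])
        # The blob starts with its own type name; it must match the text field
        if blob[4:4 + n] == fields[i].encode('ascii'):
            return fields[i], blob
    raise ValueError('no consistent key type and blob found')

def fingerprints(line):
    """Compute both fingerprint formats in the form ssh-keygen -l -E prints."""
    key_type, blob = parse_key(line)
    md5 = hashlib.md5(blob).digest()
    sha256 = hashlib.sha256(blob).digest()
    return {
        'type': key_type,
        'md5': 'MD5:' + ':'.join('%02x' % b for b in md5),
        'sha256': 'SHA256:' + base64.b64encode(sha256).decode('ascii').rstrip('='),
    }

# Constructed sample: a well-formed ed25519 blob with dummy key bytes, not a real host key
SAMPLE_BLOB = ssh_string(b'ssh-ed25519') + ssh_string(bytes(range(32)))
SAMPLE_LINE = 'ssh-ed25519 %s constructed@example' % base64.b64encode(SAMPLE_BLOB).decode('ascii')

if __name__ == '__main__':
    for name, value in fingerprints(SAMPLE_LINE).items():
        print(name, value)
```

A line whose declared type does not match the type embedded in the blob is rejected with ValueError instead of being fingerprinted.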

Remotely (and to format it for these pages), something like this should work:

#!/usr/bin/python3
import collections
import subprocess
import sys
import tempfile

# sys.argv[0] is the script name, so a hostname is present only from length 2
if len(sys.argv) < 2:
    print('Must specify hostname')
    sys.exit(1)
hostname = sys.argv[1]
port = 22
if len(sys.argv) > 2:
    port = sys.argv[2]

with tempfile.NamedTemporaryFile() as tf:
    # Collect the host's public keys into a temporary file
    keyscanCommand = ['ssh-keyscan', '-t', 'rsa,ecdsa,ed25519', '-p', str(port), hostname]
    subprocess.call(keyscanCommand, stdout = tf.file, stderr = subprocess.DEVNULL)

    fingerprints = collections.defaultdict(list)
    for fingerprintHash in ['md5', 'sha256']:
        keygenCommand = ['ssh-keygen', '-l', '-E', fingerprintHash, '-f', tf.name]
        keygenProcess = subprocess.Popen(keygenCommand, stdout = subprocess.PIPE)
        stdout, stderr = keygenProcess.communicate()
        for line in stdout.decode('ascii').splitlines():
            # Each line reads: <bits> <fingerprint> <host> (<TYPE>)
            bitlen, fingerprint, keyHost, keyType = line.split(' ')
            fingerprints[keyType[1:-1]].append(fingerprint)

    # Print wiki markup: one definition term per key type, one bullet per fingerprint
    for keyType, keys in fingerprints.items():
        print(';' + keyType + ':')
        for key in keys:
            print('* <code>' + key + '</code>')
        print()

This assumes you have OpenSSH 6.8+ (Ubuntu 15.10 provides 6.9). If you don't, you'll need to remove the 'sha256' list entry and the "'-E', fingerprintHash, " arguments.