Difference between revisions of "Help:SSH Fingerprints"

From Wikitech-static
imported>Krinkle
imported>Legoktm
(→Collecting or updating fingerprints: you can also use config-master)
 
(One intermediate revision by one other user not shown)
Latest revision as of 01:45, 17 December 2020

SSH fingerprints of host keys for Wikimedia bastion servers in the production, Cloud VPS, and Toolforge environments. These can be used to validate the authenticity of keys offered by hosts when attempting to connect for the first time or if the key has changed due to a full reimaging of the server.

Note to maintainers: new fingerprint pages should be fully protected when created, to prevent tampering.

Fingerprints

Collecting or updating fingerprints

You can download known_hosts files covering the entire Wikimedia cluster from https://config-master.wikimedia.org/, which is publicly reachable. Note that the command below replaces your whole ~/.ssh/known_hosts with the downloaded file; if you already have entries you want to keep, save it to a separate file instead (for example ~/.ssh/known_hosts.wmf) and point ssh at it with -o UserKnownHostsFile=~/.ssh/known_hosts.wmf, or merge the two files. Your trust in the downloaded keys rests entirely on the TLS certificate presented by config-master.wikimedia.org, so always fetch it over HTTPS as shown.

curl "https://config-master.wikimedia.org/known_hosts.ecdsa" -o ~/.ssh/known_hosts
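A merge step for the file fetched above, as an added example (not part of the original page or of Wikimedia's tooling): it keeps your existing known_hosts entries and refuses to replace a key it already has for a host, which is exactly the case (a reimaged server, or something worse) that a fingerprint check is meant to catch. The sample file contents, host names and the script name in the usage note are constructed.

```python
#!/usr/bin/env python3
"""Merge a downloaded known_hosts file into a local one instead of overwriting it.

Added example, not code from the original page or from Wikimedia's tooling.
The sample file contents below are constructed: the key blobs are placeholders,
not real host keys.
"""
import sys


def parse_known_hosts(text):
    """Return {(host, keytype): key} for each plain entry in known_hosts text.

    Hashed entries (|1|salt|hash) stay keyed by their opaque pattern, so they
    never collide with a plain hostname and are left alone. Lines carrying a
    @cert-authority or @revoked marker are not plain trusted keys, so they are
    skipped rather than treated as trust for that host.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; ssh ignores it as well
        hosts, keytype, key = fields[0], fields[1], fields[2]
        for host in hosts.split(","):  # one line may list several host patterns
            entries[(host, keytype)] = key
    return entries


def merge_known_hosts(local_text, downloaded_text):
    """Return (additions, conflicts).

    additions: known_hosts lines present in the download but not locally.
    conflicts: (host, keytype, local_key, downloaded_key) where the local file
    already trusts a *different* key for that host and key type. Those are never
    applied automatically; a human must confirm the host was really reimaged.
    """
    local = parse_known_hosts(local_text)
    additions, conflicts = [], []
    for (host, keytype), key in parse_known_hosts(downloaded_text).items():
        existing = local.get((host, keytype))
        if existing is None:
            additions.append("%s %s %s" % (host, keytype, key))
        elif existing != key:
            conflicts.append((host, keytype, existing, key))
    return additions, conflicts


def merge_files(local_path, downloaded_path):
    """Append new entries to local_path; on any conflict write nothing and return False."""
    with open(downloaded_path) as f:
        downloaded = f.read()
    try:
        with open(local_path) as f:
            local = f.read()
    except FileNotFoundError:
        local = ""
    additions, conflicts = merge_known_hosts(local, downloaded)
    for host, keytype, old, new in conflicts:
        print("CONFLICT %s (%s): local key %s... differs from downloaded %s..."
              % (host, keytype, old[:12], new[:12]), file=sys.stderr)
    if conflicts:
        return False
    if additions:
        with open(local_path, "a") as f:
            f.write("\n".join(additions) + "\n")
    return True


# Constructed sample data (placeholder key blobs, not real keys).
LOCAL_SAMPLE = """\
bast.example.org ecdsa-sha2-nistp256 AAAAlocalKeyOne
other.example.org ssh-ed25519 AAAAlocalKeyTwo
"""
DOWNLOADED_SAMPLE = """\
bast.example.org ecdsa-sha2-nistp256 AAAAlocalKeyOne
new.example.org,new ecdsa-sha2-nistp256 AAAAnewKey
other.example.org ssh-ed25519 AAAAdifferentKey
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        sys.exit(0 if merge_files(sys.argv[1], sys.argv[2]) else 1)
    additions, conflicts = merge_known_hosts(LOCAL_SAMPLE, DOWNLOADED_SAMPLE)
    print("would append:", additions)
    print("conflicts:", conflicts)
```

With real files (script name assumed): fetch to a side file with `curl -o ~/.ssh/known_hosts.wmf https://config-master.wikimedia.org/known_hosts.ecdsa` and run `python3 merge_known_hosts.py ~/.ssh/known_hosts ~/.ssh/known_hosts.wmf`; a non-zero exit means a host you already trust is being offered a different key, and you should compare fingerprints on the subpages here before changing anything.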

From within the Wikimedia networks

From a host inside the Wikimedia networks, you can just run:

gen_fingerprints

on any host (the script is installed from ./modules/base/files/environment/gen_fingerprints), or:

for file in /etc/ssh/*_key.pub; do ssh-keygen -lf "$file"; done

To get the SHA256 fingerprint of a host's ECDSA key in the base64 form that ssh itself prints, log in to the bastion for that host and run the following command. It takes the base64 key blob (third field) from the ssh-keyscan line, decodes it, hashes it with SHA-256 and base64-encodes the digest; the only difference from what ssh shows is a trailing "=" padding character, which ssh omits:

ssh-keyscan -t ecdsa <hostname> 2>/dev/null | awk '{print $3}' | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64

If that doesn't work, you might try using ssh -o FingerprintHash=md5 and comparing the MD5 checksum against the fingerprints on subpages here (or the fingerprint derived when attempting to SSH from the bastion host), or try the following Python code.
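What the pipeline above computes, together with the MD5 variant mentioned in the previous paragraph, as an added example in Python (not code from the original page): it base64-decodes the key blob from an ssh-keyscan or known_hosts line, hashes it, and prints the result in the format ssh-keygen -l uses (SHA256 as base64 without padding, MD5 as colon-separated hex). It also checks that the key type embedded at the start of the blob matches the type declared on the line, which catches a mis-pasted or tampered entry. The host name and the key in the sample line are constructed.

```python
#!/usr/bin/env python3
"""Compute OpenSSH-style host key fingerprints from ssh-keyscan output.

Added example, not code from the original page. It does offline what the
shell pipeline on this page does (decode blob, hash, re-encode) for both the
SHA256 and MD5 forms, plus a type sanity check. The sample key is constructed.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as 'ssh-keygen -l -E sha256' prints it: base64, no '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """MD5 fingerprint as 'ssh-keygen -l -E md5' prints it: colon-separated hex bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def blob_key_type(blob: bytes) -> str:
    """Return the key type string that every OpenSSH public key blob starts with."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + length:
        raise ValueError("truncated key blob")
    return blob[4:4 + length].decode("ascii")


def parse_keyscan_line(line: str) -> dict:
    """Parse one 'host keytype base64blob' line from ssh-keyscan or a known_hosts file.

    Raises ValueError if the line is malformed or if the type embedded in the
    blob does not match the declared type (a mis-pasted or tampered entry).
    """
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected 'host keytype base64': %r" % line)
    host, declared_type, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    embedded_type = blob_key_type(blob)
    if embedded_type != declared_type:
        raise ValueError("line declares %s but blob says %s" % (declared_type, embedded_type))
    return {
        "host": host,
        "type": declared_type,
        "sha256": fingerprint_sha256(blob),
        "md5": fingerprint_md5(blob),
    }


# Constructed sample: an ed25519 public key blob whose 32-byte point is all zeros.
# Real ssh-keyscan output has exactly this shape, with a real key in place of the zeros.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_LINE = "bast.example.org ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")

if __name__ == "__main__":
    info = parse_keyscan_line(SAMPLE_LINE)
    # Same wiki list format the subpages use.
    print(";%s:" % info["type"])
    print("* <code>%s</code>" % info["sha256"])
    print("* <code>%s</code>" % info["md5"])
```

To use it on real output, pipe ssh-keyscan into it one line at a time (for example `ssh-keyscan -t ecdsa <hostname> 2>/dev/null`) from a host whose network path to the target you trust; the fingerprint of a blob obtained over an untrusted path proves nothing, which is why the page has you run ssh-keyscan from the bastion.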

From a remote host

Remotely (and to format it for these pages), something like this should work:

#!/usr/bin/python3
# Fetch a host's RSA, ECDSA and ed25519 host keys with ssh-keyscan and print
# their MD5 and SHA256 fingerprints in the wiki list format used on the subpages.
import collections
import os
import subprocess
import sys
import tempfile

if len(sys.argv) < 2:
    print('Must specify hostname', file=sys.stderr)
    sys.exit(1)
hostname = sys.argv[1]
port = 22
if len(sys.argv) > 2:
    port = int(sys.argv[2])

with tempfile.NamedTemporaryFile() as tf:
    # ssh-keyscan writes known_hosts-format lines straight into the temp file.
    keyscanCommand = ['ssh-keyscan', '-t', 'rsa,ecdsa,ed25519', '-p', str(port), hostname]
    subprocess.call(keyscanCommand, stdout=tf, stderr=subprocess.DEVNULL)
    if os.path.getsize(tf.name) == 0:
        print('No host keys received from ' + hostname, file=sys.stderr)
        sys.exit(1)

    fingerprints = collections.defaultdict(list)
    for fingerprintHash in ['md5', 'sha256']:
        # ssh-keygen -l prints one line per key: "<bits> <fingerprint> <host> (<TYPE>)"
        keygenCommand = ['ssh-keygen', '-l', '-E', fingerprintHash, '-f', tf.name]
        keygenProcess = subprocess.Popen(keygenCommand, stdout=subprocess.PIPE)
        stdout, _ = keygenProcess.communicate()
        for line in stdout.decode('ascii').splitlines():
            bitlen, fingerprint, host, keytype = line.split()
            fingerprints[keytype.strip('()')].append(fingerprint)

    for keytype, keys in fingerprints.items():
        print(';' + keytype + ':')
        for key in keys:
            print('* <code>' + key + '</code>')
        print()

This assumes OpenSSH 6.8 or newer (Ubuntu 15.10 ships 6.9), the release in which ssh-keygen gained the -E option and SHA256 fingerprints. On older versions, drop 'sha256' from the list and remove the '-E', fingerprintHash arguments from keygenCommand; ssh-keygen will then print only MD5 fingerprints.