You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org

Help:SSH Fingerprints: Difference between revisions

From Wikitech-static
Jump to navigation Jump to search
imported>Quiddity
(add "New fingerprint pages should be fully-protected.")
imported>Quiddity
(err, replace the whole line. I think that's what he meant (at phab:T174488))
Line 10: Line 10:
<syntaxhighlight lang="bash">for file in /etc/ssh/*_key.pub; do ssh-keygen -lf $file; done</syntaxhighlight>
<syntaxhighlight lang="bash">for file in /etc/ssh/*_key.pub; do ssh-keygen -lf $file; done</syntaxhighlight>


If your client shows the new base64 encoded format by default, use ssh -o FingerprintHash=md5 to compare to the format used here.
To get the ECDSA base64 fingerprint, login to the bastion for the host, then run the following command:
<syntaxhighlight lang="bash">ssh-keyscan -t ecdsa <hostname> 2>/dev/null | awk '{print $3}' | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64</syntaxhighlight>
 
If that doesn't work, you might try using <code>ssh -o FingerprintHash=md5</code> and comparing the MD5 checksum against the fingerprints on subpages here (or the fingerprint derived when attempting to SSH from the bastion host), or try the following Python code.


Remotely (and to format it for these pages), something like this should work:
Remotely (and to format it for these pages), something like this should work:

Revision as of 22:44, 29 August 2017

New fingerprint pages should be fully-protected. Here is a list of all sub-pages:

To find this information, locally you can just run this: 

gen_fingerprints

on any host (from ./modules/base/files/environment/gen_fingerprints), or...: 

for file in /etc/ssh/*_key.pub; do ssh-keygen -lf $file; done

To get the ECDSA base64 fingerprint, login to the bastion for the host, then run the following command: 

ssh-keyscan -t ecdsa <hostname> 2>/dev/null | awk '{print $3}' | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64

If that doesn't work, you might try using ssh -o FingerprintHash=md5 and comparing the MD5 checksum against the fingerprints on subpages here (or the fingerprint derived when attempting to SSH from the bastion host), or try the following Python code.

Remotely (and to format it for these pages), something like this should work: 

#!/usr/bin/python3
import sys
if len(sys.argv) == 0:
	print('Must specify hostname')
	sys.exit(0)
hostname = sys.argv[1]
port = 22
if len(sys.argv) > 2:
	port = sys.argv[2]

import collections, subprocess, tempfile
with tempfile.NamedTemporaryFile() as tf:
	keyscanCommand = 'ssh-keyscan', '-t', 'rsa,ecdsa,ed25519', '-p', str(port), hostname
	subprocess.call(keyscanCommand, stdout = tf.file, stderr = open('/dev/null'))

	fingerprints = collections.defaultdict(list)
	for fingerprintHash in ['md5', 'sha256']:
		keygenCommand = ['ssh-keygen', '-l', '-E', fingerprintHash, '-f', tf.name]
		keygenProcess = subprocess.Popen(keygenCommand, stdout = subprocess.PIPE)
		stdout, stderr = keygenProcess.communicate()
		for line in stdout.decode('ascii').splitlines():
			bitlen, fingerprint, hostname, type = line.split(' ')
			fingerprints[type[1:-1]].append(fingerprint)

	for type, keys in fingerprints.items():
		print(';' + type + ':')
		for key in keys:
			print('* <code>' + key + '</code>')
		print()

Assuming you have OpenSSH 6.8+ (Ubuntu 15.10 provides 6.9). If you don't, you'll need to get rid of the 'sha256' list entry and remove the "'-E', fingerprintHash, ".

Retrieved from "https://wikitech-static.wikimedia.org/w/index.php?title=Help:SSH_Fingerprints&oldid=288138"