URL: https://github.com/freeipa/freeipa/pull/385 Author: stlaz Title: #385: Generate sha256 ssh pubkey fingerprints for hosts Action: opened
PR body: """ Replace md5 with sha256 for host ssh pubkey fingerprints. MD5 is disabled in FIPS mode, newer versions of OpenSSH print SHA256 public key fingerprint anyway. https://fedorahosted.org/freeipa/ticket/5695 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/385/head:pr385 git checkout pr385
From 9863d201ca2bb116adfe57e4a83527d663389a57 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka <slazn...@redhat.com> Date: Mon, 12 Dec 2016 16:59:48 +0100 Subject: [PATCH] Generate sha256 ssh pubkey fingerprints for hosts Replace md5 with sha256 for host ssh pubkey fingerprints https://fedorahosted.org/freeipa/ticket/5695 --- ipalib/util.py | 2 +- ipapython/ssh.py | 9 +++++---- ipatests/test_xmlrpc/test_host_plugin.py | 2 +- ipatests/test_xmlrpc/test_idviews_plugin.py | 2 +- ipatests/test_xmlrpc/test_stageuser_plugin.py | 2 +- ipatests/test_xmlrpc/test_user_plugin.py | 2 +- ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 2 +- 7 files changed, 11 insertions(+), 10 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index 1c00cd7..81c0e9e 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -301,7 +301,7 @@ def convert_sshpubkey_post(entry_attrs): except (ValueError, UnicodeDecodeError): continue - fp = pubkey.fingerprint_hex_md5() + fp = pubkey.fingerprint_hex_sha256() comment = pubkey.comment() if comment: fp = u'%s %s' % (fp, comment) diff --git a/ipapython/ssh.py b/ipapython/ssh.py index c76cf51..1e72dd5 100644 --- a/ipapython/ssh.py +++ b/ipapython/ssh.py @@ -190,10 +190,11 @@ def openssh(self): return out - def fingerprint_hex_md5(self): - fp = md5(self._key).hexdigest().upper() - fp = u':'.join([fp[j:j+2] for j in range(0, len(fp), 2)]) - return fp + def fingerprint_hex_sha256(self): + # OpenSSH trims the trailing '=' of base64 sha256 FP representation + # Using unicode argument converts the result to unicode object + fp = base64.b64encode(sha256(self._key).digest()).rstrip(u'=') + return 'SHA256:{fp}'.format(fp=fp) def _fingerprint_dns(self, fpfunc, fptype): if self._keytype == 'ssh-rsa': diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py index b36c6b8..35a8401 100644 --- a/ipatests/test_xmlrpc/test_host_plugin.py +++ b/ipatests/test_xmlrpc/test_host_plugin.py 
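Review bot: `base64.b64encode()` returns bytes on Python 3, so `.rstrip(u'=')` in the new `fingerprint_hex_sha256` raises TypeError there; strip with a bytes argument and decode explicitly so the return type is unicode on both interpreters, e.g. `fp = base64.b64encode(sha256(self._key).digest()).rstrip(b'=')` followed by `return u'SHA256:{fp}'.format(fp=fp.decode('ascii'))`. The comment's claim that the unicode argument converts the result holds only on Python 2, and even there the byte-string format `'SHA256:{fp}'` yields `str`, not the unicode the removed `fingerprint_hex_md5` returned via `u':'.join(...)`, so callers that relied on a unicode return see a type change. The digest is exactly 32 bytes, so its base64 form always ends in a single '=' and the strip itself is safe. This hunk does not touch imports, so it presumes `sha256` and `base64` are already imported in ipapython/ssh.py; it is also worth confirming that no other caller of the removed `fingerprint_hex_md5` remains, since the method is deleted rather than deprecated.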
@@ -84,7 +84,7 @@ ipv6_fromip_ptr_dn = DN(('idnsname', ipv6_fromip_ptr), revipv6zone_dn) sshpubkey = u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6XHBUAikXPGMzEpVrlLDCZtv00djsFTBi38PkgxBJVkgRWMrcBsr/35lq7P6w8KGIwA8GI48Z0qBS2NBMJ2u9WQ2hjLN6GdMlo77O0uJY3251p12pCVIS/bHRSq8kHO2No8g7KA9fGGcagPfQH+ee3t7HUkpbQkFTmbPPN++r3V8oVUk5LxbryB3UIIVzNmcSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM019Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF0L public key test' -sshpubkeyfp = u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B public key test (ssh-rsa)' +sshpubkeyfp = u'cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE public key test (ssh-rsa)' user1 = u'tuser1' user2 = u'tuser2' diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py index b1bb5ab..13e8862 100644 --- a/ipatests/test_xmlrpc/test_idviews_plugin.py +++ b/ipatests/test_xmlrpc/test_idviews_plugin.py @@ -66,7 +66,7 @@ 'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01' '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF' '0L public key test') -sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B ' +sshpubkeyfp = (u'cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE ' 'public key test (ssh-rsa)') diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py index 4a859e8..89ffc1a 100644 --- a/ipatests/test_xmlrpc/test_stageuser_plugin.py +++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py @@ -40,7 +40,7 @@ 'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01' '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF' '0L public key test') -sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B ' +sshpubkeyfp = (u'cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE ' 'public key test (ssh-rsa)') options_def = OrderedDict([ 
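Review bot: The updated `sshpubkeyfp` fixture omits the `SHA256:` prefix that the new `fingerprint_hex_sha256` prepends via `return 'SHA256:{fp}'.format(fp=fp)`, so the expected value disagrees with what `convert_sshpubkey_post` now produces unless the prefix is stripped somewhere outside these hunks; the expectation should read `u'SHA256:cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE public key test (ssh-rsa)'`. The same mismatch is present in the identical fixtures in test_idviews_plugin.py, test_stageuser_plugin.py, test_user_plugin.py and tracker/stageuser_plugin.py. Either all five fixtures or the return value in ssh.py must change so the two agree; keeping the prefix is preferable because it matches the `ssh-keygen -l` output format and makes the hash algorithm self-describing to anyone comparing fingerprints by hand. The surrounding fixture blocks and the `(ssh-rsa)` suffix logic live outside the hunk, so the exact final string should be confirmed against the test run.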
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 7508578..8f1ff38 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -55,7 +55,7 @@ 'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01' '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF' '0L public key test') -sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B ' +sshpubkeyfp = (u'cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE ' 'public key test (ssh-rsa)') validlanguages = { diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py index 82d7e06..3b05460 100644 --- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py +++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py @@ -24,7 +24,7 @@ 'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01' '9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF' '0L public key test') -sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B ' +sshpubkeyfp = (u'cStA9o5TRSARbeketEOooMUMSWRSsArIAXloBZ4vNsE ' 'public key test (ssh-rsa)')