From bbe27df413c64ae0be3585263c7edee0b1511294 Mon Sep 17 00:00:00 2001
From: rxcomm
Date: Sat, 15 Oct 2016 14:36:13 -0500
Subject: [PATCH] SSHFP record creation should scan nonstandard SSH port if necessary (#974)

* sshfp records from nonstandard ports

If port 22 is not open, dns_update.py will not create SSHFP records because it only scans port 22 for keys. This commit modifies dns_update.py to parse the sshd_config file for open ports, and then obtains keys from one of them (even if port 22 is not open).

* modified test of s per JoshData request

* edit CHANGELOG per JoshData

* fix typo
---
 CHANGELOG.md | 1 +
 management/dns_update.py | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d1750be0..1dccf38c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ Control panel:
 
 * Remove recommendations for Certificate Providers
 * Status checks failed if the system doesn't support iptables
+* Add support for SSHFP records when sshd listens on non-standard ports
 
 v0.20 (September 23, 2016)
 --------------------------
diff --git a/management/dns_update.py b/management/dns_update.py
index d7bbdfd0..784a5b08 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -348,7 +348,18 @@ def build_sshfp_records():
 	# like the known_hosts file: hostname, keytype, fingerprint. The order
 	# of the output is arbitrary, so sort it to prevent spurrious updates
 	# to the zone file (that trigger bumping the serial number).
-	keys = shell("check_output", ["ssh-keyscan", "localhost"])
+
+	# scan the sshd_config and find the ssh ports (port 22 may be closed)
+	with open('/etc/ssh/sshd_config', 'r') as f:
+		ports = []
+		t = f.readlines()
+		for line in t:
+			s = line.split()
+			if len(s) == 2 and s[0] == 'Port':
+				ports = ports + [s[1]]
+	# the keys are the same at each port, so we only need to get
+	# them at the first port found (may not be port 22)
+	keys = shell("check_output", ["ssh-keyscan", "-p", ports[0], "localhost"])
 	for key in sorted(keys.split("\n")):
 		if key.strip() == "" or key[0] == "#": continue
 		try:
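Review bot: `ports[0]` on the new `keys = shell(...)` line raises IndexError when sshd_config contains no uncommented `Port` directive, which is what a stock config with `#Port 22` looks like, so the whole DNS update aborts on a host the old code handled; sshd listens on 22 in that case, so fall back to `["22"]` when the scan finds nothing. sshd_config keywords are case-insensitive, so the match should be `s[0].lower() == 'port'`, and the value is passed to ssh-keyscan as a list argument, which is fine (no shell involved). Minor style points in the same hunk: initialise `ports` before the `with`, iterate the file object directly instead of `readlines()`, and `append` rather than rebuild the list. A `ListenAddress host:port` line also selects a listening port and is not seen by this parser; if that is deliberately out of scope, say so in the comment. build_sshfp_records() begins before and continues after the hunk.
```python
	# scan the sshd_config and find the ssh ports (port 22 may be closed)
	ports = []
	with open('/etc/ssh/sshd_config', 'r') as f:
		for line in f:
			s = line.split()
			# sshd_config keywords are case-insensitive; arguments are not
			if len(s) == 2 and s[0].lower() == 'port':
				ports.append(s[1])
	# sshd listens on 22 when no Port directive is set (a stock config leaves it commented out)
	if not ports:
		ports = ["22"]
	# … unchanged: comment and ssh-keyscan call using ports[0] …
```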