SSHFP record creation should scan nonstandard SSH port if necessary (#974)

* sshfp records from nonstandard ports If port 22 is not open, dns_update.py will not create SSHFP records because it only scans port 22 for keys. This commit modifies dns_update.py to parse the sshd_config file for open ports, and then obtains keys from one of them (even if port 22 is not open). * modified test of s per JoshData request * edit CHANGELOG per JoshData * fix typo
2025-10-30 18:50:53 +00:00 · 2016-10-15 14:36:13 -05:00 · 2016-10-15 14:36:13 -05:00 · bbe27df413
commit bbe27df413
parent a658abc95f
2 changed files with 13 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,6 +8,7 @@ Control panel:

 * Remove recommendations for Certificate Providers
 * Status checks failed if the system doesn't support iptables
+* Add support for SSHFP records when sshd listens on non-standard ports

 v0.20 (September 23, 2016)
 --------------------------
--- a/management/dns_update.py
+++ b/management/dns_update.py
@ -348,7 +348,18 @@ def build_sshfp_records():
 	# like the known_hosts file: hostname, keytype, fingerprint. The order
 	# of the output is arbitrary, so sort it to prevent spurrious updates
 	# to the zone file (that trigger bumping the serial number).
-	keys = shell("check_output", ["ssh-keyscan", "localhost"])
+
+	# scan the sshd_config and find the ssh ports (port 22 may be closed)
+	with open('/etc/ssh/sshd_config', 'r') as f:
+		ports = []
+		t = f.readlines()
+		for line in t:
+			s = line.split()
+			if len(s) == 2 and s[0] == 'Port':
+				ports = ports + [s[1]]
+	# the keys are the same at each port, so we only need to get
+	# them at the first port found (may not be port 22)
+	keys = shell("check_output", ["ssh-keyscan", "-p", ports[0], "localhost"])
 	for key in sorted(keys.split("\n")):
 		if key.strip() == "" or key[0] == "#": continue
 		try: