phone-home should send full keys, not just fingerprints

Bug #654941 reported by Scott Moser on 2010-10-05
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
awstrial
Low
Unassigned

Bug Description

templates/cloud-init/phone-home currently does:

hn=$1; set -e; f=$(mktemp); trap "rm -f '$f'" EXIT;
ssh-keyscan -t rsa,dsa localhost 2>/dev/null > "$f"
[ -n "${hn}" ] && sed -i "s,localhost,${hn}," "$f"
ssh-keygen -lf "$f"

That final ssh-keygen makes output similar to what you'd see on the ec2 console or when you connect to a new host via 'ssh <hostname>'. It is the host key MD5 fingerprint. It is useful for a human to verify that the node matches when they ssh, but not so useful for automation.

Ie, both paramiko and ssh can't use the md5 fingerprint as is. Instead, you have to have the full output. It would be more useful if the above just ended with:
  cat "$f"

The reason I didn't do that initially, is that then the server would have to read that and translate it to show the user something useful.

On the server, the string:
a='localhost ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1ejjTOFgo1DAmMfbk+G8Qrs3rk4ovvBelcoRslD94WY8Wyh1U44rSvFY6yE6cglIzCDP9SVF5HcmJEaaXSbkzYz9hSP1pJ9dtetWnHFfcvi8acVJEMRmT8x7PHyfhOwcXLTuglViTJM+hrnHFq8dvDAuLGCG5NMvOqK8LwQQPLE6Oqlm/7yl2ahh/Tmi3FbgHBYdDcv4CQxPQ240JrCoJSvnIbEzWNxxPUBwKuCo9iSOGkk+vDxISFo/qAzdI+t+GGOYq2py4KKeSmoIwecoBOUmY6JCRCJ7fHb26Gl8lH9oSx7g14bwdToCarJi7T2RiE5E+MbrGczl0WgTcwlIfQ=='

Can be turned into a fingerprint for display by:

def line2key(line):
   import paramiko, base64
   from binascii import hexlify
   (host,ktype,key)=line.split()
   if ktype == "ssh-rsa": pkey=paramiko.RSAKey(data=base64.decodestring(key))
   else: pkey=paramiko.DSSKey(data=base64.decodestring(key))
   hexstr = hexlify(pkey.get_fingerprint())
   fp = ':'.join(hexstr[i:i+2] for i in range(0, len(hexstr), 2))
   print fp

The real benefit of having the whole key is that you could then write a known_hosts file or create a paramiko RSA/DSS Key to connect and verify connection with.

Scott Moser (smoser) wrote :

The above suggestion is probably a bit over engineered. you don't need paramiko. I verified :

echo "${KEY}" | base64 --decode | md5sum | awk '{print $1}' | sed -e 's,\(..\),\1:,g' -e 's/:$//'

gives the same. so no need for paramiko just for this.

Scott Moser (smoser) on 2010-10-05
Changed in awstrial:
importance: Undecided → Low
status: New → Triaged
Bob Van Zant (bobveznat) wrote :

I'm pretty sure this is now fixed.

cloud-init/write-ssh-key-fingerprints now dumps the entire set of host public keys into the EC2 console log.

Scott Moser (smoser) wrote :

well, this bug is with regard to the fingerprint that is sent back to the awstrial server for the instance. it was just sending home the hash of the key, rather than just the full fingerprint.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers