phone-home should send full keys, not just fingerprints
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
awstrial | Triaged | Low | Unassigned |
Bug Description
templates/

```sh
hn=$1; set -e; f=$(mktemp); trap "rm -f '$f'" EXIT;
ssh-keyscan -t rsa,dsa localhost 2>/dev/null > "$f"
[ -n "${hn}" ] && sed -i "s,localhost,
ssh-keygen -lf "$f"
```
That final ssh-keygen makes output similar to what you'd see on the ec2 console or when you connect to a new host via 'ssh <hostname>'. It is the host key MD5 fingerprint. It is useful for a human to verify that the node matches when they ssh, but not so useful for automation.
I.e., both paramiko and ssh can't use the md5 fingerprint as is. Instead, you have to have the full output. It would be more useful if the above just ended with:
```sh
cat "$f"
```
The reason I didn't do that initially, is that then the server would have to read that and translate it to show the user something useful.
On the server, the string:
```sh
a='localhost ssh-rsa AAAAB3NzaC1yc2E
```
Can be turned into a fingerprint for display by:
```python
def line2key(line):
    import paramiko, base64
    from binascii import hexlify
    # line is "host ktype base64key", as written by ssh-keyscan
    (host, ktype, key) = line.split()[:3]
    data = base64.b64decode(key)
    if ktype == "ssh-rsa": pkey = paramiko.RSAKey(data=data)
    else: pkey = paramiko.DSSKey(data=data)
    # get_fingerprint() returns the raw 16-byte MD5 of the key blob
    hexstr = hexlify(pkey.get_fingerprint()).decode('ascii')
    fp = ':'.join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))
    print(fp)
    return fp
```
The real benefit of having the whole key is that you could then write a known_hosts file or create a paramiko RSA/DSS Key to connect and verify connection with.
Changed in awstrial:
importance: Undecided → Low
status: New → Triaged
The above suggestion is probably a bit over-engineered. You don't need paramiko. I verified:

```sh
echo "${KEY}" | base64 --decode | md5sum | awk '{print $1}' | sed -e 's,\(..\),\1:,g' -e 's/:$//'
```

gives the same, so no need for paramiko just for this.
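As an added example (not code from the bug report or from awstrial), here is a dependency-free Python version covering both the line2key sketch and the base64/md5sum pipeline: it parses a keyscan line, checks that the declared key type matches the type string embedded in the blob, produces the MD5 colon fingerprint (plus the SHA256 form current OpenSSH prints), and rewrites "localhost" to the real hostname for a known_hosts entry. The sample key blob is constructed from toy RSA parameters and is not a real host key.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    # One spare byte so a value with its top bit set keeps a leading 0x00
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

# Constructed sample (NOT a real host key): an ssh-rsa blob with e=65537 and a
# toy modulus, in the same wire format that ssh-keyscan base64-encodes.
TOY_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567891)
SAMPLE_LINE = "localhost ssh-rsa " + base64.b64encode(TOY_BLOB).decode("ascii")

def parse_keyscan_line(line: str):
    """Return (host, declared_type, blob, embedded_type) for 'host type b64'."""
    host, ktype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen].decode("ascii")
    return host, ktype, blob, embedded

def type_is_consistent(line: str) -> bool:
    """The blob's own type string must agree with the declared one."""
    _, ktype, _, embedded = parse_keyscan_line(line)
    return ktype == embedded

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 hex, the form ssh-keygen -lf printed at the time."""
    hexstr = hashlib.md5(blob).hexdigest()
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))

def sha256_fingerprint(blob: bytes) -> str:
    """SHA256:<unpadded base64>, the form current OpenSSH prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def known_hosts_line(line: str, hostname: str) -> str:
    """What the script's sed step does: swap 'localhost' for the real name."""
    if not type_is_consistent(line):
        raise ValueError("declared key type does not match blob")
    _, ktype, blob, _ = parse_keyscan_line(line)
    return f"{hostname} {ktype} {base64.b64encode(blob).decode('ascii')}"
```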