RFC_6594_SSHFP_DNS_records#

__NOTOC__

#2642 Add support for enhanced SSHFP DNS records per RFC 6594

Overview#

IPA supports automatic update of SSHFP DNS records for managed hosts in the ipa-client-install script and in host-* commands. The support is currently limited to the original SSHFP specification from RFC 4255; SSHFP records generated by IPA contain SHA-1 fingerprints of RSA and DSS host keys.

Recently, RFC 6594 was released. It extends the original SSHFP specification with support for SHA-256 fingerprints and ECDSA host keys.

Add support for RFC 6594 SSHFP records to IPA, generate both SHA-1 and SHA-256 fingerprints for RSA, DSS and ECDSA host keys.

Use Cases#

Automatic generation of SSHFP DNS records on IPA client install:

| ``# ipa-client-install``
| ``Discovery was successful!``
| ``Hostname: host1.example.com``
| ``Realm: EXAMPLE.COM``
| ``DNS Domain: example.com``
| ``IPA Server: ipa.example.com``
| ``BaseDN: dc=example,dc=com``
| ``Continue to configure the system with these values? [no]: yes``
| ``User authorized to enroll computers: admin``
| ``Synchronizing time with KDC...``
| ``Password for admin@EXAMPLE.COM: ``
| ``Enrolled in IPA realm EXAMPLE.COM``
| ``Created /etc/ipa/default.conf``
| ``New SSSD config will be created``
| ``Configured /etc/sssd/sssd.conf``
| ``Configured /etc/krb5.conf for IPA realm EXAMPLE.COM``
| ``trying ``\ ```https://ipa.example.com/ipa/xml`` <https://ipa.example.com/ipa/xml>`__
| ``Hostname (host1.example.com) not found in DNS``
| ``DNS server record set to: host1.example.com -> 192.168.1.1``
| ``Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub``
| ``Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub``
| ``Forwarding 'host_mod' to server u'``\ ```https://ipa.example.com/ipa/xml`` <https://ipa.example.com/ipa/xml>`__\ ``'``
| ``SSSD enabled``
| ``Configured /etc/openldap/ldap.conf``
| ``NTP enabled``
| ``Configured /etc/ssh/ssh_config``
| ``Configured /etc/ssh/sshd_config``
| ``Client configuration complete.``
$ dig host1.example.com SSHFP +short
2 2 0E04A7E09D037934492108ED5590612416BE736AD1BCAEAE1EA4148E 80C956E2
2 1 F2A1353FF919AD785B6BD42B588F6236D1F67459
1 2 3E475EEAF17975C36EE1413DDD659275FDD19C97C2C74A3651BA12F7 52E12A18
1 1 A308B1B02A8B43CB5192E26FA50280F752BB3A14

Automatic generation of SSHFP DNS records when modifying a host:

$ ipa host-mod host2.example.com --updatedns --sshpubkey='ssh-rsa ``\ ``' --sshpubkey='ssh-dss ``\ ``' --sshpubkey='ecdsa-sha2-nistp256 ``\ ``'
---------------------------------------------
Modified host "host2.example.com"
---------------------------------------------
``  Host name: host2.example.com``
``  Principal name: host/host2.example.com@EXAMPLE.COM``
``  MAC address: 00:11:22:33:44:55``
``  SSH public key: ecdsa-sha2-nistp256 \ ``,
``                  ssh-dss \ ``,
``                  ssh-rsa ``
``  Keytab: True``
``  Managed by: host2.example.com``
``  SSH public key fingerprint: 6C:9F:07:51:63:36:32:8B:ED:CF:8C:4C:5F:F2:BF:AE (ecdsa-sha2-nistp256),``
``                              07:5D:0D:55:64:62:A3:FE:02:AE:FC:CD:F6:ED:E1:D9 (ssh-dss),``
``                              8C:C3:27:A8:40:9F:80:01:61:99:D2:25:55:A3:52:30 (ssh-rsa)``
$ dig host2.example.com SSHFP +short
2 2 43FFD792089442F08892CA753059FD8B7FA939E990CE4687A3D1FB75 E0B8F6DE
2 1 4C2C50EDEAE6BC6107A37EAE7A05694C15CFEC53
3 1 B1D733A262E29B44A4D8A9FAF4B3B9E78302D1DB
1 2 E5382308CFD60DE4F0ACF3BCB0366314EECFC71030A28AAF75280041 5FDF81A8
3 2 545055E921E94128AF6BFE68E6E2804333628F7808B8EAE10E297B11 3270862F
1 1 DA7A6687AE4B2C242E12A67DACDC67D26E374AD5

Design#

Implement support for SHA-256 fingerprints and ECDSA keys in SSHFP records in the ipapython.ssh module (add new method fingerprint_dns_sha256).

Extend ipa-client-install and the host plugin to add all types of SSHFP records to DNS.

Implementation#

N/A

Feature Managment#

N/A

Major configuration options and enablement#

N/A

Replication#

N/A

Updates and Upgrades#

N/A

Dependencies#

N/A

External Impact#

N/A

RFE Author#

Jan Cholasta