
T5653: Command to display SSH server public key fingerprints #2363

Merged (6 commits) Oct 16, 2023

Conversation

@JeffWDH (Contributor) commented Oct 13, 2023

Change Summary

As requested in T5653, a command that outputs the fingerprints of the SSH server public keys.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

show ssh fingerprints

Proposed changes

show ssh fingerprints - Lists ssh server fingerprints

How to test

Smoketest result

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro, sever-sever and c-po and removed request for a team October 13, 2023 17:06
@JeffWDH JeffWDH changed the title T5653 - Command to display SSH server public key fingerprints T5653: Command to display SSH server public key fingerprints Oct 13, 2023
src/op_mode/show-ssh-fingerprints.py (review comment, outdated, resolved)
- Switch to vyos.utils.process import cmd
- Changed default to not show ascii representation and added an option to optionally show
Added option to show ascii representation
@JeffWDH (Contributor, Author) commented Oct 14, 2023

Made the following changes:

  • Switched to using vyos.utils.process import cmd
  • Changed the default to not show the ascii representation. There is a suboption "ascii" that will show it.
admin@vyos:~$ show ssh
Possible completions:
  fingerprints          Show SSH server public key fingerprints

admin@vyos:~$ show ssh fingerprints
Possible completions:
  <Enter>               Execute the current command
  ascii                 Show visual ASCII art representation of the public key

admin@vyos:~$ show ssh fingerprints
<output without ascii>

admin@vyos:~$ show ssh fingerprints ascii
<output with ascii>

@c-po (Member) commented Oct 14, 2023

It would be nice if you can squash the commits into one. Otherwise we will do it through the GitHub UI after the second approval and before the merge

@JeffWDH (Contributor, Author) commented Oct 14, 2023

I was using the GitHub web UI to do the commits, I'm not entirely sure how to squash them on my end without pulling out the git CLI tools. If it's acceptable, if it could just get "squash and merged" that would be great.

@c-po (Member) commented Oct 14, 2023

Oh, so this is untested code?

That explains this:

[email protected]:~$ show ssh fingerprints
SSH server public key fingerprints:

1024 SHA256:3crnSWLXw5zEp+d3g5/EkTlUJFgrA6GpceF1n3DL6sk root@debian (DSA)

256 SHA256:1M1UzzIcHKcsaeS0ihyONwWJw1+KNjol57NVA7Ww6es root@debian (ED25519)
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show-ssh-fingerprints.py", line 37, in <module>
    print(cmd("ssh-keygen -l -E sha256 -f " + keyfile) + "\n", flush=True)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 155, in cmd
    raise OSError(code, feedback)
OSError: [Errno 255] failed to run command: ssh-keygen -l -E sha256 -f /etc/ssh/ssh_host_key.pub
returned:
exit code: 255
[email protected]:~$ cat /etc/ssh/ssh_host_key.pub
2048 65537 26266345070040035390075444905797614923232616469258462119813463402614708637722072203026017276977760975575651603166395145349098061718785227465800646199622289377973585749026956792182712381471439548916581452317921548996656398046288571803367366699707045033374668655132681166438693488391283621752410651173809392795002328157251616538104614185023679711706725475757139969085328801659041194054003378895851623113875807759285352108371451242829957805482240239274785180421516981378841482999926203900577702607451027375471170716942461282229881573249920068288226026809236055473584998109342830017739622385909097594899142741609483381531 root@jessiedevel

@JeffWDH (Contributor, Author) commented Oct 14, 2023

> Oh, so this is untested code?
>
> That explains this:

I wouldn't say untested, it works fine on my system... I'll test it against the public key you provided and will see if it acts up on my system as well.

admin@vyos:~$ cat /usr/libexec/vyos/op_mode/show-ssh-fingerprints.py
#!/usr/bin/env python3
#
# Copyright 2017-2023 VyOS maintainers and contributors <[email protected]>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library.  If not, see <http://www.gnu.org/licenses/>.

import sys
import glob
import argparse
from vyos.utils.process import cmd

# Parse command line
parser = argparse.ArgumentParser()
parser.add_argument("--ascii", help="Show visual ASCII art representation of the public key", action="store_true")
args = parser.parse_args()

# Get list of server public keys
publickeys = glob.glob("/etc/ssh/*.pub")

if publickeys:
    print("SSH server public key fingerprints:\n", flush=True)
    for keyfile in publickeys:
        if args.ascii:
            print(cmd("ssh-keygen -l -v -E sha256 -f " + keyfile) + "\n", flush=True)
        else:
            print(cmd("ssh-keygen -l -E sha256 -f " + keyfile) + "\n", flush=True)
else:
    print("No SSH server public keys are found.", flush=True)

sys.exit(0)
admin@vyos:~$

admin@vyos:~$ show ssh fingerprints
SSH server public key fingerprints:

1024 SHA256:EyT+ladQR7yL2uzCi9p7U3CjMmSrL+vpv7bVew3ie0I root@vyos (DSA)

256 SHA256:6hgo7Uhxo6UORWnvhKo9n+0V0ssMTfK96V8dd2dVJV0 root@debian (ECDSA)

3072 SHA256:Dy9PXHuLIy1TB7EnlzorU3Cq3YSNiBja8ICRTMghwxU root@debian (RSA)

256 SHA256:FpsnnJeuqlacYHwC7uz2rVxipG3znDn+Wu1xh7dxQx8 root@debian (ED25519)

admin@vyos:~$

@JeffWDH (Contributor, Author) commented Oct 14, 2023

Weird. ssh-keygen does not like that file:

ssh-keygen -l -E sha256 -f /etc/ssh/test.pub
/etc/ssh/test.pub is not a public key file.

@JeffWDH (Contributor, Author) commented Oct 14, 2023

I've added a try/except so it shouldn't throw an error when running into invalid .pub files now.
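
The traceback c-po posted and the "is not a public key file" message have one cause: `/etc/ssh/*.pub` also matched a leftover protocol-1 host key (the `bits exponent modulus comment` layout shown in his `cat` output), which `ssh-keygen -l` refuses, and the `cmd()` wrapper turns that non-zero exit into an exception that kills the whole listing. As an added example, which is neither the PR's nor VyOS's nor OpenSSH's code, the script below produces the same `ssh-keygen -l -E sha256` line in pure Python (the fingerprint is SHA-256 over the raw key blob, base64 without padding; the size is the curve size or the RSA modulus / DSA prime length) and reports, rather than aborts on, files that are not OpenSSH public keys; it also never passes a filename through a shell. The two keys and the protocol-1 line it writes to a temporary directory are constructed for the demo and are not real host keys, and `KEY_NAMES`, `parse_public_key_line`, `fingerprint_files` and `demo` are names of this example only.

```python
#!/usr/bin/env python3
# Added example, not VyOS or OpenSSH code: `ssh-keygen -l -E sha256` style lines
# computed in pure Python, so a file under /etc/ssh/*.pub that is not an OpenSSH
# public key (the protocol-1 ssh_host_key.pub from the traceback) is reported
# and skipped instead of aborting the whole listing.
import base64
import binascii
import glob
import hashlib
import os
import struct
import tempfile

# wire-format key type -> the name ssh-keygen prints in parentheses
KEY_NAMES = {"ssh-rsa": "RSA", "ssh-dss": "DSA", "ssh-ed25519": "ED25519",
             "ecdsa-sha2-nistp256": "ECDSA", "ecdsa-sha2-nistp384": "ECDSA",
             "ecdsa-sha2-nistp521": "ECDSA"}


def _string(blob, off):
    """Read one RFC 4251 'string' (uint32 big-endian length, then bytes) at offset off."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_bits(ktype, blob):
    """Key size as ssh-keygen -l reports it: curve size, or RSA modulus / DSA prime length."""
    if ktype == "ssh-ed25519":
        return 256
    if ktype.startswith("ecdsa-sha2-nistp"):
        return int(ktype[len("ecdsa-sha2-nistp"):])
    _, off = _string(blob, 0)             # skip the type string
    if ktype == "ssh-rsa":
        _, off = _string(blob, off)       # skip the public exponent e
    modulus, _ = _string(blob, off)       # RSA n or DSA p (mpint, may carry a leading 0x00)
    return int.from_bytes(modulus, "big").bit_length()


def parse_public_key_line(line):
    """Return (bits, 'SHA256:...', comment, NAME) for one OpenSSH public key line, else ValueError."""
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_NAMES:
        # A protocol-1 key reads "bits exponent modulus comment": its first field is a number.
        raise ValueError("not an OpenSSH public key line")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 in key blob: {exc}") from None
    wire_type, _ = _string(blob, 0)
    if wire_type != fields[0].encode("ascii"):
        raise ValueError("key type inside the blob does not match the first field")
    # The fingerprint is SHA-256 over the raw blob, base64 without '=' padding.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    comment = fields[2].strip() if len(fields) == 3 else ""
    return key_bits(fields[0], blob), fp, comment, KEY_NAMES[fields[0]]


def fingerprint_files(directory):
    """Same glob as the op-mode script, but one unreadable or non-key file does not abort it."""
    out = []
    for path in sorted(glob.glob(os.path.join(directory, "*.pub"))):
        try:
            with open(path, encoding="ascii", errors="replace") as f:
                bits, fp, comment, name = parse_public_key_line(f.readline())
            out.append((path, f"{bits} {fp} {comment} ({name})"))
        except (OSError, ValueError) as exc:
            out.append((path, f"skipped: {exc}"))
    return out


# --- constructed sample keys for the demo; not real host keys ---
def _s(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):  # positive mpint: minimal big-endian bytes, leading 0x00 if the top bit is set
    return _s(n.to_bytes(n.bit_length() // 8 + 1, "big"))


ED25519_BLOB = _s(b"ssh-ed25519") + _s(bytes(range(32)))
RSA_BLOB = _s(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 0x10001)
SAMPLES = {
    "ssh_host_ed25519_key.pub": "ssh-ed25519 " + base64.b64encode(ED25519_BLOB).decode() + " root@example\n",
    "ssh_host_rsa_key.pub": "ssh-rsa " + base64.b64encode(RSA_BLOB).decode() + " root@example\n",
    # protocol-1 layout (bits exponent modulus comment) with a short made-up modulus
    "ssh_host_key.pub": "2048 65537 1234567890123456789 root@jessiedevel\n",
}


def demo():
    """Write the samples to a temporary directory and fingerprint it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLES.items():
            with open(os.path.join(tmp, name), "w") as f:
                f.write(text)
        return [(os.path.basename(p), line) for p, line in fingerprint_files(tmp)]


if __name__ == "__main__":
    for name, line in demo():
        print(f"{name}: {line}")
```

Run it and the protocol-1 file comes back as `skipped: not an OpenSSH public key line` while the other two get their normal `bits SHA256:... comment (TYPE)` line. Tightening the glob to `ssh_host_*_key.pub` would avoid the bad file altogether, but per-file error handling is still worth keeping, since a truncated or hand-edited `.pub` fails the same way.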

@c-po (Member) commented Oct 16, 2023

[email protected]:~$ show ssh fingerprints
SSH server public key fingerprints:

1024 SHA256:3crnSWLXw5zEp+d3g5/EkTlUJFgrA6GpceF1n3DL6sk root@debian (DSA)

256 SHA256:1M1UzzIcHKcsaeS0ihyONwWJw1+KNjol57NVA7Ww6es root@debian (ED25519)

256 SHA256:ZNkttl0LN1k85mZoyTgKaYPepoDjd4JaeuP6CuRzLms root@debian (ECDSA)

2048 SHA256:6TU/oexb+FarrkvhnlOo8KOZhJ4nOTIheeMfrFdCvOo root@debian (RSA)

[email protected]:~$ show ssh fingerprints ascii
SSH server public key fingerprints:

1024 SHA256:3crnSWLXw5zEp+d3g5/EkTlUJFgrA6GpceF1n3DL6sk root@debian (DSA)
+---[DSA 1024]----+
|        . +.oo+.o|
|       . = o.= =.|
|      . =   o *. |
|       + . . =. o|
|      . S . o o=.|
|         . + *.+o|
|          = E Oo.|
|         . * o.=+|
|            o .o=|
+----[SHA256]-----+

256 SHA256:1M1UzzIcHKcsaeS0ihyONwWJw1+KNjol57NVA7Ww6es root@debian (ED25519)
+--[ED25519 256]--+
|     . .oo. +o+..|
|      + o*.O =.* |
|       +=++ O * o|
|    . **o+oo . o |
|     B..S...     |
|    o o..o       |
|     . +.        |
|      ..         |
|        E        |
+----[SHA256]-----+

256 SHA256:ZNkttl0LN1k85mZoyTgKaYPepoDjd4JaeuP6CuRzLms root@debian (ECDSA)
+---[ECDSA 256]---+
|               ..|
|         o .   =.|
|      . = + = X .|
|     . B . * O * |
| .. . o S o + +  |
|oo . . o .       |
|oo+.. o          |
|.E*o o           |
|BB*oo            |
+----[SHA256]-----+

2048 SHA256:6TU/oexb+FarrkvhnlOo8KOZhJ4nOTIheeMfrFdCvOo root@debian (RSA)
+---[RSA 2048]----+
|                 |
|                 |
|   .             |
|    o    .       |
| . . .  S +..    |
|o +.o.o. +.*...  |
| + +++.o..*.+. . |
|  =o=+.o++.+...  |
| .E=+++. .BB+.   |
+----[SHA256]-----+

Works for me

@JeffWDH (Contributor, Author) commented Oct 26, 2023

@Mergifyio backport sagitta

@mergify bot (Contributor) commented Oct 26, 2023

backport sagitta

❌ Command disallowed due to command restrictions in the Mergify configuration.

  • sender-permission>=write

@sever-sever (Member) commented

@Mergifyio backport sagitta

@mergify bot (Contributor) commented Oct 26, 2023

backport sagitta

✅ Backports have been created

@sever-sever (Member) commented

@JeffWDH thanks for contribution!
Only maintainers could add backport request.

@JeffWDH (Contributor, Author) commented Oct 26, 2023

> @JeffWDH thanks for contribution! Only maintainers could add backport request.

Mergify put me in my spot pretty quickly for trying 😄 Can I ping you after this gets committed to do the same for #2369?

Thank you.
