From: Peter Palfrader
Date: Thu, 1 Mar 2018 19:46:28 +0000 (+0100)
Subject: Also export a host's SSHFP records to additional dns names (sshfpHostname)
X-Git-Tag: userdir-ldap-0.3.93~20
X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=commitdiff_plain;h=fffbc0de74993899aadaa874539483810f83f4f2
Also export a host's SSHFP records to additional dns names (sshfpHostname)
---
diff --git a/ud-generate b/ud-generate
index 22eda37..cf49f0f 100755
--- a/ud-generate
+++ b/ud-generate
@@ -904,21 +904,33 @@ def ExtractDNSInfo(x):
    Algorithm = None
+   ssh_hostnames = [ hostname ]
+   if x[1].has_key("sshfpHostname"):
+      ssh_hostnames += [ h for h in x[1]["sshfpHostname"] ]
+
    if 'sshRSAHostKey' in x[1]:
       for I in x[1]["sshRSAHostKey"]:
          Split = I.split()
-         if Split[0] == 'ssh-rsa':
+         key_prefix = Split[0]
+         key = base64.decodestring(Split[1])
+
+         # RFC4255
+         # https://www.iana.org/assignments/dns-sshfp-rr-parameters/dns-sshfp-rr-parameters.xhtml
+         if key_prefix == 'ssh-rsa':
             Algorithm = 1
-         if Split[0] == 'ssh-dss':
+         if key_prefix == 'ssh-dss':
             Algorithm = 2
-         if Split[0] == 'ssh-ed25519':
+         if key_prefix == 'ssh-ed25519':
             Algorithm = 4
          if Algorithm == None:
             continue
-         Fingerprint = hashlib.new('sha1', base64.decodestring(Split[1])).hexdigest()
-         DNSInfo.append("%s.\t%sIN\tSSHFP\t%u 1 %s" % (hostname, TTLprefix, Algorithm, Fingerprint))
-         Fingerprint = hashlib.new('sha256', base64.decodestring(Split[1])).hexdigest()
-         DNSInfo.append("%s.\t%sIN\tSSHFP\t%u 2 %s" % (hostname, TTLprefix, Algorithm, Fingerprint))
+         # and more from the registry
+         sshfp_digest_codepoints = [ (1, 'sha1'), (2, 'sha256') ]
+
+         fingerprints = [ ( digest_codepoint, hashlib.new(algorithm, key).hexdigest() ) for digest_codepoint, algorithm in sshfp_digest_codepoints ]
+         for h in ssh_hostnames:
+            for digest_codepoint, fingerprint in fingerprints:
+               DNSInfo.append("%s.\t%sIN\tSSHFP\t%u %d %s" % (h, TTLprefix, Algorithm, digest_codepoint, fingerprint))
    if 'architecture' in x[1]:
       Arch = GetAttr(x, "architecture")
@@ -1154,7 +1166,8 @@ def get_hosts(ldap_conn):
    # Fetch all the hosts
    HostAttrs = ldap_conn.search_s(HostBaseDn, ldap.SCOPE_ONELEVEL, "objectClass=debianServer",\
                ["hostname", "sshRSAHostKey", "purpose", "allowedGroups", "exportOptions",\
-                "mXRecord", "ipHostNumber", "dnsTTL", "machine", "architecture"])
+                "mXRecord", "ipHostNumber", "dnsTTL", "machine", "architecture",
+                "sshfpHostname"])
    if HostAttrs == None:
       raise UDEmptyList, "No Hosts"
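Review bot: `Algorithm` is reset to `None` only once, before the `for I in x[1]["sshRSAHostKey"]` loop, so a key whose prefix is none of `ssh-rsa`, `ssh-dss` or `ssh-ed25519` (an `ecdsa-sha2-*` key, for instance) inherits the `Algorithm` of the preceding key and its fingerprints are published under the wrong algorithm number for every name in `ssh_hostnames`; the restructured loop keeps that pre-existing behaviour. Replacing the three `if key_prefix == …` statements with a per-key lookup, `Algorithm = {'ssh-rsa': 1, 'ssh-dss': 2, 'ssh-ed25519': 4}.get(key_prefix)`, resets it for each key and makes the `if Algorithm == None: continue` guard do what it reads as. The new `sshfpHostname` values are interpolated into the zone line as-is, so a value with a trailing dot or embedded whitespace yields a malformed record; a `strip()` and a sanity check on `h` before the `DNSInfo.append(...)` would be worth adding. Minor style points: `x[1].has_key("sshfpHostname")` sits directly above `'sshRSAHostKey' in x[1]`, and `[ h for h in x[1]["sshfpHostname"] ]` is just `list(x[1]["sshfpHostname"])`. ExtractDNSInfo begins and ends outside this hunk.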