diff --git a/launch/sshfp.py b/launch/sshfp.py index 7c7d3f0450..2babf7673d 100755 --- a/launch/sshfp.py +++ b/launch/sshfp.py @@ -3,19 +3,32 @@ import argparse import subprocess -def generate_sshfp_records(hostname, ip): +def generate_sshfp_records(hostname, ip, local): '''Given a hostname and and IP address, scan the IP address (hostname not in dns yet) and return a bind string with sshfp records''' - s = subprocess.run(['ssh-keyscan', '-D', ip], + if local: + p = ['ssh-keyscan', '-D', ip] + else: + # Handle being run via sudo which is the usual way + # this is run. + p = ['ssh', '-o', 'StrictHostKeyChecking=no', + '-i', '/root/.ssh/id_rsa', + 'root@%s' % ip, 'ssh-keygen', '-r', ip] + + s = subprocess.run(p, stdout=subprocess.PIPE, stderr=subprocess.PIPE).stdout.decode('utf-8') - fingerprints = [] for line in s.split('\n'): if not line: continue _, _, _, algo, key_type, fingerprint = line.split(' ') + # ssh-keygen on the host seems to return DSS/DSA keys, which + # aren't valid to log in and not shown by ssh-keyscan -D + # ... prune it. + if algo == '2': + continue fingerprints.append( (algo, key_type, fingerprint)) @@ -32,17 +45,19 @@ def generate_sshfp_records(hostname, ip): return ret -def sshfp_print_records(hostname, ip): - print(generate_sshfp_records(hostname, ip)) +def sshfp_print_records(hostname, ip, local=False): + print(generate_sshfp_records(hostname, ip, local)) def main(): parser = argparse.ArgumentParser() parser.add_argument("hostname", help="hostname") parser.add_argument("ip", help="address to scan") + parser.add_argument("--local", action='store_true', + help="Run keyscan locally, rather than via ssh") args = parser.parse_args() - sshfp_print_records(args.hostname, args.ip) + sshfp_print_records(args.hostname, args.ip, args.local) if __name__ == '__main__': main()