[Freeipa-devel] RFC 6594 DNS SSHFP records design doc
Jan Cholasta
jcholast at redhat.com
Wed Jan 9 16:21:47 UTC 2013
Hi,
you can find the design doc at
<http://freeipa.org/page/V3/RFC_6594_SSHFP_DNS_records>. It's also
inlined below.
Honza
= Overview =
IPA supports automatic update of SSHFP DNS records for managed hosts in
the <tt>ipa-client-install</tt> script and in <tt>host-*</tt> commands.
The support is currently limited to the original SSHFP specification
from RFC 4255; SSHFP records generated by IPA contain SHA-1 fingerprints
of RSA and DSS host keys.
Recently, RFC 6594 was released. It extends the original SSHFP
specification with support for SHA-256 fingerprints and ECDSA host keys.
Add support for RFC 6594 SSHFP records to IPA, generate both SHA-1 and
SHA-256 fingerprints for RSA, DSS and ECDSA host keys.
= Use Cases =
Automatic generation of SSHFP DNS records on IPA client install:
# ipa-client-install
Discovery was successful!
Hostname: host1.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin at EXAMPLE.COM:
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://ipa.example.com/ipa/xml
Hostname (host1.example.com) not found in DNS
DNS server record set to: host1.example.com -> 192.168.1.1
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://ipa.example.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
$ dig host1.example.com SSHFP +short
2 2 0E04A7E09D037934492108ED5590612416BE736AD1BCAEAE1EA4148E 80C956E2
2 1 F2A1353FF919AD785B6BD42B588F6236D1F67459
1 2 3E475EEAF17975C36EE1413DDD659275FDD19C97C2C74A3651BA12F7 52E12A18
1 1 A308B1B02A8B43CB5192E26FA50280F752BB3A14
Automatic generation of SSHFP DNS records when modifying a host:
$ ipa host-mod host2.example.com --updatedns --sshpubkey='ssh-rsa
<data>' --sshpubkey='ssh-dss <data>' --sshpubkey='ecdsa-sha2-nistp256
<data>'
---------------------------------------------
Modified host "host2.example.com"
---------------------------------------------
Host name: host2.example.com
Principal name: host/host2.example.com at EXAMPLE.COM
MAC address: 00:11:22:33:44:55
SSH public key: ecdsa-sha2-nistp256 <data>,
ssh-dss <data>,
ssh-rsa <data>
Keytab: True
Managed by: host2.example.com
SSH public key fingerprint:
6C:9F:07:51:63:36:32:8B:ED:CF:8C:4C:5F:F2:BF:AE (ecdsa-sha2-nistp256),
07:5D:0D:55:64:62:A3:FE:02:AE:FC:CD:F6:ED:E1:D9 (ssh-dss),
8C:C3:27:A8:40:9F:80:01:61:99:D2:25:55:A3:52:30 (ssh-rsa)
$ dig host2.example.com SSHFP +short
2 2 43FFD792089442F08892CA753059FD8B7FA939E990CE4687A3D1FB75 E0B8F6DE
2 1 4C2C50EDEAE6BC6107A37EAE7A05694C15CFEC53
3 1 B1D733A262E29B44A4D8A9FAF4B3B9E78302D1DB
1 2 E5382308CFD60DE4F0ACF3BCB0366314EECFC71030A28AAF75280041 5FDF81A8
3 2 545055E921E94128AF6BFE68E6E2804333628F7808B8EAE10E297B11 3270862F
1 1 DA7A6687AE4B2C242E12A67DACDC67D26E374AD5
= Design=
Implement support for SHA-256 fingerprints and ECDSA keys in SSHFP
records in the <tt>ipapython.ssh</tt> module (add new method
<tt>fingerprint_dns_sha256</tt>).
Extend <tt>ipa-client-install</tt> and the <tt>host</tt> plugin to add
all types of SSHFP records to DNS.
= Implementation =
N/A
= Feature Managment =
N/A
= Major configuration options and enablement =
N/A
= Replication =
N/A
= Updates and Upgrades =
N/A
= Dependencies =
N/A
= External Impact =
N/A
--
Jan Cholasta
More information about the Freeipa-devel
mailing list