
Opened 3 years ago

Closed 3 years ago

Last modified 17 months ago

#2097 closed enhancement (worksforme)

SSHFP with paramiko

Reported by: elenril Owned by: elenril
Priority: minor Milestone: 2.5
Component: client Version: 2.4.x
Keywords: Cc:


One feature that I've been using with openssh, but is missing from the new paramiko code, is checking SSHFP DNS records.

Some background: SSHFP records are used to publish host key fingerprints in DNS, then (assuming the domain is DNSSEC-secured and the client has a validating resolver) the client can verify the host keys through DNS rather than the classic trust-on-first-use method. In openssh, this is enabled by the VerifyHostKeyDNS yes option in ssh_config. Since I have many hosts which connect to each other, I think this scales better than the classic known_hosts approach.

Now, paramiko does not support SSHFP natively, but it can be implemented by the caller through a custom missing host key policy. I'm attaching code for this policy I use in another codebase, though I am not sure whether it belongs in xpra or should be added to paramiko itself, or implemented in some other manner. Thoughts?
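The attachment itself is not reproduced on this page. As an added illustration of the approach the ticket describes (a custom paramiko missing-host-key policy that checks SSHFP records), the following is example code written for this page, not the attached policy and not xpra's code. It implements the RFC 4255 / RFC 6594 fingerprint check (hash of the raw host key blob, matched against algorithm and fingerprint-type fields) with the standard library, refuses any answer that did not arrive DNSSEC-validated, and only touches dnspython (assumed API: `dns.resolver.Resolver`, the `AD` flag, `rdata.algorithm` / `fp_type` / `fingerprint`) and paramiko (`MissingHostKeyPolicy`, `key.get_name()`, `key.asbytes()`) inside the lookup and policy wrappers, so the verification logic runs offline against a constructed key blob and constructed records:

```python
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by SSH key type name.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


class HostKeyVerificationError(Exception):
    """Raised when no DNSSEC-validated SSHFP record matches the presented host key."""


def sshfp_fingerprint(key_blob, fp_type):
    """Fingerprint as published in DNS: the hash of the raw public key blob
    (the base64-decoded second field of a known_hosts / authorized_keys line)."""
    return SSHFP_HASH[fp_type](key_blob).digest()


def zone_record(hostname, key_name, key_blob, fp_type=2):
    """Zone-file line a server operator would publish for this key."""
    fp = sshfp_fingerprint(key_blob, fp_type).hex()
    return "%s. IN SSHFP %d %d %s" % (hostname, SSHFP_ALGORITHM[key_name], fp_type, fp)


def verify_sshfp(key_name, key_blob, records, dnssec_validated, accepted_fp_types=(2,)):
    """True iff some record (algorithm, fp_type, fingerprint bytes) matches the key.
    Records that were not DNSSEC-validated prove nothing, so they are rejected outright;
    SHA-1 records are ignored unless the caller opts in via accepted_fp_types."""
    if not dnssec_validated:
        return False
    algorithm = SSHFP_ALGORITHM.get(key_name)
    if algorithm is None:
        return False
    for rec_algorithm, rec_fp_type, rec_fp in records:
        if rec_algorithm != algorithm or rec_fp_type not in accepted_fp_types:
            continue
        if hmac.compare_digest(sshfp_fingerprint(key_blob, rec_fp_type), rec_fp):
            return True
    return False


def lookup_sshfp(hostname):
    """Query SSHFP records with dnspython (assumed API). Returns (records, dnssec_validated);
    validation is taken from the AD flag, which only a trusted validating resolver may set."""
    import dns.exception
    import dns.flags
    import dns.resolver
    resolver = dns.resolver.Resolver()
    resolver.use_edns(0, dns.flags.DO, 4096)       # ask for DNSSEC data
    resolver.flags = dns.flags.RD | dns.flags.AD   # request the Authenticated Data flag
    try:
        answer = resolver.resolve(hostname, "SSHFP")
    except dns.exception.DNSException:
        return [], False
    validated = bool(answer.response.flags & dns.flags.AD)
    return [(r.algorithm, r.fp_type, r.fingerprint) for r in answer], validated


try:
    from paramiko import MissingHostKeyPolicy
except ImportError:                       # keep the module importable without paramiko
    MissingHostKeyPolicy = object


class SSHFPPolicy(MissingHostKeyPolicy):
    """Use with client.set_missing_host_key_policy(SSHFPPolicy()) in place of AutoAddPolicy."""

    def __init__(self, lookup=lookup_sshfp):
        self.lookup = lookup              # injectable, so the check can be tested offline

    def missing_host_key(self, client, hostname, key):
        records, validated = self.lookup(hostname)
        if not verify_sshfp(key.get_name(), key.asbytes(), records, validated):
            raise HostKeyVerificationError(
                "host key %s for %s matched no DNSSEC-validated SSHFP record" % (key.get_name(), hostname))
        # A match returns normally; paramiko then proceeds without touching known_hosts.


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

# Constructed stand-in for a server's ssh-ed25519 host key blob (not a real key).
DEMO_KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
DEMO_RECORDS = [
    (4, 2, sshfp_fingerprint(DEMO_KEY_BLOB, 2)),                 # record published for this key
    (4, 2, hashlib.sha256(b"previous host key").digest()),       # stale record from a rotated key
]


def demo():
    """Exercise the policy with a fake lookup; returns the outcomes a client can see."""
    class FakeKey:
        def get_name(self): return "ssh-ed25519"
        def asbytes(self): return DEMO_KEY_BLOB
    results = {}
    policy = SSHFPPolicy(lookup=lambda host: (DEMO_RECORDS, True))
    try:
        policy.missing_host_key(None, "host.example", FakeKey())
        results["validated_match"] = True
    except HostKeyVerificationError:
        results["validated_match"] = False
    results["unvalidated"] = verify_sshfp("ssh-ed25519", DEMO_KEY_BLOB, DEMO_RECORDS, False)
    results["wrong_key"] = verify_sshfp("ssh-ed25519", b"some other blob", DEMO_RECORDS, True)
    return results
```

The policy deliberately raises rather than silently falling back to trust-on-first-use when DNS does not validate: the point of SSHFP is to replace the known_hosts bootstrap, so an unvalidated or missing record should produce the same error a bad fingerprint would, which is also what makes the failure visible in the client's console messages.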

Attachments (1)

_sshfp_policy.py (1.8 KB) - added by elenril 3 years ago.


Change History (7)

Changed 3 years ago by elenril

Attachment: _sshfp_policy.py added

comment:1 Changed 3 years ago by Antoine Martin

Status: new → assigned

I think the policy itself could be merged by paramiko, if they decide to do so. If anything, their review of the code would be useful to have.

The actual code changes in xpra would be minimal.
I'll try to take a look when I get a chance, but feel free to beat me to it.

comment:2 Changed 3 years ago by Antoine Martin

Owner: changed from Antoine Martin to elenril
Status: assigned → new

Try r21287 and let me know how it goes.

I take back what I had said regarding merging this upstream: it's easier to have it separate so that the messages we get from the SSHFP DNS check can be integrated into the other dialogs / console messages.

comment:3 Changed 3 years ago by Antoine Martin

Resolution: worksforme
Status: new → closed

Not heard back, closing - works for me.

comment:4 Changed 3 years ago by Antoine Martin

Added python-dns to rpm and deb dependencies in r22531.

comment:5 Changed 2 years ago by Antoine Martin

See also #2567.

comment:6 Changed 17 months ago by migration script

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2097
