Add support for newer FreeIPA SHA256 SSH public key hashes (#40803)

* lib/ansible/modules/identity/ipa/ipa_user.py: - Check any existing `ipa_user` SSH public key fingerprints for the hash algorithm to use - Generate `module_user` SSH public key fingerprint based on detected or default algorithm
6 years ago · 93fd323457
parent 2bd8e47247
commit 93fd323457
1 changed files with 17 additions and 5 deletions
--- a/lib/ansible/modules/identity/ipa/ipa_user.py
+++ b/lib/ansible/modules/identity/ipa/ipa_user.py
@ -194,7 +194,10 @@ def get_user_diff(client, ipa_user, module_user):
    # These are used for comparison.
    sshpubkey = None
    if 'ipasshpubkey' in module_user:
-        module_user['sshpubkeyfp'] = [get_ssh_key_fingerprint(pubkey) for pubkey in module_user['ipasshpubkey']]
+        hash_algo = 'md5'
+        if 'sshpubkeyfp' in ipa_user and ipa_user['sshpubkeyfp'][0][:7].upper() == 'SHA256:':
+            hash_algo = 'sha256'
+        module_user['sshpubkeyfp'] = [get_ssh_key_fingerprint(pubkey, hash_algo) for pubkey in module_user['ipasshpubkey']]
        # Remove the ipasshpubkey element as it is not returned from IPA but save it's value to be used later on
        sshpubkey = module_user['ipasshpubkey']
        del module_user['ipasshpubkey']
@ -208,11 +211,16 @@ def get_user_diff(client, ipa_user, module_user):
    return result


-def get_ssh_key_fingerprint(ssh_key):
+def get_ssh_key_fingerprint(ssh_key, hash_algo='sha256'):
    """
    Return the public key fingerprint of a given public SSH key
-    in format "FB:0C:AC:0A:07:94:5B:CE:75:6E:63:32:13:AD:AD:D7 [user@host] (ssh-rsa)"
+    in format "[fp] [user@host] (ssh-rsa)" where fp is of the format:
+    FB:0C:AC:0A:07:94:5B:CE:75:6E:63:32:13:AD:AD:D7
+    for md5 or
+    SHA256:[base64]
+    for sha256
    :param ssh_key:
+    :param hash_algo:
    :return:
    """
    parts = ssh_key.strip().split()
@ -221,8 +229,12 @@ def get_ssh_key_fingerprint(ssh_key):
    key_type = parts[0]
    key = base64.b64decode(parts[1].encode('ascii'))

-    fp_plain = hashlib.md5(key).hexdigest()
-    key_fp = ':'.join(a + b for a, b in zip(fp_plain[::2], fp_plain[1::2])).upper()
+    if hash_algo == 'md5':
+        fp_plain = hashlib.md5(key).hexdigest()
+        key_fp = ':'.join(a + b for a, b in zip(fp_plain[::2], fp_plain[1::2])).upper()
+    elif hash_algo == 'sha256':
+        fp_plain = base64.b64encode(hashlib.sha256(key).digest()).decode('ascii').rstrip('=')
+        key_fp = 'SHA256:{fp}'.format(fp=fp_plain)
    if len(parts) < 3:
        return "%s (%s)" % (key_fp, key_type)
    else: