From eff48f1773ce0481d3f494bff5ad382755a7f500 Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Mon, 18 May 2020 16:55:08 +0200
Subject: [PATCH] Changed approach for generating sshfp RR to lookup on python script
---
 helpers/ssh_dns_fingerprints.makefile | 4 ----
 playbooks/dns.yml | 12 +-----------
 public_keys/ssh_dns_fp.py | 26 ++++++++++++++++++++++++++
 roles/common/tasks/sshd.yml | 7 -------
 4 files changed, 27 insertions(+), 22 deletions(-)
 delete mode 100644 helpers/ssh_dns_fingerprints.makefile
 create mode 100755 public_keys/ssh_dns_fp.py
diff --git a/helpers/ssh_dns_fingerprints.makefile b/helpers/ssh_dns_fingerprints.makefile
deleted file mode 100644
index ea03db7..0000000
--- a/helpers/ssh_dns_fingerprints.makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-FILES = $(shell ls | grep -vE "^dns$$")
-
-dns: $(FILES)
- echo "$(FILES)" | xargs --max-args 1 ssh-keygen -r "$$(basename "$$(pwd)")." -f > "$@"
diff --git a/playbooks/dns.yml b/playbooks/dns.yml
index 264a06c..4817be4 100644
--- a/playbooks/dns.yml
+++ b/playbooks/dns.yml
@@ -6,16 +6,6 @@
 hosts: nvak.banananet.work
 vars:
 nvak_dns_slaves: []
- pre_tasks:
- - name: Load ssh host key dns fingerprint for host
- command: cat "{{ global_ssh_host_key_directory | quote }}/{{ item | quote }}/dns"
- delegate_to: localhost
- register: ssh_key_dns_fpr_raw
- changed_when: False
- loop: "{{ groups['public_available'] }}"
- - name: Remap ssh host key dns fingerprints
- set_fact:
- ssh_key_dns_fpr_map: "{{ ssh_key_dns_fpr_raw.results | items2dict(key_name='item', value_name='stdout') }}"
 roles:
 - role: dns/master
 domain: banananet.work
@@ -31,7 +21,7 @@
 {% for fqdn in groups['public_available'] %}
 {{ fqdn }}. IN A {{ hostvars[fqdn].ansible_default_ipv4.address }}
 {{ fqdn }}. IN AAAA {{ hostvars[fqdn].ansible_default_ipv6.address }}
- {{ ssh_key_dns_fpr_map[fqdn] }}
+ {{ lookup('pipe', global_public_key_directory|quote + '/ssh_dns_fp.py --host ' + fqdn|quote) }}
 {% endfor %}
 ; Public use domains
 @ IN A {{ ansible_default_ipv4.address }}
diff --git a/public_keys/ssh_dns_fp.py b/public_keys/ssh_dns_fp.py
new file mode 100755
index 0000000..a05da1a
--- /dev/null
+++ b/public_keys/ssh_dns_fp.py
@@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+
+import argparse
+from pathlib import Path
+import subprocess
+import sys
+
+def gen_sshfp_rr(keys_dir, host, domain):
+ key_dir = Path(keys_dir) / host
+ res = []
+ for key in key_dir.iterdir():
+ if key.name != "dns":
+ res.append(subprocess.check_output(["ssh-keygen", "-r", domain, "-f", str(key)]).decode('utf-8').strip())
+ return '\n'.join(res)
+
+def main():
+ ssh_hosts_keys = Path(sys.argv[0]).parent / "ssh/hosts"
+ parser = argparse.ArgumentParser()
+ parser.add_argument('--domain', default=None)
+ parser.add_argument('--host', required=True)
+ args = parser.parse_args()
+ args.domain = (args.domain or args.host) + "."
+ print(gen_sshfp_rr(ssh_hosts_keys, args.host, args.domain))
+
+if __name__ == "__main__":
+ main()
diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml
index 90d6bd8..d33a8a1 100644
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@@ -64,10 +64,3 @@
 loop: "{{ ssh_host_keys.results }}"
 loop_control:
 label: "{{ item.item }}"
-
-- name: Generate ssh host key dns fingerprints locally
- make:
- chdir: "{{ global_ssh_host_key_directory }}/{{ inventory_hostname }}"
- file: "{{ playbook_dir }}/helpers/ssh_dns_fingerprints.makefile"
- target: dns
- delegate_to: localhost
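Review bot: The added `lookup('pipe', …)` line makes every render of this zone template run `ssh_dns_fp.py` (and through it `ssh-keygen`) on the controller for each host in `public_available`, but nothing in the play documents or checks that requirement, so a missing `ssh-keygen` or a failing script surfaces only as a lookup error in the middle of templating. A Jinja comment above the line, e.g. `{# SSHFP records are produced on the controller by ssh_dns_fp.py from the committed host keys; needs ssh-keygen locally #}`, would record that dependency next to the call. The `|quote` on `fqdn` is what keeps an inventory hostname from being interpreted by the controller's shell and must be kept if the command string is ever refactored; building the prefix once before the loop with `{% set sshfp_cmd = global_public_key_directory | quote ~ '/ssh_dns_fp.py --host ' %}` would also make the record line easier to read. The enclosing template block starts and ends outside the hunk.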
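Review bot: `gen_sshfp_rr` iterates `key_dir.iterdir()` in directory order, which is not stable across filesystems or runs, so the SSHFP lines can change order between playbook runs and the generated zone shows as changed without any key having changed; `for key in sorted(key_dir.iterdir()):` fixes that. In `main`, `Path(sys.argv[0]).parent` is whatever path the caller used to start the script (a bare name when found via PATH, giving `.`), whereas `ssh_hosts_keys = Path(__file__).resolve().parent / "ssh" / "hosts"` locates the key directory regardless of how it was invoked. The only filter is `key.name != "dns"` (a leftover of the removed makefile's output file), so any other stray file in the host directory is passed to `ssh-keygen -r` and a failure there aborts the whole lookup; if the host keys carry the `.pub` suffix, selecting them with `key_dir.glob("*.pub")` is narrower, to be confirmed against how `roles/common/tasks/sshd.yml` stores the fetched keys. When no key is found the script prints an empty string and the caller silently emits no SSHFP records for that host; raising `SystemExit` with a message when `res` is empty would make the pipe lookup fail instead of hiding the gap. Neither function has a docstring; `gen_sshfp_rr` deserves a one-liner such as `"""Return the ssh-keygen -r SSHFP records for every host key under keys_dir/host, one per line."""`.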