From: Tom Hughes
Date: Mon, 27 Sep 2021 14:31:49 +0000 (+0100)
Subject: Generate SSHFP records for algorithms 3 and 4
X-Git-Url: https://git.openstreetmap.org./dns.git/commitdiff_plain/5d2ced755fa99df6ba5595bea541a0c2e29643bc?ds=sidebyside

Generate SSHFP records for algorithms 3 and 4

The idea of choosing one was to minimise the number of records by choosing the one the client would favour but recent ssh clients have changed the default preference so we need both.
---
diff --git a/bin/mksshfp b/bin/mksshfp
index 0e0027c..f3b6d1a 100755
--- a/bin/mksshfp
+++ b/bin/mksshfp
@@ -6,13 +6,6 @@ use warnings;
 use Digest::SHA qw(sha256_hex);
 use MIME::Base64;
 
-my %algorithms = (
- "ssh-rsa" => "1",
- "ssh-dss" => "2",
- "ecdsa-sha2-nistp256" => "3",
- "ssh-ed25519" => "4"
-);
-
 my %hosts;
 
 if (-f "/etc/ssh/ssh_known_hosts")
@@ -21,42 +14,21 @@ if (-f "/etc/ssh/ssh_known_hosts")
 
 while (my $line = )
 {
+ last if $line =~ /^# Manually maintained records$/;
+
 if ($line =~ /^([^, ]+)\S* (\S+) (\S+)$/)
 {
 my $host = $1;
- my $algorithm = $algorithms{$2};
+ my $algorithm = $2;
 my $value = uc(sha256_hex(decode_base64($3)));
 
 $host =~ s/\.openstreetmap\.org$//;
-
+
 if ($algorithm ne "2")
 {
- my $wanted = 0;
-
- if (exists($hosts{$host}))
- {
- if ($algorithm eq "3")
- {
- $wanted = 1;
- }
- elsif ($algorithm eq "4" && $hosts{$host}->{algorithm} ne "3")
- {
- $wanted = 1;
- }
- }
- else
- {
- $wanted = 1;
- }
-
- if ($wanted)
- {
- $hosts{$host} = {
- algorithm => $algorithm,
- type => "2",
- value => $value
- };
- }
+ $hosts{$host} ||= {};
+
+ $hosts{$host}->{$algorithm} = $value;
 }
 }
 }
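Review bot: The guard `if ($algorithm ne "2")` no longer excludes DSS keys: `$algorithm` is now the raw key-type token from the known_hosts line (e.g. `ssh-dss`) rather than the old numeric code, so the comparison with `"2"` never matches a real key type and every algorithm is stored. Nothing wrong is printed because the output loop only emits records for three named types, but the condition is dead and misleading; either compare against the name, `if ($algorithm ne "ssh-dss")`, or drop the guard and let the output loop do the selection. The added `last if $line =~ /^# Manually maintained records$/;` stops parsing at the first such marker, so any host entries after it are never considered — a one-line comment stating that this is intentional would help the next reader. The enclosing `if (-f ...)` block opens and closes outside this hunk.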
@@ -70,11 +42,22 @@ print SSHFP_JS qq|var SSHFP_RECORDS = [\n|;
 
 foreach my $host (sort keys %hosts)
 {
- my $algorithm = $hosts{$host}->{algorithm};
- my $type = $hosts{$host}->{type};
- my $value = $hosts{$host}->{value};
+ if ($hosts{$host}->{"ecdsa-sha2-nistp256"} || $hosts{$host}->{"ssh-ed25519"})
+ {
+ if ($hosts{$host}->{"ecdsa-sha2-nistp256"})
+ {
+ print SSHFP_JS sshfp_record($host, "3", $hosts{$host}->{"ecdsa-sha2-nistp256"});
+ }
 
- print SSHFP_JS qq| SSHFP("${host}", ${algorithm}, ${type}, "${value}"),\n|;
+ if ($hosts{$host}->{"ssh-ed25519"})
+ {
+ print SSHFP_JS sshfp_record($host, "4", $hosts{$host}->{"ssh-ed25519"});
+ }
+ }
+ elsif ($hosts{$host}->{"ssh-rsa"})
+ {
+ print SSHFP_JS sshfp_record($host, "1", $hosts{$host}->{"ssh-rsa"});
+ }
 }
 
 print SSHFP_JS qq|];\n|;
@@ -82,3 +65,12 @@ print SSHFP_JS qq|];\n|;
 close(SSHFP_JS);
 
 exit 0;
+
+sub sshfp_record
+{
+ my $host = shift;
+ my $algorithm = shift;
+ my $value = shift;
+
+ return qq| SSHFP("${host}", ${algorithm}, 2, "${value}"),\n|;
+}
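Review bot: The `elsif` branch means a host's RSA key is silently dropped from the zone as soon as it also has an ECDSA or Ed25519 key; that matches the commit message's intent but is not stated anywhere in the code, and a reader of the generated zone will wonder why RSA records appear for some hosts only. A comment above the outer `if` would capture it: `# Prefer the modern key types; an RSA record is emitted only for hosts that have nothing else.` Binding `my $keys = $hosts{$host};` at the top of the loop body would also replace the six repeated `$hosts{$host}->{...}` lookups with `$keys->{...}`.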
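Review bot: `sshfp_record` unpacks its three arguments with separate `shift` calls; the idiomatic form names them in one statement, `my ($host, $algorithm, $value) = @_;`. The host is interpolated unescaped into a JS string literal, and the capture that produces it in the parsing loop (the earlier hunk, `/^([^, ]+)\S* (\S+) (\S+)$/`) excludes only comma and space, so a known_hosts entry containing a double quote or backslash would corrupt the generated file rather than be rejected — worth tightening that capture to hostname characters such as `[A-Za-z0-9.-]+`, or noting in a comment that the input file is operator-maintained and trusted. A short POD or comment header on the sub stating that it always emits fingerprint type 2 (SHA-256) would also document the hard-coded `2`.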