Package: sshfp
Version: 1.2.2-4
Severity: wishlist
Tags: upstream patch

Dear Maintainer,

sshfp does not currently support ECDSA, and upstream does not seem very
active.

A patch was added to the devel branch a long time ago, but no
release has been made (I've attached the patch; I didn't write it).

See:
https://github.com/xelerance/sshfp/compare/devel

I've tested it and it seems to work fine, and it's a ten-line change.

Please consider adding it as a Debian patch given that the Debian
openssh server includes ECDSA support.

-- 
David Härdeman
--- sshfp	2013-03-07 17:16:00.000000000 +0100
+++ sshfp	2013-02-16 09:11:52.000000000 +0100
@@ -53,10 +53,9 @@
 
 	if keytype == "ssh-rsa":
 		keytype = "1"
-	elif  keytype == "ssh-dss":
+	else:
+		if keytype == "ssh-dss":
 		keytype = "2"
-	elif  keytype == "ecdsa-sha2-nistp256":
-		keytype = "3"
 	else:
 		return ""
 	try:
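Review bot: As pasted, the new side of this hunk is not valid Python: `if keytype == "ssh-dss":` at two tabs is followed by `keytype = "2"` at the same indent, so the inner `if` has no body, and a second `else:` then follows the outer `if`/`else`. The header timestamps (`---` dated 2013-03-07, `+++` dated 2013-02-16) together with the fact that every hunk removes ECDSA rather than adding it suggest the patch was generated in the reverse direction; applying it with `patch -R`, or regenerating it old-to-new, yields the `elif keytype == "ecdsa-sha2-nistp256": keytype = "3"` branch the report asks for. The same reversal affects the remaining hunks (`check_keytype`, the `-t` choices, the `algos` default and the `-a` warning). Even in the intended direction only the nistp256 curve is mapped to SSHFP algorithm 3, and nistp384/nistp521 keys fall through to `return ""` silently, which deserves a comment such as `# SSHFP algorithm 3 = ECDSA (RFC 6594); only the nistp256 curve is recognised here`. The enclosing function starts before the hunk and its `try:` body continues past it.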
@@ -130,19 +129,19 @@
 		fingerprints.append(process_records(data, wantedHosts))
 	return "\n".join(fingerprints)
 
-def check_keytype(keytype):
+def check_keytype(keytype, hostname):
 	global algos
 	for algo in algos:
 		if "ssh-%s" % algo[:-1] == keytype[:-1]:
 			return True
-		if "ecdsa" == algo and "ecdsa-sha2-nistp256" == keytype:
-			return True
+	if not quiet:
+		print >> sys.stderr, "Could only find key type %s for %s" % (keytype, hostname)
 	return False
 
 def process_record(record, hostname):
 	(host, keytype, key) = record.split(" ")
 	key = key.rstrip()
-	if check_keytype(keytype):
+	if check_keytype(keytype, hostname):
 		record = create_sshfp(hostname, keytype, key)
 		return record
 	return ""
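Review bot: The new `check_keytype` compares `"ssh-%s" % algo[:-1]` with `keytype[:-1]`, a prefix trick that lets `dsa` match `ssh-dss`, but an ECDSA key name (`ecdsa-sha2-nistp256`) never starts with `ssh-`, so without the removed `"ecdsa" == algo` special case an ECDSA key can only reach the new warning and `return False`. If this hunk is meant to be read in reverse, as the header timestamps suggest, that special case is the only path that admits ECDSA, and it admits only nistp256. Either way the `[:-1]` comparison deserves a comment, e.g. `# drop the last char so "dsa" matches both "ssh-dss" and "ssh-dsa"`. `quiet` is read here as a module-level name, which works without a `global` statement, but its definition is outside the hunk.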
@@ -169,7 +168,7 @@
 		if "," in host:
 			host = host.split(",")[0]
 		if all_hosts or host in hostnames or host == hostnames:
-			if not check_keytype(keytype):
+			if not check_keytype(keytype, host):
 				continue
 			all_records.append(create_sshfp(host, keytype, key))
 	if all_records:
@@ -302,7 +301,7 @@
 			action="append",
 			type="choice",
 			dest="algo",
-			choices=["rsa", "dsa", "ecdsa"],
+			choices=["rsa", "dsa"],
 			default=[],
 			help="key type to fetch (may be specified more than once, default dsa,rsa)")
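Review bot: The help text on the context line, `default dsa,rsa`, is only accurate on the side of this hunk that omits `ecdsa` from `choices`; in the direction the report intends (adding ECDSA, which the header timestamps suggest is the reverse of what is shown), the default set in the `algos = options.algo or [...]` hunk below includes `ecdsa` and the help string goes stale. Whichever direction is applied, keep `choices`, the `algos` default and the help string in sync, e.g. `help="key type to fetch (may be specified more than once, default dsa,rsa,ecdsa)"`. Deriving both `choices` and the default from one module-level tuple would stop them drifting apart.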
 	parser.add_option("-n", "--nameserver",
@@ -323,7 +322,7 @@
 	data = ""
 	trailing = options.trailing_dot
 	timeout = options.timeout
-	algos = options.algo or ["dsa", "rsa", "ecdsa"]
+	algos = options.algo or ["dsa", "rsa"]
 	all_hosts = options.all_hosts
 	port = options.port
 	hostnames = ()
@@ -340,7 +339,7 @@
 		sys.exit(1)
 	if not options.scan and options.all_hosts and args:
 		print >> sys.stderr, "WARNING: -a and hosts both passed, ignoring manual host list"
-	if not args and (not all_hosts):
+	if not args:
 		print >> sys.stderr, "WARNING: Assuming -a"
 		all_hosts = True
 
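Review bot: With `(not all_hosts)` dropped from the condition, the new side prints `WARNING: Assuming -a` and sets `all_hosts = True` even when the user passed `-a` explicitly, so the warning is misleading in that case; the removed form `if not args and (not all_hosts):` is the one that matches the message. Given the header timestamps this hunk too appears reversed, and applying the diff in the intended direction restores that guard. The enclosing block continues past the hunk.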
