SSH keys summary does not report ECDSA key

Bug #892554 reported by Kees Cook
Affects              Status        Importance  Assigned to  Milestone
cloud-init           Fix Released  Medium      Unassigned
cloud-init (Ubuntu)  Fix Released  Medium      Unassigned

Bug Description

The final report of SSH key fingerprints does not include ECDSA:

$ ec2-get-console-output --region us-west-2 i-107ee921
...
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
f8:bf:48:3a:a8:93:e1:1e:52:6d:08:ff:0a:a2:2d:eb root@ip-10-252-13-148
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
|. |
| o o . |
| + o . S |
| ..o . |
|+..o.. o |
|+++o. .o o |
|+E=o ... o. |
+-----------------+
Generating public/private dsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
1d:a6:d9:89:6f:7b:0a:a1:45:78:d4:ee:a8:21:c0:5c root@ip-10-252-13-148
The key's randomart image is:
+--[ DSA 1024]----+
| .. |
| E o . |
| o . . o.o |
| + o B.o |
| . So+ |
| . .o.o. |
| ..o. o |
| . o .. |
| oo |
+-----------------+
Generating public/private ecdsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_ecdsa_key.
Your public key has been saved in /etc/ssh/ssh_host_ecdsa_key.pub.
The key fingerprint is:
4c:9a:68:f2:33:50:f1:6f:81:bf:e3:f3:05:9d:23:70 root@ip-10-252-13-148
The key's randomart image is:
+--[ECDSA 256]---+
| . |
| o . |
| . o + E |
| . . B + . . |
| o o o S o + |
| = . . o . |
| + o . |
| o ... . |
| .o. |
+-----------------+
ec2:
ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 2048 f8:bf:48:3a:a8:93:e1:1e:52:6d:08:ff:0a:a2:2d:eb /etc/ssh/ssh_host_rsa_key.pub (RSA)
ec2: 1024 1d:a6:d9:89:6f:7b:0a:a1:45:78:d4:ee:a8:21:c0:5c /etc/ssh/ssh_host_dsa_key.pub (DSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################

Additionally, it would be better to report the entire public key portion so that keys could be programmatically included by the users of the instance.

Revision history for this message
Scott Moser (smoser) wrote :

This was actually fix-committed in upstream cloud-init at revision 471.
http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/revision/471

-ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
-ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
+for f in /etc/ssh/ssh_host_*key.pub; do
+ [ -f "$f" ] || continue
+ ssh-keygen -l -f "$f"
+done
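Review bot: the glob loop changes the order of the fingerprint lines: the shell expands `/etc/ssh/ssh_host_*key.pub` in sorted order, so the block will list dsa, then ecdsa, then rsa, whereas the two explicit calls it replaces printed RSA before DSA. Since the thread below notes that tools scrape this block by pattern, the new ordering should be stated in the commit message, or the files listed explicitly (rsa, dsa, ecdsa) to keep the old order. The `[ -f "$f" ] || continue` guard is right: with no matching files the pattern is returned literally and the test skips it instead of handing a non-existent path to ssh-keygen.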

Changed in cloud-init:
importance: Undecided → Medium
status: New → Fix Committed
Changed in cloud-init (Ubuntu):
importance: Undecided → Medium
milestone: none → ubuntu-12.04-beta-1
status: New → Triaged
Revision history for this message
Kees Cook (kees) wrote : Re: [Bug 892554] Re: SSH keys summary does not report ECDSA key

What's the best way to add a known_hosts entry from these fingerprints?
Maybe the -e option should be used instead of -l ?

Revision history for this message
Scott Moser (smoser) wrote :

> What's the best way to add a known_hosts entry from these fingerprints?
> Maybe the -e option should be used instead of -l ?

I don't think there is enough information to create an ssh known_hosts
entry from the fingerprint. I've written a blog post at
http://ubuntu-smoser.blogspot.com/2010/07/verify-ssh-keys-on-ec2-instances.html
demonstrating how to check the host before connecting.

I think the original intent of this feature (before my time) was to serve
humans verifying the remote host, thus the fingerprint makes sense.

However, it seems that it would make sense to support outputting something
more machine consumable, which the 'ssh -e' would be better for.

I'm open to adding a cloud-config option for this. Care to open a bug?

Unfortunately, I don't think we can reasonably ditch the old default
behavior as many tools have been written to scrape console output looking
for this formatted string.

Revision history for this message
Eric Hammond (esh) wrote :

Love the known_hosts suitable output format idea! It doesn't even need to be an option. Split that off into bug #893400.

The current ticket can remain for adding the ECDSA ssh key fingerprint.

Revision history for this message
Kees Cook (kees) wrote :

On Mon, Nov 21, 2011 at 07:44:13PM -0000, Scott Moser wrote:
> I don't think there is enough information to create an ssh known_hosts
> entry from the fingerprint. I've written a blog post at
> http://ubuntu-smoser.blogspot.com/2010/07/verify-ssh-keys-on-ec2-instances.html
> demonstrating how to check the host before connecting.

Ah, nice. This is a reasonable way to handle it for the moment.

> Unfortunately, I don't think we can reasonably ditch the old default
> behavior as many tools have been written to scrape console output looking
> for this formatted string.

Right, I don't mean to ditch the fingerprint report, but instead, allow
one to skip the ssh-keyscan step, and just pull the .pub file directly out
of the console output. i.e. _add_ it to the console output.

--
Kees Cook
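
The check Scott's comment describes (compare the fingerprints printed on the console with the keys the host actually offers before trusting it) and the known_hosts lines Kees is after, as an added Python example that is not part of the bug report or of cloud-init. The host name, key blobs, console text and ssh-keyscan output are all constructed inline so it runs offline; in practice the keyscan text comes from `ssh-keyscan <host>` and the console text from `ec2-get-console-output`. It also shows the gap this bug is about: a key type the host offers but the console summary does not list cannot be verified at all.

```python
import base64
import hashlib
import re
import struct

# --- constructed sample data (not from the bug report) -----------------------
HOST = "ec2-203-0-113-10.us-west-2.compute.amazonaws.com"  # hypothetical host

def _blob(key_type, payload):
    """SSH wire-format public key blob: uint32 length, type name, then payload."""
    return struct.pack(">I", len(key_type)) + key_type.encode() + payload

def _b64(blob):
    return base64.b64encode(blob).decode()

# Toy key material: only the outer blob structure matters for fingerprinting.
RSA_BLOB = _blob("ssh-rsa", b"\x00\x00\x00\x01\x03" + b"\x00\x00\x00\x08" + bytes(range(8)))
DSA_BLOB = _blob("ssh-dss", bytes(range(16)))
ECDSA_BLOB = _blob("ecdsa-sha2-nistp256", _blob("nistp256", b"\x04" + bytes(64)))
MITM_RSA_BLOB = _blob("ssh-rsa", b"\x00\x00\x00\x01\x03" + b"\x00\x00\x00\x08" + bytes(8))

KEYTYPE_LABEL = {"ssh-rsa": "RSA", "ssh-dss": "DSA",
                 "ecdsa-sha2-nistp256": "ECDSA", "ecdsa-sha2-nistp384": "ECDSA",
                 "ecdsa-sha2-nistp521": "ECDSA"}
# "2048 f8:bf:...:eb /etc/ssh/ssh_host_rsa_key.pub (RSA)" once the "ec2: " prefix is gone
FP_LINE = re.compile(r"^(\d+)\s+((?:[0-9a-f]{2}:){15}[0-9a-f]{2})\s+(\S+)\s+\((\w+)\)$")

def md5_fingerprint(blob):
    """Legacy OpenSSH fingerprint: MD5 over the raw blob as colon-separated hex,
    the form `ssh-keygen -l` printed when this bug was filed."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def parse_console_fingerprints(console_text):
    """Extract {key label: fingerprint} from the cloud-init block in console output."""
    found, inside = {}, False
    for raw in console_text.splitlines():
        line = re.sub(r"^ec2:\s?", "", raw).strip()   # drop the per-line "ec2: " prefix
        if line == "-----BEGIN SSH HOST KEY FINGERPRINTS-----":
            inside = True
        elif line == "-----END SSH HOST KEY FINGERPRINTS-----":
            break
        elif inside:
            m = FP_LINE.match(line)
            if m:
                found[m.group(4)] = m.group(2)
    return found

def verify_host_keys(console_text, keyscan_text):
    """Compare the console fingerprints with what the host offers (ssh-keyscan lines).
    Returns (known_hosts lines for keys that matched, list of problems)."""
    expected = parse_console_fingerprints(console_text)
    verified, problems = [], []
    for line in keyscan_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, keytype, b64 = line.split()[:3]
        label = KEYTYPE_LABEL.get(keytype, keytype)
        actual = md5_fingerprint(base64.b64decode(b64))
        if label not in expected:
            problems.append(f"{label}: offered by host but absent from console summary; cannot verify")
        elif expected[label] != actual:
            problems.append(f"{label}: MISMATCH console={expected[label]} host={actual}")
        else:
            verified.append(f"{host} {keytype} {b64}")   # ready to append to ~/.ssh/known_hosts
    return verified, problems

# Console output in the format shown in the bug, with RSA and DSA only (constructed).
CONSOLE_OUTPUT = f"""Generating public/private ecdsa key pair.
ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 2048 {md5_fingerprint(RSA_BLOB)} /etc/ssh/ssh_host_rsa_key.pub (RSA)
ec2: 1024 {md5_fingerprint(DSA_BLOB)} /etc/ssh/ssh_host_dsa_key.pub (DSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################
"""
# What ssh-keyscan would print for the honest host, and for a host substituting the RSA key.
KEYSCAN_OK = "\n".join(f"{HOST} {t} {_b64(b)}" for t, b in
                       (("ssh-rsa", RSA_BLOB), ("ssh-dss", DSA_BLOB),
                        ("ecdsa-sha2-nistp256", ECDSA_BLOB)))
KEYSCAN_MITM = KEYSCAN_OK.replace(_b64(RSA_BLOB), _b64(MITM_RSA_BLOB))

if __name__ == "__main__":
    for name, scan in (("honest host", KEYSCAN_OK), ("substituted RSA key", KEYSCAN_MITM)):
        verified, problems = verify_host_keys(CONSOLE_OUTPUT, scan)
        print(f"== {name}: {len(verified)} known_hosts line(s) verified")
        for p in problems:
            print("   ", p)
```

Only keys whose fingerprint matched the console are turned into known_hosts lines; the ECDSA key is reported as unverifiable rather than silently trusted, which is exactly why the console summary needs to list every key type the host will offer.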

Scott Moser (smoser)
Changed in cloud-init (Ubuntu):
status: Triaged → Fix Released
Scott Moser (smoser)
Changed in cloud-init:
status: Fix Committed → Fix Released
Revision history for this message
James Falcon (falcojr) wrote :