Page MenuHomeVyOS Platform
Create Task
Maniphest T5653

Command to display fingerprint
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

The first time connecting to a VyOS router with SSH it asks the user to verify the fingerprint.

The following command displays the available public keys one page at a time.

for PUBKEY in /etc/ssh/*.pub; do ssh-keygen -l -v -E sha256 -f ${PUBKEY}; done | more

This would make a great op-mode command such as 'show ssh fingerprints'

VyOS could also hint the user that these keys are stored in /etc/ssh as per a regular linux system and that commands like cd/ls/ssh-keygen can be used.

See Forum for background

https://forum.vyos.io/t/how-to-verify-ssh-fingerprint-of-a-vyos-router/12277

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Improvement (missing useful functionality)

Related Objects

Event Timeline

fsbof created this task.Oct 13 2023, 1:31 AM
JeffWDH added a subscriber: JeffWDH.Oct 13 2023, 1:54 PM
pasik added a subscriber: pasik.Oct 13 2023, 4:22 PM
JeffWDH added a comment.Oct 13 2023, 5:10 PM

https://github.com/vyos/vyos-1x/pull/2363

$ show ssh fingerprints
SSH server public key fingerprints:

1024 SHA256:EyT+ladQR7yL2uzCi9p7U3CjMmSrL+vpv7bVew3ie0I root@vyos (DSA)
+---[DSA 1024]----+
|      . . .oo    |
|     . o . o.    |
|      . o o ..   |
|      o..+oo.    |
|     o .S+.o .   |
|      + .oE o    |
|     . +.B.. o   |
|    oo.o* =.o .  |
|   o*BO=.=+=     |
+----[SHA256]-----+

256 SHA256:6hgo7Uhxo6UORWnvhKo9n+0V0ssMTfK96V8dd2dVJV0 root@debian (ECDSA)
+---[ECDSA 256]---+
|              ..E|
|   .           .o|
|  +   . .       .|
| o o   * .      .|
| .o+o o S .    .=|
| +*+.  * o o   o=|
|++o o . = o   . .|
|==.  * . .   .   |
|o.oo+.+   ...    |
+----[SHA256]-----+

3072 SHA256:Dy9PXHuLIy1TB7EnlzorU3Cq3YSNiBja8ICRTMghwxU root@debian (RSA)
+---[RSA 3072]----+
|O+oE.            |
|==          .    |
| o           o . |
|. o .     . = +  |
|   * o .S. B.*   |
|  . + . .=+.B..  |
|        .o=*.+.  |
|        .+B =o . |
|          .*...  |
+----[SHA256]-----+

256 SHA256:FpsnnJeuqlacYHwC7uz2rVxipG3znDn+Wu1xh7dxQx8 root@debian (ED25519)
+--[ED25519 256]--+
|                 |
|  .              |
| . o    .        |
|  . = .. = .     |
| o ..= .S +    E |
|  o+  +. *   .. o|
| .. *.. . + o +.o|
|  o+.B.+ o o o +.|
| . o=+X=o .   .  |
+----[SHA256]-----+
c-po added a subscriber: c-po.Oct 14 2023, 6:58 AM

I wonder if we need the ASCII art though or not the plain fingerprints only (first line of the command)

c-po changed the task status from Open to In progress.Oct 14 2023, 6:58 AM
c-po assigned this task to fsbof.
Apachez added a subscriber: Apachez.Oct 14 2023, 7:52 AM

I think it should be included, its often used during generation in Debian among other distros.

One way to enhance it if the default would be to not show it would be to have it as available as a suboption, something like:

show ssh fingerprints
show ssh fingerprints <specific fingerprint>
show ssh fingerprints ascii
show ssh fingerprints ascii <specific fingerprint>

Specific fingerprint in this case is tha nem of the fingerprint such as this compared to previous example:

show ssh fingerprints root@debian
fsbof added a comment.EditedOct 14 2023, 10:35 AM

Wow - you guys work quickly! ๐Ÿ‘

My very humble opinion would be that the basic version of this command should consider a first time user and that it should provide all the information that could be needed to connect so the user doesn't have to look further. If this is multiple fingerprints in multiple formats and they have to read, then so be it. I like the idea from @Apachez that this command also provides a meaningful 'hint' to the underlying source that aids learning.

Additional sub-commands are awesome and should target users who know what they are looking for. and want a filtered view.

Of course there is always a RTFM point of view (I was really impressed with the docs) so that would cover all bases.

JeffWDH added a comment.Oct 14 2023, 12:18 PM

I've updated this to default to no ASCII art as I think it's cleaner, but added an option to show it if you want to see it:

admin@vyos:~$ show ssh ?
Possible completions:
  fingerprints          Show SSH server public key fingerprints


admin@vyos:~$ show ssh fingerprints ?
Possible completions:
  <Enter>               Execute the current command
  ascii                 Show visual ASCII art representation of the public key


admin@vyos:~$ show ssh fingerprints
<output without ascii>

admin@vyos:~$ show ssh fingerprints ascii
<output with ascii>

As for breaking it down to be able to see specific fingerprints, I'm not sure if it's worth the effort as this is only showing the server public keys, not users. There should only be a few on any specific instance of Vyos.

On a side note, I'm new to contributing to Vyos (and open source in general). The getting started documentation is pretty decent and I didn't have too many hurdles after figuring out that vyos-1x gets built as a package. I appreciate the patience I've received with this and the other PR I did recently.

fsbof added a comment.Oct 14 2023, 1:05 PM

@JeffWDH I am happy to download, build and test when you're ready if you point me to the right version(s)/location(s). I'm also very new to this but I managed to Build Equuleus in a docker container which has been working ok. Appreciate your efforts.

JeffWDH mentioned this in T5661: Add show show ssh dynamic-protection attacker and show log ssh dynamic-protection.Oct 16 2023, 8:05 PM
JeffWDH added a comment.Oct 16 2023, 8:07 PM

@fsbof This change was accepted so it should end up in the 1.5 rolling soon. I suspect backporting to 1.4 wouldn't be an issue but that is a question for a more senior dev. But as for 1.3, I am unsure as I have never ran that version and don't know if there are any changes between those releases that would make it a pain to backport.

JeffWDH added a comment.Oct 28 2023, 1:49 PM

This functionality has also been backported to 1.4 so it will be in the next LTS release.

Viacheslav moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.Dec 10 2023, 12:12 AM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.
syncer edited projects, added VyOS 1.3 Equuleus (1.3.6); removed VyOS 1.3 Equuleus.Dec 17 2023, 11:33 PM
c-po closed this task as Resolved.Dec 30 2023, 11:53 AM
c-po removed a project: VyOS 1.3 Equuleus (1.3.6).
c-po added a comment.Dec 30 2023, 12:02 PM

Removing 1.3 backport as it's not trivial. Implementation depends on python3-pyhump (not available and must be self build) and also on vyos.opmode framework which does not exist for 1.3 equuleus