Bug#738494: hash-slinger: sshfp doesn't support ECDSA host keys or SHA-2 fingerprints (RFC6594)

[Gerald Turner]

Package: hash-slinger
Version: 2.5-1
Severity: wishlist

Dear Maintainer,

I got scanning to work, but it only supports the original RFC4255 spec
(RSA/DSS host keys and SHA-1 fingerprint).  It would be nice to see
RFC6594 support (ECDSA host keys and SHA-256 fingerprint).

Scanning output:

$ sshfp -s shoggoth.unzane.com
WARNING: Ignoring -k option, -s was passwd
# shoggoth.unzane.com SSH-2.0-OpenSSH_6.0p1
no hostkey alg
# shoggoth.unzane.com SSH-2.0-OpenSSH_6.0p1

shoggoth.unzane.com IN SSHFP 1 1 B4764630D756121FA89ED77AC7839D52BB0A286D

Records actually in use:

$ dig +short shoggoth.unzane.com sshfp
3 1 5096C6AF697F88370307969072EC4F7AD1D11EB9
3 2 9B153FCD1938A2C67FF8B0A5C99B8B6895C457025E23BE9A454B9F2E 953CA3A6
1 1 B4764630D756121FA89ED77AC7839D52BB0A286D
1 2 8D633E9CD3A54F2397B5D404E33A98230C2A740BD1D32DC4BD1E0AE8 52C4F836

The option to parse a known_hosts file fails when it encounters
ecdsa-sha2-nistp521 type entries:

$ sshfp -k ~/.ssh/known_hosts -a
Traceback (most recent call last):
  File "/usr/bin/sshfp", line 374, in <module>
    main()
  File "/usr/bin/sshfp", line 359, in main
    data = sshfp_from_file(khfile, args)
  File "/usr/bin/sshfp", line 127, in sshfp_from_file
    fingerprints.append(process_records(data, wantedHosts))
  File "/usr/bin/sshfp", line 169, in process_records
    if not check_keytype(keytype):
  File "/usr/bin/sshfp", line 136, in check_keytype
    print >> sys.stderr, "Could only find key type %s for %s" % (keytype, 
hostname)
NameError: global name 'hostname' is not defined

And how about those Ed25519 host keys introduced in OpenSSH 6.5 ;-)

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages hash-slinger depends on:
ii  libpython2.7-stdlib [python-argparse]  2.7.6-5
ii  openssh-client                         1:6.4p1-2
ii  python                                 2.7.5-5
ii  python-dnspython                       1.11.1-1
ii  python-gnupg                           0.3.5-2
ii  python-ipaddr                          2.1.10-1
ii  python-m2crypto                        0.21.1-3
ii  python-unbound                         1.4.21-1

hash-slinger recommends no packages.

hash-slinger suggests no packages.

-- no debconf information

-- 
Gerald Turner                                Encrypted mail preferred!
0xEC942276FDB8716D  CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D

pgprXMobpIZkV.pgp
Description: PGP signature