
List the fingerprints of instances
Closed, Declined (Public)

Description

Please list the fingerprint(s) of the server.

cd /etc/ssh
ssh-keygen -lf ssh_host_rsa_key.pub

or the like.

See http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/56378


Version: unspecified
Severity: normal

Details

Reference
bz32163
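The request above boils down to two mechanisms: what `ssh-keygen -l` actually prints (a hash over the base64-decoded public key blob) and how that same hash can be published in a form clients verify automatically (an SSHFP record, as one of the later comments suggests). The following is an added example, not code from the task, Wikimedia Labs or OpenSSH; it reproduces the fingerprint and SSHFP computations in pure Python over two constructed sample keys (an arbitrary 32-byte value standing in for an Ed25519 public key and an arbitrary 2048-bit odd integer standing in for an RSA modulus; neither is a real key), so it runs without `ssh-keygen`. Hostnames, comments and the `SAMPLE_*` names are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_SHA1, SSHFP_SHA256 = 1, 2  # SSHFP fingerprint-type numbers


def _read_string(blob, off):
    """Read one SSH wire 'string' (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def _put_string(b):
    return struct.pack(">I", len(b)) + b


def parse_pubkey_line(line):
    """Split an OpenSSH *.pub line into (key type, decoded blob, comment)."""
    parts = line.split(None, 2)
    ktype, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) > 2 else ""
    blob = base64.b64decode(b64)
    wire_type, _ = _read_string(blob, 0)
    if wire_type.decode() != ktype:
        raise ValueError("type prefix %r does not match blob %r" % (ktype, wire_type))
    return ktype, blob, comment


def key_bits(ktype, blob):
    if ktype == "ssh-ed25519":
        return 256
    if ktype.startswith("ecdsa-sha2-nistp"):
        return int(ktype[len("ecdsa-sha2-nistp"):])
    if ktype == "ssh-rsa":
        _, off = _read_string(blob, 0)    # key type
        _, off = _read_string(blob, off)  # public exponent e
        n, _ = _read_string(blob, off)    # modulus n as mpint (may carry a leading 0x00)
        return int.from_bytes(n, "big").bit_length()
    raise ValueError("unsupported key type %s" % ktype)


def fingerprint_sha256(blob):
    # ssh-keygen's default: SHA-256 of the blob, base64 with padding stripped.
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob):
    # Legacy form (ssh-keygen -E md5): colon-separated hex of the MD5 digest.
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def fingerprint_line(line):
    """Same shape as `ssh-keygen -lf file.pub`: '<bits> <fp> <comment> (<TYPE>)'."""
    ktype, blob, comment = parse_pubkey_line(line)
    short = {"ssh-rsa": "RSA", "ssh-dss": "DSA", "ssh-ed25519": "ED25519"}.get(ktype, "ECDSA")
    return "%d %s %s (%s)" % (key_bits(ktype, blob), fingerprint_sha256(blob),
                              comment or "no comment", short)


def sshfp_record(hostname, line, fptype=SSHFP_SHA256):
    """Zone-file SSHFP record for a key, like `ssh-keygen -r hostname` produces."""
    ktype, blob, _ = parse_pubkey_line(line)
    h = hashlib.sha256 if fptype == SSHFP_SHA256 else hashlib.sha1
    return "%s IN SSHFP %d %d %s" % (hostname, SSHFP_ALGORITHM[ktype], fptype, h(blob).hexdigest())


def fingerprint_from_sshfp(record):
    """Re-encode a type-2 SSHFP digest as the SHA256:... string ssh prints on connect."""
    fields = record.split()
    i = fields.index("SSHFP")
    if int(fields[i + 2]) != SSHFP_SHA256:
        raise ValueError("only SHA-256 (type 2) records map onto a SHA256: fingerprint")
    digest = bytes.fromhex("".join(fields[i + 3:]))
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_sshfp(line, record):
    """Client-side check a la VerifyHostKeyDNS (without the DNSSEC validation OpenSSH
    also requires): does the key a host presents match the published record?"""
    ktype, blob, _ = parse_pubkey_line(line)
    fields = record.split()
    i = fields.index("SSHFP")
    alg, fptype = int(fields[i + 1]), int(fields[i + 2])
    published = "".join(fields[i + 3:]).lower()
    if SSHFP_ALGORITHM.get(ktype) != alg:
        return False
    h = hashlib.sha256 if fptype == SSHFP_SHA256 else hashlib.sha1
    return hmac.compare_digest(h(blob).hexdigest(), published)


def _constructed_ed25519_pub(comment):
    # Constructed sample: 32 arbitrary bytes in place of a real Ed25519 public key.
    blob = _put_string(b"ssh-ed25519") + _put_string(bytes(range(32)))
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def _constructed_rsa_pub(comment):
    # Constructed sample: e=65537 and an arbitrary 2048-bit odd integer as "modulus".
    n_bytes = ((1 << 2047) | 0x1234567).to_bytes(256, "big")
    if n_bytes[0] & 0x80:
        n_bytes = b"\x00" + n_bytes  # mpint rule: leading zero keeps the value positive
    blob = _put_string(b"ssh-rsa") + _put_string(b"\x01\x00\x01") + _put_string(n_bytes)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


SAMPLE_ED25519 = _constructed_ed25519_pub("root@instance-123")
SAMPLE_RSA = _constructed_rsa_pub("root@instance-123")

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_RSA):
        print(fingerprint_line(sample))
        print(fingerprint_md5(parse_pubkey_line(sample)[1]))
        print(sshfp_record("instance-123.example", sample))
```

Run against a real `/etc/ssh/ssh_host_*_key.pub` line the output matches `ssh-keygen -lf` and `ssh-keygen -r`. The point of `matches_sshfp` is the contrast the thread draws: a fingerprint pasted on a wiki page only helps a user who reads it, while an SSHFP record (in a DNSSEC-signed zone) lets every client with `VerifyHostKeyDNS yes` check the key automatically, which is what makes the dynamically regenerated keys of short-lived instances workable.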

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 11:58 PM
bzimport set Reference to bz32163.

The fingerprints of the instances are dynamic (would change on each recreation).
Extension:OpenStackManager can show them in the 'get output', but you can't view that page unless you are admin.

I'll try to think of some way of listing this info. There are definitely some dirty, hackish ways of doing this. I may just put a cron on one system that pulls the keys and adds them to the instance's wiki page.

I may also be able to do this via OpenStackManager, by adding a job to the job queue that tries to ssh to the host, pulling the key and then updating the wiki page with the fingerprint.

(In reply to comment #1)

The fingerprints of the instances are dynamic (would change on each
recreation).

I understand.

Perhaps a solution, and increasing security: each newly created instance must get a new name, or serial number, or hash?

(In reply to comment #4)

(In reply to comment #1)

The fingerprints of the instances are dynamic (would change on each
recreation).

I understand.

Perhaps a solution, and increasing security: each newly created instance must
get a new name, or serial number, or hash?

It does. Every new one has a unique instance name, and is a newly installed OS, so also has a new ssh key.

That is what *causes* the problem, though. It's not a solution. I listed a solution above.

Thehelpfulonewiki wrote:

Moving out of the Wikimedia product into the already existing Wikimedia Labs product, I'm going to remove the Labs component from the Wikimedia product.

damian wrote:

Now we have salt running on most of the instances we could write a module for grabbing this data (possibly after the api is done).

I'd really like to push SSHFP records into DNS, apparently the current PDNS ldap schema can't handle that though :(

I'd like salt to fire an event when the instance is finished building. It could include the fingerprint along with the event message.

Is this really high priority (as it's been since November 2011), or shall this be decreased to low or normal priority?

Krenair renamed this task from "Please list the fingerprint(s) of the server" to "List the fingerprints of instances". Oct 13 2015, 1:12 AM
Krenair set Security to None.
bd808 subscribed.

Better suited as a feature request upstream to Horizon (but unlikely to be implemented there either). We do have https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints for shared bastion host fingerprints.