Query local or remote SSH server for fingerprint and generate SSHFP DNS records
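#!/bin/sh
#
# Scan specified server and output BIND9 formatted SSHFP DNS records
# for all supported algorithms (RSA, DSA, ECDSA, ED25519) with both
# SHA-1 and SHA-2 hashes
#
# A fingerprint learned by scanning a host over the network is only as
# trustworthy as the network path used for the scan.  Before publishing
# the records, compare them with `ssh-keygen -r` run on the host itself
# (against its /etc/ssh/ssh_host_*_key.pub files).
#
### text formatting codes
# tput exits non-zero with nothing on stdout when TERM is unset or
# unknown (cron, pipes); the variables are then empty and the output is
# plain text, so its stderr noise is deliberately discarded.
bold=$(tput bold 2>/dev/null)
cyan=${bold}$(tput setaf 6 2>/dev/null)
err=${bold}$(tput setaf 1 2>/dev/null)
magenta=${bold}$(tput setaf 5 2>/dev/null)
norm=$(tput sgr0 2>/dev/null)
yellow=${bold}$(tput setaf 3 2>/dev/null)
# trap: on HUP, INT, QUIT or ABRT remove the temp file and leave.  The
# handler must exit explicitly -- a trap that only runs 'cleanup' returns
# into the script, which would print "...Exiting now" and then carry on
# with the next scan.  (cleanup is defined further down; a signal that
# arrives before that point still ends the script via the exit.)
trap 'cleanup; exit 1' HUP INT QUIT ABRT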
### functions
# cleanup
cleanup () {
  # Remove the scratch file that holds the scanned host key (harmless if
  # it was never created) and tell the user the script is leaving.  Also
  # used as the signal handler, so it must not assume a scan completed.
  rm -f -- "${TMPFILE}"
  # colour codes are passed as arguments so the format string stays literal
  printf "\n%s...Exiting now%s\n\n" "${yellow}" "${norm}"
}
# script help
scriptHelp () { | |
printf "\n" | |
fmt --width="$( tput cols )" << ENDTEXT | |
This script scans a target system (or local system) and gets the SSH fingerprints of that system based on the 'host key' certificates it presents. It then formats those fingerprints into SSHFP records you can add to your DNS server so that clients can automatically check and confirm those fingerprints | |
ENDTEXT | |
printf "\n${cyan}Usage: ${norm}${bold}%s ${yellow}[options]${norm}\n" "$0" | |
printf "\n${cyan}Options:${norm}\n" | |
printf "With no options, script will query ${magenta}%s${norm} on " \ | |
"$( uname -n )" | |
printf "SSH default ${magenta}port 22${norm}.\n\n" | |
printf "${yellow}-h, --host, --hostname, -a, --address${norm}\n" | |
printf "hostname or IP address of remote machine you want to scan\n\n" | |
printf "${yellow}-p, --port${norm}\n" | |
printf "port on which to connect during scanning - useful if SSH is\n" | |
printf "listening on a non-standard port\n\n" | |
printf "${yellow}-?, --help${norm}\n" | |
printf "display this help screen\n\n" | |
} | |
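### end of functions
### default variables
# key algorithms to query, one per line (consumed by the scan loop below)
protocols="rsa
dsa
ecdsa
ed25519"
port=22
hostname="$( uname -n )"
# scratch file for the scanned host key.  mktemp gives an unpredictable
# name; the file exists from here on, so every exit path must remove it
# (see cleanup).  If mktemp fails, TMPFILE would be empty and the later
# redirection into it would misbehave, so stop right away.
TMPFILE="$( mktemp )" || {
  printf "${err}\nUnable to create a temporary file${norm}\n\n" >&2
  exit 1
}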
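### process start up parameters
while [ $# -gt 0 ]; do
  case "$1" in
    -\?|--help)
      # display help.  The '?' must be escaped: an unescaped '-/?' (or
      # '-?') is a glob, so a literal "-?" argument would never match.
      scriptHelp
      exit 0
      ;;
    -h|--host|--hostname|-a|--address)
      # remote machine to scan; the option needs a value, otherwise an
      # empty hostname would be scanned and the double shift would fail
      if [ -z "$2" ]; then
        printf "${err}\nOption %s requires a hostname or IP address${norm}\n\n" "$1" >&2
        cleanup
        exit 1
      fi
      hostname="$2"
      shift
      ;;
    -p|--port)
      # scan on specified port; accept only a plain decimal number
      case "$2" in
        ''|*[!0-9]*)
          printf "${err}\nOption %s requires a numeric port${norm}\n\n" "$1" >&2
          cleanup
          exit 1
          ;;
      esac
      port="$2"
      shift
      ;;
    *)
      # invalid entry; the temp file already exists, so remove it on
      # the way out instead of leaving it behind
      printf "${err}\nUnknown option: %s\n" "$1" >&2
      printf "${cyan}Use '--help' for valid options.${norm}\n\n" >&2
      cleanup
      exit 1
      ;;
  esac
  shift
done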
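### iterate over protocols and display SSHFP records
printf "\nScanning ${cyan}%s${norm}:\n" "$hostname"
while read -r proto; do
  # ssh-keyscan prints 'host keytype base64key'; ssh-keygen -r -f expects
  # a public-key file ('keytype base64key'), so strip the leading host
  # field.  Doing it in the pipeline avoids the GNU-only 'sed -ri'
  # in-place edit.  ssh-keyscan's stderr is deliberately hidden: a server
  # that does not offer this key type (e.g. DSA on current OpenSSH)
  # yields an empty file and the algorithm is simply skipped.
  ssh-keyscan -t "$proto" -p "$port" "$hostname" 2>/dev/null \
    | sed 's/^[^ ]* //' > "$TMPFILE"
  [ -s "$TMPFILE" ] || continue
  # SSHFP records for this key; the owner name is the scanned hostname
  # as given, so a remote scan should be cross-checked against the
  # host's own keys before the records are published
  sshfp="$( ssh-keygen -r "$hostname" -f "$TMPFILE" )"
  printf "\n${bold}%s\n${norm}" "$sshfp"
done <<EOF
$protocols
EOF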
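### explanatory text
# Field meanings per RFC 4255 (SSHFP), RFC 6594 (SHA-256, ECDSA) and
# RFC 7479 (Ed25519).  Fingerprint type 2 is specifically SHA-256.
printf "\n${cyan}Reference:\n${norm}"
printf "First number is the ${magenta}algorithm type${norm}:\n"
printf "\t%s\t%s\n" 1 RSA 2 DSA 3 ECDSA 4 ED25519
printf "\nSecond number is the ${magenta}hash type${norm}:\n"
printf "\t%s\t%s\n" 1 SHA-1 2 SHA-2
# SHA-1 fingerprints are considered obsolete and DSA host keys are
# disabled by default in current OpenSSH, hence the recommendation.
printf "\n${magenta}Note: Best practices are using either RSA or ED25519 "
printf "and SHA-2 only!${norm}\n"
### cleanup and exit
cleanup
exit 0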