Bug 813398
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [RFE] Add support for enhanced SSHFP DNS records per RFC 6594 | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Dmitri Pal <dpal> |
| Component | ipa | Assignee | Rob Crittenden <rcritten> |
| Status | CLOSED CURRENTRELEASE | QA Contact | IDM QE LIST <seceng-idm-qe-list> |
| Severity | unspecified | Docs Contact | |
| Priority | medium | | |
| Version | 7.0 | CC | jgalipea, mkosek, nsoman, perobins, pspacek |
| Target Milestone | rc | Keywords | FutureFeature |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | ipa-3.2.1-1.el7 | Doc Type | Enhancement |
Doc Text:

Feature: DNS support in Identity Management was extended with support for RFC 6594. This allows users to publish ECDSA keys and SHA-256 hashes in SSHFP records.

Reason: Users were not able to add ECDSA keys and SHA-256 hashes to DNS.
| Field | Value | Field | Value |
|---|---|---|---|
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2014-06-13 13:14:43 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Dmitri Pal
2012-04-17 16:16:20 UTC
fixed upstream master: 86dde3a38e801bb88a7d573a2a37ce7201e29e0f

Verified using ipa-server-3.3.3-11.el7.x86_64

Test automation results:

```text
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_ssh_bug_0004: bz813398 : Add Host with RSA key and verify keys
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

-------------------------------
Added host "host1.testrelm.com"
-------------------------------
  Host name: host1.testrelm.com
  Principal name: host/host1.testrelm.com
  SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWs0agkG3B27cy7E2YkuaYW1LLwMNbKz5XTrDO15gn3aoxdrQuod8IJLsh/IONBI15VhBCtVXOB+ULujH6xUrTS7ZOT7au63YsC2BFS7cyUQ43TTocGEbUIeMf0bxBE/8Y3L2AO+kXxknDS1kE2O3T3A1WlXpZZy47sggrNbZGj18P8m0lYqUE1MjLjlFpSoZMMOEycFm8yCOHahDWvJ7YpnAINJgbT/noDpCH7EyJOCRohsX+pE3VHyLfSZUVO45bKSjMDYoxDaSX+Bo89AnhJObyGhsOjGiRQacaDrtUYF7cvycNfmxWu1J//YeaXJekQzbA6ukoPFiEpTCbW1od
  Password: False
  Keytab: False
  Managed by: host1.testrelm.com
  SSH public key fingerprint: 24:FD:21:D3:EC:B1:2C:05:76:BE:7C:27:4D:66:F7:BA (ssh-rsa)
host1.testrelm.com IN SSHFP 1 1 421864c448dba2d87ef59bbd84899ec04846141d
host1.testrelm.com IN SSHFP 1 2 ea3e24f1ac847206ccff605d15e2dba7b799f89e7417027082aeac2af3e77480
:: [ 15:31:20 ] :: Confirm Host entry has RSA Key FingerPrint listed
  sshpubkeyfp: 24:FD:21:D3:EC:B1:2C:05:76:BE:7C:27:4D:66:F7:BA (ssh-rsa)
:: [ PASS ] :: File '/tmp/tmpout.ipa_ssh_rfe_bz813398' should contain '24:fd:21:d3:ec:b1:2c:05:76:be:7c:27:4d:66:f7:ba'
  idnsname: host1
  arecord: 2.2.2.1
  sshfprecord: 1 1 421864C448DBA2D87EF59BBD84899EC04846141D
  sshfprecord: 1 2 EA3E24F1AC847206CCFF605D15E2DBA7B799F89E7417027082AEAC2AF3E77480
1 2 EA3E24F1AC847206CCFF605D15E2DBA7B799F89E7417027082AEAC2A F3E77480
1 1 421864C448DBA2D87EF59BBD84899EC04846141D
:: [ 15:31:21 ] :: ipa dnsrecord-show for host1 has RSA key with SHA1 fingerprint: 421864c448dba2d87ef59bbd84899ec04846141d
:: [ 15:31:21 ] :: ssh-keygen has RSA key with SHA1 fingerprint: 421864c448dba2d87ef59bbd84899ec04846141d
:: [ 15:31:21 ] :: dig for host1 has for SHA1: 421864c448dba2d87ef59bbd84899ec04846141d
:: [ 15:31:21 ] :: ipa dnsrecord-show for host1 has RSA key with SHA256 fingerprint: ea3e24f1ac847206ccff605d15e2dba7b799f89e7417027082aeac2af3e77480
:: [ 15:31:21 ] :: ssh-keygen has RSA key with SHA256 fingerprint: ea3e24f1ac847206ccff605d15e2dba7b799f89e7417027082aeac2af3e77480
:: [ 15:31:21 ] :: dig for host1 has for SHA256: ea3e24f1ac847206ccff605d15e2dba7b799f89e7417027082aeac2af3e77480
:: [ PASS ] :: RSA key with SHA1 fingerprint: ipa dns and sshpubkey match
:: [ PASS ] :: RSA key with SHA256 fingerprint: ipa dns and sshpubkey match
:: [ PASS ] :: RSA key with SHA1 fingerprint: ipa dns and dig match
:: [ PASS ] :: RSA key with SHA256 fingerprint: ipa dns and dig match

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_ssh_bug_0005: bz813398 : Add Host with DSA key and verify keys
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

-------------------------------
Added host "host2.testrelm.com"
-------------------------------
  Host name: host2.testrelm.com
  Principal name: host/host2.testrelm.com
  SSH public key: ssh-dss
  Password: False
  Keytab: False
  Managed by: host2.testrelm.com
  SSH public key fingerprint: 0E:7A:CC:5C:D9:0F:5C:45:41:17:75:A9:4B:39:61:7C (ssh-dss)
host2.testrelm.com IN SSHFP 2 1 8d58324863dacbc8aceebb4cb5828796f8f9d738
host2.testrelm.com IN SSHFP 2 2 206dcfdc27bbb129057ad8b039554360ddd7230fd45140c442eecc6bd6d91aed
:: [ 15:31:23 ] :: Confirm Host entry has DSA Key FingerPrint listed
  sshpubkeyfp: 0E:7A:CC:5C:D9:0F:5C:45:41:17:75:A9:4B:39:61:7C (ssh-dss)
:: [ PASS ] :: File '/tmp/tmpout.ipa_ssh_rfe_bz813398' should contain '0e:7a:cc:5c:d9:0f:5c:45:41:17:75:a9:4b:39:61:7c'
  idnsname: host2
  arecord: 2.2.2.2
  sshfprecord: 2 2 206DCFDC27BBB129057AD8B039554360DDD7230FD45140C442EECC6BD6D91AED
  sshfprecord: 2 1 8D58324863DACBC8ACEEBB4CB5828796F8F9D738
2 2 206DCFDC27BBB129057AD8B039554360DDD7230FD45140C442EECC6B D6D91AED
2 1 8D58324863DACBC8ACEEBB4CB5828796F8F9D738
:: [ 15:31:25 ] :: ipa dnsrecord-show for host2 has DSA key with SHA1 fingerprint: 8d58324863dacbc8aceebb4cb5828796f8f9d738
:: [ 15:31:25 ] :: ssh-keygen has DSA key with SHA1 fingerprint: 8d58324863dacbc8aceebb4cb5828796f8f9d738
:: [ 15:31:25 ] :: dig for host2 has for SHA1: 8d58324863dacbc8aceebb4cb5828796f8f9d738
:: [ 15:31:25 ] :: ipa dnsrecord-show for host2 has DSA key with SHA256 fingerprint: 206dcfdc27bbb129057ad8b039554360ddd7230fd45140c442eecc6bd6d91aed
:: [ 15:31:25 ] :: ssh-keygen has DSA key with SHA256 fingerprint: 206dcfdc27bbb129057ad8b039554360ddd7230fd45140c442eecc6bd6d91aed
:: [ 15:31:25 ] :: dig for host2 has for SHA256: 206dcfdc27bbb129057ad8b039554360ddd7230fd45140c442eecc6bd6d91aed
:: [ PASS ] :: DSA key with SHA1 fingerprint: ipa dns and sshpubkey match
:: [ PASS ] :: DSA key with SHA256 fingerprint: ipa dns and sshpubkey match
:: [ PASS ] :: DSA key with SHA1 fingerprint: ipa dns and dig match
:: [ PASS ] :: DSA key with SHA256 fingerprint: ipa dns and dig match
---------------------------------
Deleted host "host2.testrelm.com"
---------------------------------

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_ssh_bug_0006: bz813398 : Add Host with ECDSA key and verify keys
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

-------------------------------
Added host "host3.testrelm.com"
-------------------------------
  Host name: host3.testrelm.com
  Principal name: host/host3.testrelm.com
  SSH public key: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI6vGY/PUEnf1h515wjdLPmtvzOmrAViRePYAkTm27RggFFdz3VXguro0a3Gxk1WgFMjpRCUbf4NTANIJDUoeKs=
  Password: False
  Keytab: False
  Managed by: host3.testrelm.com
  SSH public key fingerprint: 61:AF:66:D1:F4:4F:BD:03:3C:3F:71:26:C1:5F:99:35 (ecdsa-sha2-nistp256)
host3.testrelm.com IN SSHFP 3 1 1bbfc98fe1bdc4fa200713d484fcf343f19c8bd6
host3.testrelm.com IN SSHFP 3 2 a62bd5c80bb4f3b3ecc3ca0750ee0de0e919c400c15817ed674cda8d1fa0779c
  idnsname: host3
  arecord: 2.2.2.3
  sshfprecord: 3 1 1BBFC98FE1BDC4FA200713D484FCF343F19C8BD6
  sshfprecord: 3 2 A62BD5C80BB4F3B3ECC3CA0750EE0DE0E919C400C15817ED674CDA8D1FA0779C
3 2 A62BD5C80BB4F3B3ECC3CA0750EE0DE0E919C400C15817ED674CDA8D 1FA0779C
3 1 1BBFC98FE1BDC4FA200713D484FCF343F19C8BD6
:: [ 15:31:28 ] :: Confirm Host entry has ECDSA Key FingerPrint listed
  sshpubkeyfp: 61:AF:66:D1:F4:4F:BD:03:3C:3F:71:26:C1:5F:99:35 (ecdsa-sha2-nistp256)
:: [ PASS ] :: File '/tmp/tmpout.ipa_ssh_rfe_bz813398' should contain '61:af:66:d1:f4:4f:bd:03:3c:3f:71:26:c1:5f:99:35'
:: [ 15:31:29 ] :: ipa dnsrecord-show for host3 has ECDSA key with SHA1 fingerprint: 1bbfc98fe1bdc4fa200713d484fcf343f19c8bd6
:: [ 15:31:29 ] :: ssh-keygen has ECDSA key with SHA1 fingerprint: 1bbfc98fe1bdc4fa200713d484fcf343f19c8bd6
:: [ 15:31:29 ] :: dig for host3 has for SHA1: 1bbfc98fe1bdc4fa200713d484fcf343f19c8bd6
:: [ 15:31:29 ] :: ipa dnsrecord-show for host3 has ECDSA key with SHA256 fingerprint: a62bd5c80bb4f3b3ecc3ca0750ee0de0e919c400c15817ed674cda8d1fa0779c
:: [ 15:31:29 ] :: ssh-keygen has ECDSA key with SHA256 fingerprint: a62bd5c80bb4f3b3ecc3ca0750ee0de0e919c400c15817ed674cda8d1fa0779c
:: [ 15:31:29 ] :: dig for host3 has for SHA256: a62bd5c80bb4f3b3ecc3ca0750ee0de0e919c400c15817ed674cda8d1fa0779c
:: [ PASS ] :: ECDSA key with SHA1 fingerprint: ipa dns and sshpubkey match
:: [ PASS ] :: ECDSA key with SHA256 fingerprint: ipa dns and sshpubkey match
:: [ PASS ] :: ECDSA key with SHA1 fingerprint: ipa dns and dig match
:: [ PASS ] :: ECDSA key with SHA256 fingerprint: ipa dns and dig match
---------------------------------
Deleted host "host3.testrelm.com"
---------------------------------

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_ssh_bug_0007: bz813398 : Modify Host key and verify dig picked up changes
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

----------------------------------
Modified host "host1.testrelm.com"
----------------------------------
  Host name: host1.testrelm.com
  Principal name: host/host1.testrelm.com
  SSH public key: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIfYLyw8LqqfLjwvhUTKWXwhXl5aOBmTaIo538vcidBgWm6/olK814eF9iitn4DvJxzzzezbVqistuSUlyMSV+4=
  Password: False
  Keytab: False
  Managed by: host1.testrelm.com
  SSH public key fingerprint: F8:A5:85:DB:F5:F3:40:3C:43:DF:F8:83:1D:BB:20:B0 (ecdsa-sha2-nistp256)
:: [ 15:59:18 ] :: Confirm Host entry has ECDSA Key FingerPrint listed
  sshpubkeyfp: F8:A5:85:DB:F5:F3:40:3C:43:DF:F8:83:1D:BB:20:B0 (ecdsa-sha2-nistp256)
:: [ PASS ] :: File '/tmp/tmpout.ipa_ssh_rfe_bz813398' should contain 'f8:a5:85:db:f5:f3:40:3c:43:df:f8:83:1d:bb:20:b0'
  idnsname: host1
  arecord: 2.2.2.1
  sshfprecord: 3 1 58740BAA684F9458B6EEC869F421FA8CCB35EC35
  sshfprecord: 3 2 EC3D88882A03D918B82DFDFA3880C768EB0CDEF9D608377EC637E3BD3D83DC6B
3 1 58740BAA684F9458B6EEC869F421FA8CCB35EC35
3 2 EC3D88882A03D918B82DFDFA3880C768EB0CDEF9D608377EC637E3BD 3D83DC6B
:: [ 15:59:21 ] :: ECDSADNSFP_SHA1=58740baa684f9458b6eec869f421fa8ccb35ec35
:: [ 15:59:21 ] :: IPAECDSADNSFP_SHA1=58740baa684f9458b6eec869f421fa8ccb35ec35
:: [ PASS ] :: ECDSA key with SHA1 fingerprint: ipa dns and sshpubkey match
:: [ 15:59:21 ] :: ECDSADNSFP_SHA256=ec3d88882a03d918b82dfdfa3880c768eb0cdef9d608377ec637e3bd3d83dc6b
:: [ 15:59:21 ] :: IPAECDSADNSFP_SHA256=ec3d88882a03d918b82dfdfa3880c768eb0cdef9d608377ec637e3bd3d83dc6b
:: [ PASS ] :: ECDSA key with SHA256 fingerprint: ipa dns and sshpubkey match
:: [ 15:59:21 ] :: DIGECDSAFP_SHA1=58740baa684f9458b6eec869f421fa8ccb35ec35
:: [ 15:59:21 ] :: IPAECDSADNSFP_SHA1=58740baa684f9458b6eec869f421fa8ccb35ec35
:: [ PASS ] :: ECDSA key with SHA1 fingerprint: ipa dns and dig match
:: [ 15:59:21 ] :: DIGECDSAFP_SHA256=ec3d88882a03d918b82dfdfa3880c768eb0cdef9d608377ec637e3bd3d83dc6b
:: [ 15:59:21 ] :: IPAECDSADNSFP_SHA256=ec3d88882a03d918b82dfdfa3880c768eb0cdef9d608377ec637e3bd3d83dc6b
:: [ PASS ] :: ECDSA key with SHA256 fingerprint: ipa dns and dig match
:: [ PASS ] :: RSA key with SHA1 fingerprint: ipa dns and sshpubkey match
:: [ PASS ] :: RSA key with SHA256 fingerprint: ipa dns and sshpubkey match
:: [ PASS ] :: RSA key with SHA1 fingerprint: ipa dns and dig match
:: [ PASS ] :: RSA key with SHA256 fingerprint: ipa dns and dig match

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_ssh_bug_0008: bz813398 : Verify Client Fingerprint in DNS Record
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

  idnsname: cisco-c240m3-01
  arecord: 10.16.70.63
  sshfprecord: 1 1 65CFA24CD2B02529CD53052B15D23EDF69107062
  sshfprecord: 1 2 6D1655C5A25260523CA7B8D585C9789A7C5E63DEE28B2D8520170756 3D1FE198
  sshfprecord: 3 1 FA2093F05548876C6DC9D29A3D974852825F5926
  sshfprecord: 3 2 A909EBFEE207D961459F9CE9D08B626318BA31FA68C464BE5D707D3D 47E09751
3 2 A909EBFEE207D961459F9CE9D08B626318BA31FA68C464BE5D707D3D 47E09751
1 2 6D1655C5A25260523CA7B8D585C9789A7C5E63DEE28B2D8520170756 3D1FE198
3 1 FA2093F05548876C6DC9D29A3D974852825F5926
1 1 65CFA24CD2B02529CD53052B15D23EDF69107062
:: [ 15:31:37 ] :: ipa dnsrecord-show for cisco-c240m3-01 has RSA key with SHA1 fingerprint: 65cfa24cd2b02529cd53052b15d23edf69107062
:: [ 15:31:37 ] :: ipa dnsrecord-show for cisco-c240m3-01 has DSA key with SHA1 fingerprint:
:: [ 15:31:37 ] :: ipa dnsrecord-show for cisco-c240m3-01 has ECDSA key with SHA1 fingerprint: fa2093f05548876c6dc9d29a3d974852825f5926
:: [ 15:31:37 ] :: dig for cisco-c240m3-01 has RSA key with SHA1: 65cfa24cd2b02529cd53052b15d23edf69107062
:: [ 15:31:37 ] :: dig for cisco-c240m3-01 has DSA key with SHA1:
:: [ 15:31:37 ] :: dig for cisco-c240m3-01 has ECDSA key with SHA1: fa2093f05548876c6dc9d29a3d974852825f5926
:: [ 15:31:38 ] :: ipa dnsrecord-show for cisco-c240m3-01 has RSA key with SHA256 fingerprint: 6d1655c5a25260523ca7b8d585c9789a7c5e63dee28b2d8520170756
:: [ 15:31:38 ] :: ipa dnsrecord-show for cisco-c240m3-01 has DSA key with SHA256 fingerprint:
:: [ 15:31:38 ] :: ipa dnsrecord-show for cisco-c240m3-01 has ECDSA key with SHA256 fingerprint: a909ebfee207d961459f9ce9d08b626318ba31fa68c464be5d707d3d
:: [ 15:31:38 ] :: dig for cisco-c240m3-01 has RSA key with SHA256: 6d1655c5a25260523ca7b8d585c9789a7c5e63dee28b2d8520170756
:: [ 15:31:38 ] :: dig for cisco-c240m3-01 has DSA key with SHA1:
:: [ 15:31:38 ] :: dig for cisco-c240m3-01 has ECDSA key with SHA1: fa2093f05548876c6dc9d29a3d974852825f5926
:: [ PASS ] :: RSA key with SHA1 fingerprint: ipa dns and dig match
:: [ PASS ] :: DSA key with SHA1 fingerprint: ipa dns and dig match
:: [ PASS ] :: ECDSA key with SHA1 fingerprint: ipa dns and dig match
:: [ PASS ] :: RSA key with SHA256 fingerprint: ipa dns and dig match
:: [ PASS ] :: DSA key with SHA256 fingerprint: ipa dns and dig match
:: [ PASS ] :: ECDSA key with SHA256 fingerprint: ipa dns and dig match
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
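The check the test log performs by hand (ssh-keygen -r fingerprints against the SSHFP rdata that ipa dnsrecord-show and dig return) can be reproduced offline. The following is an added example, not code from this bug or from FreeIPA: it derives RFC 4255 / RFC 6594 SSHFP records from the ssh-rsa and ecdsa-sha2-nistp256 keys quoted in the log above and compares them with DNS rdata, normalising the space that dig inserts into long SHA-256 digests. Hostnames, keys and digests are copied from the log; the function names are my own.

```python
import base64
import hashlib
import struct

# Algorithm numbers from RFC 4255 (1 RSA, 2 DSA) and RFC 6594 (3 ECDSA);
# fingerprint types 1 = SHA-1 (RFC 4255) and 2 = SHA-256 (RFC 6594).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}

# Sample input copied from the bug's test log: host1's RSA key, host3's ECDSA
# key, and the two rdata strings dig returned for host1.
RSA_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWs0agkG3B27cy7E2YkuaYW1LLwMNbKz5XTrDO15gn3aoxdrQuod8IJLsh/IONBI15VhBCtVXOB+ULujH6xUrTS7ZOT7au63YsC2BFS7cyUQ43TTocGEbUIeMf0bxBE/8Y3L2AO+kXxknDS1kE2O3T3A1WlXpZZy47sggrNbZGj18P8m0lYqUE1MjLjlFpSoZMMOEycFm8yCOHahDWvJ7YpnAINJgbT/noDpCH7EyJOCRohsX+pE3VHyLfSZUVO45bKSjMDYoxDaSX+Bo89AnhJObyGhsOjGiRQacaDrtUYF7cvycNfmxWu1J//YeaXJekQzbA6ukoPFiEpTCbW1od"
ECDSA_KEY = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI6vGY/PUEnf1h515wjdLPmtvzOmrAViRePYAkTm27RggFFdz3VXguro0a3Gxk1WgFMjpRCUbf4NTANIJDUoeKs="
DIG_HOST1 = ["1 2 EA3E24F1AC847206CCFF605D15E2DBA7B799F89E7417027082AEAC2A F3E77480",
             "1 1 421864C448DBA2D87EF59BBD84899EC04846141D"]


def decode_key_blob(pubkey_line):
    """Decode an OpenSSH public-key line into its RFC 4253 wire blob and
    check that the type string inside the blob matches the declared type."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode("ascii"):
        raise ValueError(f"blob type does not match declared {keytype!r}")
    return keytype, blob


def sshfp_records(hostname, pubkey_line):
    """SSHFP rdata as (owner, algorithm, fptype, hex digest) tuples, the
    values `ssh-keygen -r hostname` prints: each hash is over the raw blob."""
    keytype, blob = decode_key_blob(pubkey_line)
    alg = SSHFP_ALGORITHM[keytype]
    return [(hostname, alg, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_FPTYPE.items())]


def dns_matches_key(dig_rdata, pubkey_line):
    """True only if DNS carries every fingerprint derived from the key.
    dig wraps long digests with a space and IPA stores them upper-case, so
    the rdata is normalised before comparison (the log's test did not)."""
    want = {(a, t, d) for _, a, t, d in sshfp_records("", pubkey_line)}
    got = set()
    for rdata in dig_rdata:
        alg, fptype, digest = rdata.split(None, 2)
        got.add((int(alg), int(fptype), digest.replace(" ", "").lower()))
    return want <= got


if __name__ == "__main__":
    for owner, alg, fpt, digest in sshfp_records("host1.testrelm.com", RSA_KEY):
        print(f"{owner} IN SSHFP {alg} {fpt} {digest}")
    print("host1 DNS matches key:", dns_matches_key(DIG_HOST1, RSA_KEY))
```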