Bug 2821 - ssh-keyscan cannot generate SSHFP fingerprints
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keyscan
Version: 7.6p1
Hardware: All Linux
Importance: P5 enhancement
Assignee: Damien Miller
Blocks: V_7_7
Reported: 2018-01-19 00:45 AEDT by Ulrich M. Schwarz
Modified: 2021-04-23 14:53 AEST
Attachments
Add ssh-keyscan -D flag for output in SSHFP format (3.24 KB, patch)
2018-02-23 13:55 AEDT, Damien Miller
dtucker: ok+

Description Ulrich M. Schwarz 2018-01-19 00:45:22 AEDT
It seems kind of odd that ssh-keyscan does not offer an equivalent to ssh-keygen's -r to easily generate SSHFP fingerprints for more than one host, without logging into each host. 
All the information needed is already fetched (i.e. the public keys) or known (i.e. the hostname), but as is, you'd have to generate the known_hosts output and then parse it again and hash it yourself or create temporary files for each line, as you can't pipe into ssh-keygen.

I realize that this mass-generation pretty much only occurs when you initially commit to deploying SSHFP, but all the code is already there…
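
The manual workaround described in this report (parse the known_hosts-format output, then hash each key blob yourself) looks roughly like the following. This is an added example, not part of the bug report and not OpenSSH code; it predates the need for the `-D` flag introduced by this bug. The sample key is constructed, the SSHFP algorithm and fingerprint-type numbers are those assigned in RFC 4255, RFC 6594 and RFC 7479, and using the first name of a comma-separated host list as the record owner is an assumption.

```python
import base64, hashlib, struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
              "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
              "ecdsa-sha2-nistp521": 3}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def blob_key_type(blob):
    """Return the key type string embedded at the start of an SSH key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("bad length prefix in key blob")
    return blob[4:4 + n].decode("ascii")

def sshfp_records(known_hosts_text):
    """Convert known_hosts-format lines into SSHFP resource records."""
    records = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, hashed hostnames (|1|...) and @markers:
        # a hashed name cannot be turned back into a DNS owner name.
        if len(fields) < 3 or fields[0].startswith(("#", "|", "@")):
            continue
        hosts, key_type, b64 = fields[:3]
        algo = SSHFP_ALGO.get(key_type)
        if algo is None:
            continue  # key type without an SSHFP algorithm number
        blob = base64.b64decode(b64, validate=True)
        # The declared type must match the type inside the blob; a mismatch
        # means the line is corrupt and must not be published to DNS.
        if blob_key_type(blob) != key_type:
            raise ValueError(f"key type mismatch for {hosts}")
        host = hosts.split(",")[0]  # assumption: first name is the DNS owner
        for fp_type, h in SSHFP_HASH.items():
            records.append(f"{host} IN SSHFP {algo} {fp_type} {h(blob).hexdigest()}")
    return records

def _constructed_line(hosts):
    # Constructed Ed25519 blob (key bytes 0..31), not a real host key.
    blob = (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + bytes(range(32)))
    return f"{hosts} ssh-ed25519 {base64.b64encode(blob).decode()}\n"

SAMPLE = ("# constructed sample, not real scan output\n" +
          _constructed_line("host1.example.org") +
          _constructed_line("host2.example.org,192.0.2.10"))

if __name__ == "__main__":
    print("\n".join(sshfp_records(SAMPLE)))
```

Keys gathered over an unauthenticated network scan should be compared against a trusted copy before the resulting records are published in DNS.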
Comment 1 Damien Miller 2018-02-23 13:55:26 AEDT
Created attachment 3127
Add ssh-keyscan -D flag for output in SSHFP format

Good idea, this is trivial to implement. Here's a patch.
Comment 2 Damien Miller 2018-02-23 16:09:17 AEDT
That's applied and will be in OpenSSH 7.7 - thanks!
Comment 3 Damien Miller 2021-04-23 14:53:11 AEST
closing resolved bugs as of 8.6p1 release