# This file is part of the Perspectives Notary Server
#
# Copyright (C) 2011 Dan Wendlandt
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import re
import sys
import tempfile
import traceback
from subprocess import *

import notary_common
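# note: timeout is accepted but ignored for now (see docstring).
def attempt_observation_for_service(service_id, timeout):
    """Return the SSH host-key fingerprint observed for *service_id*.

    Args:
        service_id: notary service id "host:port,<service-type>"; only the
            "host:port" part before the first comma is used.
        timeout: ignored for now; kept so the signature stays compatible
            with existing callers.

    Returns:
        The fingerprint as printed by ``ssh-keygen -l``: 16 colon-separated
        lowercase hex octets. Only the first key type in ("rsa", "dsa",
        "rsa1") that the server answers with is returned.

    Raises:
        ValueError: *service_id* is not "host:port", or host/port look like
            command-line options rather than a host name and port number.
        Exception: no key type could be fetched and validated.
    """
    dns_and_port = service_id.split(",")[0]
    dns_name, port = dns_and_port.split(":")
    # Both values become argv entries for ssh-keyscan. A leading "-" would be
    # parsed by ssh-keyscan as an option rather than a host name, and the
    # port must be numeric, so reject both up front.
    if not dns_name or dns_name.startswith("-"):
        raise ValueError("invalid host name in service id '%s'" % service_id)
    if not port.isdigit():
        raise ValueError("invalid port in service id '%s'" % service_id)
    # Hoisted out of the loop: MD5 fingerprint format, 16 hex octets.
    # NOTE(review): ssh-keygen releases that print SHA256 fingerprints by
    # default will fail this check; confirm the installed version's output.
    fp_regex = re.compile("^[a-f0-9]{2}(:([a-f0-9]){2}){15}$")
    # mkstemp (not mktemp) creates the file itself with mode 0600, so no
    # other local user can pre-create or replace the path before we write.
    tmp_fd, fname = tempfile.mkstemp(prefix="ssh_scan_")
    os.close(tmp_fd)
    try:
        # One ssh-keyscan run per key type: an unreachable host costs one
        # attempt per type, and a server with several key types only has
        # the first successful one recorded. Tolerated because the number
        # of ssh hosts is small and this scanner is slated for phase-out.
        for key_type in ("rsa", "dsa", "rsa1"):
            fp = _scan_key_type(dns_name, port, key_type, fname, fp_regex)
            if fp is not None:
                return fp
    finally:
        # Remove the temp file on every exit path; previously the success
        # path and any exception left it behind.
        if os.path.exists(fname):
            os.remove(fname)
    raise Exception("all key types failed")


def _scan_key_type(dns_name, port, key_type, fname, fp_regex):
    """Fetch one key type for dns_name:port; return its fingerprint or None.

    Runs ``ssh-keyscan`` with stdout redirected to *fname*, then
    ``ssh-keygen -l -f fname`` to obtain the fingerprint. Every failure is
    reported on stderr and yields None so the caller can try the next type.
    """
    dns_and_port = "%s:%s" % (dns_name, port)
    # Context managers close the /dev/null and output handles that the
    # original code left open for the life of the process.
    with open(os.devnull, "r") as devnull, open(fname, "w") as out:
        p1 = Popen(["ssh-keyscan", "-t", key_type, "-p", port, dns_name],
                   stdin=devnull, stdout=out, stderr=None)
        p1.wait()
    if p1.returncode != 0:
        sys.stderr.write("ERROR: error fetching ssh '%s' key for %s\n"
                         % (key_type, dns_and_port))
        return None
    with open(os.devnull, "r") as devnull:
        # universal_newlines gives str output on both Python 2 and 3.
        p2 = Popen(["ssh-keygen", "-l", "-f", fname],
                   stdin=devnull, stdout=PIPE, stderr=None,
                   universal_newlines=True)
        output = p2.communicate()[0].strip()
    if p2.returncode != 0:
        sys.stderr.write("ERROR: error fetching ssh key of type '%s' for '%s'\n"
                         % (key_type, dns_and_port))
        return None
    # ssh-keygen -l prints "<bits> <fingerprint> <comment> (<type>)"; guard
    # the index so a truncated line cannot raise IndexError.
    parts = output.split()
    if len(parts) < 2 or not fp_regex.match(parts[1]):
        sys.stderr.write("ERROR: invalid fingerprint '%s'\n" % output)
        return None
    return parts[1]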
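if __name__ == "__main__":
    # usage: ssh_scan_openssh.py <service-id> [notary-db-file]
    if len(sys.argv) not in (2, 3):
        sys.stderr.write("ERROR: usage: <service-id> [notary-db-file]\n")
        sys.exit(1)
    service_id = sys.argv[1]
    try:
        # timeout argument is currently ignored by the scanner
        fp = attempt_observation_for_service(service_id, 10)
        if len(sys.argv) == 3:
            notary_common.report_observation(sys.argv[2], service_id, fp)
        else:
            print("INFO: no database specified, not saving observation")
        print("Successful scan complete: '%s' has key '%s' " % (service_id, fp))
    except Exception:
        # Narrowed from a bare except so KeyboardInterrupt / SystemExit still
        # propagate; traceback must be imported at file level for this path.
        print("Error scanning for %s" % service_id)
        traceback.print_exc(file=sys.stdout)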