5 from __future__
import print_function
13 from unbound
import ub_ctx
, ub_strerror
17 from unbound
import RR_TYPE_SSHFP
class HostKeyMatchSSHFP(BaseException):
    """Signal raised by HostKeyLookup.missing_host_key when an SSHFP record matches the presented host key.

    Used as a control-flow signal out of paramiko's connect(); the script
    catches it at the top level. It derives from BaseException rather than
    Exception, so a generic ``except Exception`` between the policy and the
    caller cannot swallow it -- presumably intentional, confirm before changing.
    """
class HostKeyMismatchSSHFP(BaseException):
    """Signal raised by HostKeyLookup.missing_host_key when no SSHFP record matches the presented host key.

    Counterpart of HostKeyMatchSSHFP; same BaseException-based control-flow
    convention, caught by the script's top-level handler.
    """
class HostKeyLookup(paramiko.client.MissingHostKeyPolicy):
    """paramiko host-key policy that checks an unknown server key against DNS SSHFP records.

    NOTE(review): this page is a partial rendering of the file -- several
    original lines (per the gutter numbers: 32, 41, 43-47, 49-50, 52-56, 58,
    60, 62, 66, 70, 74, 78) are not shown. Comments below only describe the
    statements that are visible and flag where the missing lines matter.
    """

    def __init__(self, args):
        """Build the policy with an unbound resolver loaded with the DNSSEC trust anchor from args.ancor.

        Args:
            args: parsed command-line namespace; only args.ancor (path of the
                DNSSEC trust-anchor file, see the -a option) is read here.
        """
        # original line 32 is not rendered on this page
        self._resolver = ub_ctx()
        # Load the DNSSEC trust anchor. Loading an anchor alone does not make
        # unbound refuse insecure answers; each result's validation status
        # still has to be inspected where it is used (see missing_host_key).
        self._resolver.add_ta_file(args.ancor)

    def missing_host_key(self, client, hostname, key):
        """Compare the server's host key with the SSHFP records published for hostname.

        paramiko calls this when the presented key is not in the client's host
        key store. On the visible code paths it never returns normally: it
        raises HostKeyMatchSSHFP as soon as one record matches, and
        HostKeyMismatchSSHFP after all records were tried. What happens when
        no record is returned at all is on lines not rendered here.

        Args:
            client: the paramiko SSHClient (unused in the visible code).
            hostname: name paramiko associates with the server; used verbatim
                as the DNS query name, so it must be a DNS name, not an IP
                literal (and not paramiko's "[host]:port" form).
            key: paramiko PKey presented by the server.

        Raises:
            HostKeyMatchSSHFP: an SSHFP record matches the presented key.
            HostKeyMismatchSSHFP: no record matched.
        """
        # Wire-format public key blob, which is what SSHFP fingerprints cover.
        actualhostkey = key.asbytes()
        actualkeytype = key.get_name()
        hexencoder = codecs.getencoder('hex')
        # original line 41 is not rendered
        # unbound returns (status, result); ub_strerror (imported above) is
        # presumably used for a non-zero status on the lines not shown.
        s, r = self._resolver.resolve(hostname, RR_TYPE_SSHFP)
        # original lines 43-47 are not rendered. Whatever they check, the
        # answer must be required to be DNSSEC-validated (r.secure) before it
        # is trusted -- an unvalidated SSHFP RRset hands an attacker on the
        # DNS path the same power as one on the SSH path. TODO confirm.
        logging.error("No SSHFP record returned")
        # original lines 49-50 are not rendered
        for record in r.data.data:
            # original lines 52-56 are not rendered; keytype, data and the
            # hash-type test selecting one of the two digests below must be
            # set there. SSHFP hash type 1 = SHA-1, 2 = SHA-256 (RFC 4255 /
            # RFC 6594). Make sure the unsupported-hash-type path skips the
            # record instead of comparing a stale actualhash. TODO confirm.
            actualhash = hashlib.sha1(actualhostkey).digest()
            actualhash = hashlib.sha256(actualhostkey).digest()
            # logging.warn is the deprecated alias of logging.warning.
            logging.warn("Only hashtypes 1 and 2 supported")
            # SSHFP algorithm numbers: 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519
            # (RFC 4255, RFC 6594, RFC 7479). The key-type string must agree
            # with the algorithm number before the digest is compared.
            if keytype == 1 and actualkeytype == 'ssh-rsa':
                if data == actualhash:
                    raise HostKeyMatchSSHFP
            elif keytype == 2 and actualkeytype == 'ssh-dss':
                if data == actualhash:
                    raise HostKeyMatchSSHFP
            # NOTE(review): paramiko reports ECDSA keys as
            # 'ecdsa-sha2-nistp256' / '-nistp384' / '-nistp521', never
            # 'ssh-ecdsa' -- confirm against the paramiko version in use. If
            # so, algorithm-3 records can never match and an ECDSA-only host is
            # always reported as a mismatch; a test such as
            # actualkeytype.startswith('ecdsa-sha2-') would fix that.
            elif keytype == 3 and actualkeytype == 'ssh-ecdsa':
                if data == actualhash:
                    raise HostKeyMatchSSHFP
            elif keytype == 4 and actualkeytype == 'ssh-ed25519':
                if data == actualhash:
                    raise HostKeyMatchSSHFP
        # Reached only when no record produced a match.
        logging.error("No matching SSHFP record found")
        raise HostKeyMismatchSSHFP
def init_connection(args):
    """Create the paramiko SSHClient used by the check, with HostKeyLookup as its missing-host-key policy.

    The caller assigns the result, so the function returns the client; that
    return statement is on lines not rendered on this page (86-90).

    Args:
        args: parsed command-line namespace, passed through to HostKeyLookup
            (which reads args.ancor).
    """
    connection = paramiko.client.SSHClient()
    # No host-key store is loaded on the visible lines, so every server key is
    # "missing" and the SSHFP policy runs on each connect. Keep it that way:
    # load_system_host_keys()/load_host_keys() would let a key already present
    # in known_hosts bypass the DANE check entirely.
    connection.set_missing_host_key_policy(HostKeyLookup(args))
# Script body: parse options, build the client and run one connect() whose
# outcome is signalled by the HostKeyLookup exceptions. Line 90 of the
# original, just above, is not rendered -- this run is most likely the body
# of the main() entry point called from the __main__ guard; confirm.
logging.basicConfig(format='%(levelname)5s %(message)s')
parser = argparse.ArgumentParser()
parser.add_argument("Host")
# original line 94 is not rendered
parser.add_argument("--verbose", action="store_true")
parser.add_argument("--quiet", action="store_true")
parser.add_argument("-p", "--port",
                    action="store", type=int, default=22,
                    # original lines 99-100 (the rest of this call) are not
                    # rendered
parser.add_argument("-a", "--ancor",
                    action="store", type=str, default="/etc/unbound/root.key",
                    help="DNSSEC root ancor")
# original line 104 is not rendered
group = parser.add_mutually_exclusive_group()
group.add_argument("-6", "--6", action="store_true", help="check via IPv6 only")
group.add_argument("-4", "--4", action="store_true", help="check via IPv4 only")
# NOTE(review): store_false gives the '64' attribute a default of True and
# sets it to False when --64 is passed -- the inverse of what the help text
# suggests. None of -4/-6/--64 is read on the visible lines; connect() below
# receives only the hostname.
group.add_argument("--64", action="store_false", help="check via IPv4 and IPv6 (default)")
# original line 109 is not rendered
args = parser.parse_args()
# original lines 111-112, 114 and 116 (the conditions selecting one of the
# three log levels, presumably on --verbose / --quiet) are not rendered.
logging.getLogger().setLevel(logging.DEBUG)
logging.getLogger().setLevel(logging.WARNING)
logging.getLogger().setLevel(logging.INFO)
# original line 118 is not rendered
connection = init_connection(args)
# original lines 120-121 (including the try: for the handlers below) are not
# rendered.
# NOTE(review): args.port (-p) is parsed but never passed here, so a host on a
# non-default port is always checked on 22; paramiko takes it as
# connection.connect(args.Host, port=args.port). Be aware that paramiko then
# hands the policy "[host]:port" as hostname (its known_hosts convention),
# so missing_host_key would have to strip that form before the DNS lookup --
# confirm against the paramiko version in use. The policy raises before
# authentication, so no credentials are needed for the check.
connection.connect(args.Host)
except HostKeyMatchSSHFP:
    # original line 124 (handler body) is not rendered
except HostKeyMismatchSSHFP:
    # original lines 126-128 are not rendered. Any other failure of connect()
    # (name resolution, socket, paramiko/SSH errors) is not handled on the
    # visible lines; a monitoring plugin should map those to a defined exit
    # status rather than a traceback -- confirm what 126-128 do.
129 if __name__
== '__main__':