Page MenuHomeFreeBSD
Differential D52159

rc.d/sshd: Add "showfp" cmd to display host key fingerprint
AcceptedPublic
Actions

Authored by lwhsu on Aug 26 2025, 4:24 AM.
Tags
None
Referenced Files
Unknown Object (File)
Nov 22 2025, 9:14 AM
Unknown Object (File)
Nov 16 2025, 4:57 PM
Unknown Object (File)
Nov 13 2025, 12:45 AM
Unknown Object (File)
Nov 8 2025, 12:45 AM
Unknown Object (File)
Nov 6 2025, 3:20 AM
Unknown Object (File)
Nov 1 2025, 8:05 PM
Unknown Object (File)
Nov 1 2025, 5:00 PM
Unknown Object (File)
Oct 28 2025, 2:41 PM
View All 38 Files
Subscribers
imp
jlduran

Details

Reviewers
cperciva
emaste
delphij
jlduran
Summary
rc.d/sshd: Add "showfp" cmd to display host key fingerprint

It's customized in many cloud images and it's good to have this in base to be
used more widely.

MFC:		1 week
Sponsored by:	The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 66529
Build 63412: arc lint + arc unit

Event Timeline

lwhsu created this revision.Aug 26 2025, 4:24 AM
Herald added a subscriber: imp. · View Herald TranscriptAug 26 2025, 4:24 AM
lwhsu requested review of this revision.Aug 26 2025, 4:24 AM
Harbormaster completed remote builds in B66529: Diff 160980.Aug 26 2025, 4:24 AM
lwhsu added a comment.Aug 26 2025, 4:26 AM

I'm cleaning up small local changes when sorting my git workspace. This patch may need to be improved, but need to get it out my private tree first.

lwhsu added reviewers: cperciva, emaste, delphij.Aug 26 2025, 4:27 AM
jlduran added a subscriber: jlduran.Aug 29 2025, 1:20 AM
emaste added a comment.Sep 2 2025, 2:55 PM

Do you know if there's some canonical reference for emitting the fingerprints to the system console on startup? Searching for -----BEGIN SSH HOST KEY FINGERPRINTS----- turns up lots of examples, but if there is some canonical reference it would be good to include here.

libexec/rc/rc.d/sshd
77–84

I'm not sure this check adds much value; trying to specify an algorithm that doesn't yet exist would be a bug in sshd_showfp, and falling through to the warn below is fine in that case I'd say

lwhsu updated this revision to Diff 161615.Sep 5 2025, 7:12 PM

Remove unnecessary checks.

Harbormaster completed remote builds in B66850: Diff 161615.Sep 5 2025, 7:12 PM
lwhsu marked an inline comment as done.Sep 5 2025, 7:13 PM
In D52159#1194978, @emaste wrote:

Do you know if there's some canonical reference for emitting the fingerprints to the system console on startup? Searching for -----BEGIN SSH HOST KEY FINGERPRINTS----- turns up lots of examples, but if there is some canonical reference it would be good to include here.

It's learnt from @cperciva 's ec2 scripts https://github.com/cperciva/ec2-scripts/blob/master/ec2_loghostkey . I skipped the ###... lines but the -----BEGIN... part looks good. The ec2: prefix cloud be useful for certain automation in the clouds. We can have an extension of this work for customizing the format (and even expend to other scripts... that's too far for now.)

emaste accepted this revision.Sep 5 2025, 7:28 PM
emaste added inline comments.
libexec/rc/rc.d/sshd
78

I think it would be fine if we didn't capitalize the key here to simplify a bit more, but doesn't matter much either way.

83

if we want to be pedantic

This revision is now accepted and ready to land.Sep 5 2025, 7:28 PM
emaste added a comment.Sep 5 2025, 7:28 PM

Agree wrt. the BEGIN SSH HOST KEY FINGERPRINTS and #####... lines. Happy to get this in and iterate after we see what people think.

jlduran added a comment.Sep 5 2025, 8:17 PM

I wonder if we should also check for presence of the public key.

libexec/rc/rc.d/sshd
77
emaste added inline comments.Sep 5 2025, 8:19 PM
libexec/rc/rc.d/sshd
77

Presumably || not &&?

Of if ! [ -f ${keyfile}" -a -f "${keyfile}.pub ]

lwhsu updated this revision to Diff 161622.Sep 5 2025, 8:43 PM

check public key file

This revision now requires review to proceed.Sep 5 2025, 8:43 PM
Harbormaster completed remote builds in B66857: Diff 161622.Sep 5 2025, 8:43 PM
lwhsu added a comment.Sep 5 2025, 8:43 PM
In D52159#1196628, @jlduran wrote:

I wonder if we should also check for presence of the public key.

This is a good point, indeed its output is fingerprint of the public key so perhaps it's better to just check for the public key file. That's what ec2-script does.

I was thinking that checking the private can make sure the key pair is complete, as from the man page ssh-keygen will find the matching public key file.

libexec/rc/rc.d/sshd
78

I'll leave this for now as it's aligning with sshd_keygen_alg(), and maybe update both places in another commit

83

Will update along with sshd_keygen_alg() in another commit.

jlduran accepted this revision.Sep 5 2025, 9:39 PM

This will be displayed on every dmesg -a by default, just like the AWS images. Is this the desired behavior?

This revision is now accepted and ready to land.Sep 5 2025, 9:39 PM
jlduran added inline comments.Sep 5 2025, 9:49 PM
libexec/rc/rc.d/sshd
77

Yes, you are correct. Checking the presence of both files.
Now it's only checking for a pubkey.

emaste accepted this revision.Sep 5 2025, 9:56 PM
jlduran added a comment.Sep 6 2025, 3:50 AM
In D52159#1194978, @emaste wrote:

Do you know if there's some canonical reference for emitting the fingerprints to the system console on startup? Searching for -----BEGIN SSH HOST KEY FINGERPRINTS----- turns up lots of examples, but if there is some canonical reference it would be good to include here.

https://docs.aws.amazon.com/en_us/AWSEC2/latest/UserGuide/connection-prereqs-general.html

This is AWS-specific, that's why I thought it was going to be an optional thing (maybe under a checkyesno rc variable).

Revision Contents
Changeset List

PathSize
libexec/
rc/
rc.d/
44 lines

Diff 160980

View Options

libexec/rc/rc.d/sshd

Loading...