ssh: Add host fingerprint matching

Added fingerprint matching to host functionality replacing the old matching on ip with nc idea. Functions essentially the same, only that now if another host randomly/or targeted replaces the original checking target you will still not try to be connected since the ssh fingerprint will not match. Should make it a teensy bit more secure.
2022-03-08 09:26:24 +01:00 · 2022-03-08 09:26:24 +01:00 · 645248e83a
parent a49e49bbd4
commit 645248e83a
3 changed files with 28 additions and 7 deletions
--- a/ssh/.ssh/conf/config.ssh
+++ b/ssh/.ssh/conf/config.ssh
@ -1,5 +0,0 @@
-# Send a keepalive package every 15 seconds without data
-ServerAliveInterval 15
-
-# conserve some bandwidth at the cost of processing power
-Compression yes
--- a/ssh/.ssh/config
+++ b/ssh/.ssh/config
@ -1,2 +1,7 @@
-Include ~/.ssh/conf/config.ssh
-Include ~/.ssh/conf/hosts.ssh
+# Send a keepalive package every 15 seconds without data
+ServerAliveInterval 15
+
+# conserve some bandwidth at the cost of processing power
+Compression yes
+
+Include ~/.ssh/hosts
--- a/ssh/.ssh/scripts/check-fingerprint
+++ b/ssh/.ssh/scripts/check-fingerprint
@ -0,0 +1,21 @@
+#!/bin/bash
+# from: https://awbmilne.github.io/blog/SSH-Host-Fallback/
+# Takes 2 arguments: a hostname and an ssh fingerprint
+# Retrieves all fingerprints from hostname and compares
+# to see if the fingerprint passed in is part of them.
+# If it is, returns true; if not, false.
+# Can be used for more secure matching on hostname availability
+# in sshconfig than e.g. nc ip matching.
+#
+# To find your keys fingerprint, one option is just connecting
+# via `ssh -v` and looking for the fingerprint there.
+
+fingerprints=$(ssh-keygen -lf <(ssh-keyscan "$1" 2>/dev/null))
+
+for fingerprint in $fingerprints; do
+    if [ "$fingerprint" == "$2" ]; then
+        exit 0
+    fi
+done
+
+exit 1