From 645248e83aadf4cdd755b05ec89b8d396cc36010 Mon Sep 17 00:00:00 2001
From: Marty Oehme
Date: Tue, 8 Mar 2022 09:26:24 +0100
Subject: [PATCH] ssh: Add host fingerprint matching

Added fingerprint matching to host functionality replacing the old matching on ip with nc idea. Functions essentially the same, only that now if another host randomly/or targeted replaces the original checking target you will still not try to be connected since the ssh fingerprint will not match. Should make it a teensy bit more secure.
---
 ssh/.ssh/conf/config.ssh | 5 -----
 ssh/.ssh/config | 9 +++++++--
 ssh/.ssh/scripts/check-fingerprint | 21 +++++++++++++++++++++
 3 files changed, 28 insertions(+), 7 deletions(-)
 delete mode 100644 ssh/.ssh/conf/config.ssh
 create mode 100755 ssh/.ssh/scripts/check-fingerprint

diff --git a/ssh/.ssh/conf/config.ssh b/ssh/.ssh/conf/config.ssh
deleted file mode 100644
index 1768d6c..0000000
--- a/ssh/.ssh/conf/config.ssh
+++ /dev/null
@@ -1,5 +0,0 @@
-# Send a keepalive package every 15 seconds without data
-ServerAliveInterval 15
-
-# conserve some bandwidth at the cost of processing power
-Compression yes
diff --git a/ssh/.ssh/config b/ssh/.ssh/config
index 2d4b429..628ec7c 100644
--- a/ssh/.ssh/config
+++ b/ssh/.ssh/config
@@ -1,2 +1,7 @@
-Include ~/.ssh/conf/config.ssh
-Include ~/.ssh/conf/hosts.ssh
+# Send a keepalive package every 15 seconds without data
+ServerAliveInterval 15
+
+# conserve some bandwidth at the cost of processing power
+Compression yes
+
+Include ~/.ssh/hosts
diff --git a/ssh/.ssh/scripts/check-fingerprint b/ssh/.ssh/scripts/check-fingerprint
new file mode 100755
index 0000000..fcbdf4a
--- /dev/null
+++ b/ssh/.ssh/scripts/check-fingerprint
@@ -0,0 +1,21 @@
+#!/bin/bash
+# from: https://awbmilne.github.io/blog/SSH-Host-Fallback/
+# Takes 2 arguments: a hostname and an ssh fingerprint
+# Retrieves all fingerprints from hostname and compares
+# to see if the fingerprint passed in is part of them.
+# If it is, returns true; if not, false.
+# Can be used for more secure matching on hostname availability
+# in sshconfig than e.g. nc ip matching.
+#
+# To find your keys fingerprint, one option is just connecting
+# via `ssh -v` and looking for the fingerprint there.
+
+fingerprints=$(ssh-keygen -lf <(ssh-keyscan "$1" 2>/dev/null))
+
+for fingerprint in $fingerprints; do
+ if [ "$fingerprint" == "$2" ]; then
+ exit 0
+ fi
+done
+
+exit 1
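Review bot: The `for fingerprint in $fingerprints` loop word-splits the whole `ssh-keygen -l` output, so `$2` is compared against every token of every line (key size, comment, key type in parentheses), not only the fingerprint field; a value like `256` or `(ED25519)` passed as the second argument would make the check succeed. Compare the fingerprint column explicitly, e.g. replace the loop with `while read -r _ fp _; do` / `  [[ "$fp" == "$2" ]] && exit 0` / `done < <(ssh-keygen -lf <(ssh-keyscan "$1" 2>/dev/null))`. Note in the header comment that `ssh-keygen -l` prints SHA256 fingerprints by default on current OpenSSH, so the value must be given in `SHA256:...` form; a hex MD5 fingerprint from an older client would never match. The `2>/dev/null` on `ssh-keyscan` is acceptable here since an unreachable host produces no output and the script falls through to `exit 1`, i.e. it fails closed, but a one-line comment saying so would help the next reader.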