ssh: Add host fingerprint matching

Added fingerprint matching to host functionality, replacing the old
idea of matching on IP with nc.
It functions essentially the same, only that now if another host
randomly or deliberately replaces the original checking target you will
still not try to connect, since the ssh fingerprint will not match.
Should make it a teensy bit more secure.
Marty Oehme 2022-03-08 09:26:24 +01:00
parent a49e49bbd4
commit 645248e83a
Signed by: Marty
GPG key ID: B7538B8F50A1C800
3 changed files with 28 additions and 7 deletions

@ -1,5 +0,0 @@
# Send a keepalive package every 15 seconds without data
ServerAliveInterval 15
# conserve some bandwidth at the cost of processing power
Compression yes
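Review bot: this deletion is really a move, not a removal: the same four lines (the keepalive comment, `ServerAliveInterval 15`, the bandwidth comment and `Compression yes`) reappear inlined in the main config in the next hunk, so the commit message should mention that the separate config file was folded into the main one rather than only describing the fingerprint matching. While these lines are being relocated, the comment typo "keepalive package" could be corrected to "keepalive packet".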

@ -1,2 +1,7 @@
Include ~/.ssh/conf/config.ssh # Send a keepalive package every 15 seconds without data
Include ~/.ssh/conf/hosts.ssh ServerAliveInterval 15
# conserve some bandwidth at the cost of processing power
Compression yes
Include ~/.ssh/hosts
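Review bot: ordering matters here: ssh_config takes the first value obtained for each option, so with `ServerAliveInterval 15` and `Compression yes` placed before `Include ~/.ssh/hosts`, no `Host` or `Match` block inside the included file can override either setting. If per-host overrides are ever wanted, put `Include ~/.ssh/hosts` first and the global defaults after it (for example in a trailing `Host *` block). The included path also changes from `~/.ssh/conf/hosts.ssh` to `~/.ssh/hosts`, which is consistent with dropping the `conf` directory but is worth a line in the commit message.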

@ -0,0 +1,21 @@
#!/bin/bash
# from: https://awbmilne.github.io/blog/SSH-Host-Fallback/
# Takes 2 arguments: a hostname and an ssh fingerprint
# Retrieves all fingerprints from hostname and compares
# to see if the fingerprint passed in is part of them.
# If it is, returns true; if not, false.
# Can be used for more secure matching on hostname availability
# in sshconfig than e.g. nc ip matching.
#
# To find your keys fingerprint, one option is just connecting
# via `ssh -v` and looking for the fingerprint there.
fingerprints=$(ssh-keygen -lf <(ssh-keyscan "$1" 2>/dev/null))
for fingerprint in $fingerprints; do
if [ "$fingerprint" == "$2" ]; then
exit 0
fi
done
exit 1
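Review bot: the `for fingerprint in $fingerprints` loop word-splits the entire `ssh-keygen -lf` output, so each iteration sees a single token (the key length, the `SHA256:...` fingerprint, the hostname, the key type in parentheses) rather than one key line; the match only works because the fingerprint token stands alone and `$2` is expected to be exactly that token, and a hostname equal to `$2` would match too. Reading per line and selecting the fingerprint field is more robust, e.g. `ssh-keygen -lf <(ssh-keyscan "$1" 2>/dev/null) | awk '{print $2}' | grep -qxF -- "$2"` followed by `exit $?`. Two smaller points: `ssh-keyscan` defaults to port 22 and a 5 second connection timeout, so a `Match exec` that calls this script blocks for that long whenever the host is unreachable (consider exposing `-T` and `-p`), and since `ssh-keygen -l` emits SHA256 fingerprints by default the header comment should say that an MD5 fingerprint will never match.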