diff --git a/CHANGELOG.md b/CHANGELOG.md
index d1750be..1dccf38 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ Control panel:
 * Remove recommendations for Certificate Providers
 * Status checks failed if the system doesn't support iptables
+* Add support for SSHFP records when sshd listens on non-standard ports
 v0.20 (September 23, 2016)
 --------------------------
diff --git a/management/dns_update.py b/management/dns_update.py
index d7bbdfd..784a5b0 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -348,7 +348,18 @@ def build_sshfp_records():
 	# like the known_hosts file: hostname, keytype, fingerprint. The order
 	# of the output is arbitrary, so sort it to prevent spurrious updates
 	# to the zone file (that trigger bumping the serial number).
-	keys = shell("check_output", ["ssh-keyscan", "localhost"])
+
+	# scan the sshd_config and find the ssh ports (port 22 may be closed)
+	with open('/etc/ssh/sshd_config', 'r') as f:
+		ports = []
+		t = f.readlines()
+		for line in t:
+			s = line.split()
+			if len(s) == 2 and s[0] == 'Port':
+				ports = ports + [s[1]]
+	# the keys are the same at each port, so we only need to get
+	# them at the first port found (may not be port 22)
+	keys = shell("check_output", ["ssh-keyscan", "-p", ports[0], "localhost"])
 	for key in sorted(keys.split("\n")):
 		if key.strip() == "" or key[0] == "#": continue
 		try:
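Review bot: `ports[0]` on the new `keys = shell(...)` line raises IndexError whenever sshd_config contains no uncommented `Port` directive, which is typically the shipped configuration (sshd then listens on 22), so the patch would abort zone generation on exactly the default setup the removed line handled; the enclosing build_sshfp_records() continues past the hunk. Add a fallback after the scan, `ports = ports or ['22']`, so the default port is used when nothing is declared. The match `s[0] == 'Port'` is also stricter than sshd's own parsing, whose keywords are case-insensitive, and a line such as `Port 2222 # note` fails the `len(s) == 2` test and is silently skipped; `s and s[0].lower() == 'port' and len(s) >= 2` with `s[1]` would track what sshd actually honours. Minor style: `ports = ports + [s[1]]` is clearer and cheaper as `ports.append(s[1])`, and the `'r'` mode argument is the default.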