SSHFP with paramiko #2097

Closed
totaam opened this issue Jan 3, 2019 · 7 comments

totaam (Collaborator) commented Jan 3, 2019

2019-01-03 13:34:45: elenril created the issue

One feature that I've been using with openssh, but is missing from the new paramiko code, is checking SSHFP DNS records.

Some background: SSHFP records are used to publish host key fingerprints in DNS; then (assuming the domain is DNSSEC-secured and the client has a validating resolver) the client can verify the host keys through DNS rather than the classic trust-on-first-use method. In openssh, this is enabled by the VerifyHostKeyDNS yes option in ssh_config. Since I have many hosts which connect to each other, I think this scales better than the classic known_hosts approach.

Now, paramiko does not support SSHFP natively, but it can be implemented by the caller through a custom missing host key policy. I'm attaching code for this policy I use in another codebase, though I am not sure whether it belongs in xpra or should be added to paramiko itself, or implemented in some other manner. Thoughts?
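The custom missing-host-key policy the comment describes, written here as an added example; it is not the attached _sshfp_policy.py (which is not reproduced on this page), nor xpra's or paramiko's own code. It assumes paramiko's MissingHostKeyPolicy interface (`missing_host_key(client, hostname, key)`, with `key.get_name()` and `key.asbytes()` giving the key type and the raw public key blob) and dnspython 2.x for the live lookup in `lookup_sshfp_dnssec`. The SSHFP code points follow RFC 4255/6594/7479: the fingerprint is a SHA-1 (type 1) or SHA-256 (type 2) digest of the public key blob. The demo key blob is constructed and is not a real host key; the stand-in classes exist only so the module also runs where paramiko is not installed.

```python
"""SSHFP host-key verification as a paramiko MissingHostKeyPolicy (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

try:
    from paramiko import MissingHostKeyPolicy, SSHException
except ImportError:  # stand-ins so the module still runs without paramiko
    class MissingHostKeyPolicy:
        pass

    class SSHException(Exception):
        pass

# SSHFP algorithm numbers keyed by SSH key-type name (RFC 4255, 6594, 7479)
KEY_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256, both over the raw public key blob
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass(frozen=True)
class SSHFPRecord:
    algorithm: int
    fp_type: int
    fingerprint: bytes  # raw digest bytes, as dnspython returns them


def sshfp_records_for_key(key_name, key_blob):
    """The records a server admin would publish for this key (one per hash type)."""
    alg = KEY_ALGORITHMS[key_name]
    return [SSHFPRecord(alg, t, h(key_blob).digest()) for t, h in FP_HASHES.items()]


def key_matches_records(key_name, key_blob, records):
    """True if some record names this key's algorithm and its digest matches."""
    alg = KEY_ALGORITHMS.get(key_name)
    if alg is None:
        return False
    for rec in records:
        if rec.algorithm != alg or rec.fp_type not in FP_HASHES:
            continue  # other algorithm or unknown hash type: ignore, never "match"
        digest = FP_HASHES[rec.fp_type](key_blob).digest()
        if hmac.compare_digest(digest, rec.fingerprint):
            return True
    return False


def lookup_sshfp_dnssec(hostname):
    """Live lookup with dnspython 2.x (assumed installed; not exercised offline).
    Returns (records, authenticated); authenticated is the AD bit, i.e. the
    validating resolver vouched for the answer."""
    import dns.flags
    import dns.resolver
    resolver = dns.resolver.Resolver()
    resolver.use_edns(0, dns.flags.DO, 1232)      # request DNSSEC data
    resolver.flags = dns.flags.RD | dns.flags.AD  # ask the resolver to report validation
    answer = resolver.resolve(hostname, "SSHFP")
    records = [SSHFPRecord(r.algorithm, r.fp_type, r.fingerprint) for r in answer]
    return records, bool(answer.response.flags & dns.flags.AD)


class SSHFPPolicy(MissingHostKeyPolicy):
    """Accept an unknown host key only if a DNSSEC-validated SSHFP record matches it."""

    def __init__(self, lookup=lookup_sshfp_dnssec, require_dnssec=True):
        self._lookup = lookup
        self._require_dnssec = require_dnssec

    def verify(self, hostname, key_name, key_blob):
        """Return (ok, reason) without raising, so callers can log the reason."""
        try:
            records, authenticated = self._lookup(hostname)
        except Exception as e:  # NXDOMAIN, timeout, no SSHFP RRset, ...
            return False, f"SSHFP lookup for {hostname} failed: {e}"
        if not records:
            return False, f"no SSHFP records for {hostname}"
        if self._require_dnssec and not authenticated:
            # Without the AD bit the answer is spoofable: an on-path attacker
            # could serve a fingerprint for their own key.
            return False, f"SSHFP answer for {hostname} is not DNSSEC-validated"
        if not key_matches_records(key_name, key_blob, records):
            return False, f"{key_name} host key for {hostname} matches no SSHFP record"
        return True, f"{key_name} host key for {hostname} verified via SSHFP"

    def missing_host_key(self, client, hostname, key):
        # paramiko calls this for hosts absent from known_hosts; returning
        # accepts the key for this connection, raising rejects it.
        ok, reason = self.verify(hostname, key.get_name(), key.asbytes())
        if not ok:
            raise SSHException(reason)


# Constructed demo key: a syntactically valid ssh-ed25519 wire blob with a
# dummy 32-byte public value (not a real host key).
DEMO_KEY_NAME = "ssh-ed25519"
DEMO_KEY_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))

if __name__ == "__main__":
    records = sshfp_records_for_key(DEMO_KEY_NAME, DEMO_KEY_BLOB)
    validated = SSHFPPolicy(lookup=lambda host: (records, True))   # fake validated DNS
    unvalidated = SSHFPPolicy(lookup=lambda host: (records, False))
    print(validated.verify("host.example", DEMO_KEY_NAME, DEMO_KEY_BLOB))
    print(unvalidated.verify("host.example", DEMO_KEY_NAME, DEMO_KEY_BLOB))
```

With real paramiko this is installed with `client.set_missing_host_key_policy(SSHFPPolicy())`. The policy is only consulted for hosts paramiko cannot find in the loaded known_hosts; a mismatch against an existing known_hosts entry is rejected by paramiko before any policy runs. The `require_dnssec` switch exists so a caller can log what would have happened on an unvalidated answer, but leaving it enabled is what makes the check meaningful: without the AD bit the records carry no more trust than the network path.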

totaam (Collaborator, Author) commented Jan 3, 2019

2019-01-03 13:35:03: elenril uploaded file _sshfp_policy.py (1.8 KiB)

totaam (Collaborator, Author) commented Jan 3, 2019

I think the policy itself could be merged by paramiko, if they decide to do so. If anything, their review of the code would be useful to have.

The actual code changes in xpra would be minimal.
I'll try to take a look when I get a chance, but feel free to beat me to it.

totaam (Collaborator, Author) commented Jan 4, 2019

Try r21287 and let me know how it goes.

I take back what I had said regarding merging this upstream: it's easier to have it separate so that the messages we get from the SSHFP DNS check can be integrated into the other dialogs / console messages.

totaam (Collaborator, Author) commented Jan 18, 2019

Not heard back, closing - works for me.

totaam closed this as completed Jan 18, 2019

totaam (Collaborator, Author) commented Apr 24, 2019

Added python-dns to rpm and deb dependencies in r22531.

totaam (Collaborator, Author) commented Jan 27, 2020

See also #2567.

totaam (Collaborator, Author) commented Jul 10, 2021

Looks like the DEB dependency was wrong: 116cfdb
python3-dnspython provides dns, not python3-dns!
