Help:SSH Fingerprints
SSH fingerprints of host keys for Wikimedia bastion servers in the production, Cloud VPS, and Toolforge environments. These can be used to validate the authenticity of keys offered by hosts when attempting to connect for the first time or if the key has changed due to a full reimaging of the server.
Fingerprints
- apt1001.wikimedia.org
- apt2001.wikimedia.org
- bast1001.wikimedia.org
- bast1002.wikimedia.org
- bast1003.wikimedia.org
- bast2001.wikimedia.org
- bast2002.wikimedia.org
- bast2003.wikimedia.org
- bast3001.wikimedia.org
- bast3002.wikimedia.org
- bast3004.wikimedia.org
- bast3005.wikimedia.org
- bast3006.wikimedia.org
- bast3007.wikimedia.org
- bast4001.wikimedia.org
- bast4002.wikimedia.org
- bast4003.wikimedia.org
- bast4004.wikimedia.org
- bast4005.wikimedia.org
- bast5001.wikimedia.org
- bast5002.wikimedia.org
- bast5003.wikimedia.org
- bast5004.wikimedia.org
- bast6002.wikimedia.org
- bast6003.wikimedia.org
- bast7001.wikimedia.org
- bastion.bastioninfra-codfw1dev.codfw1dev.wmcloud.org
- contint1002.wikimedia.org
- contint2001.wikimedia.org
- contint2002.wikimedia.org
- deploy1001.eqiad.wmnet
- deploy1002.eqiad.wmnet
- deploy1003.eqiad.wmnet
- deploy2002.codfw.wmnet
- deployment-tin.deployment-prep.eqiad.wmflabs
- dev.toolforge.org
- gerrit.wikimedia.org:29418
- gerrit1001.wikimedia.org
- gerrit1002.wikimedia.org
- git-ssh.wikimedia.org
- gitlab.wikimedia.org
- gitlab1001.wikimedia.org
- gitlab1003.wikimedia.org
- gitlab1004.wikimedia.org
- gitlab2001.wikimedia.org
- gitlab2002.wikimedia.org
- gitlab2003.wikimedia.org
- hooft.esams.wikimedia.org
- icinga1001.wikimedia.org
- icinga2001.wikimedia.org
- install1003.eqiad.wmnet
- install2003.codfw.wmnet
- login.toolforge.org
- mira.codfw.wmnet
- miscweb1002.eqiad.wmnet
- miscweb2002.codfw.wmnet
- mwdebug1001.eqiad.wmnet
- mwdebug1002.eqiad.wmnet
- mwdebug1003.eqiad.wmnet
- mwdebug2001.codfw.wmnet
- mwdebug2002.codfw.wmnet
- mwmaint1001.eqiad.wmnet
- mwmaint1002.eqiad.wmnet
- mwmaint2001.codfw.wmnet
- mwmaint2002.codfw.wmnet
- naos.codfw.wmnet
- notebook1003.eqiad.wmnet
- people1001.eqiad.wmnet
- people1002.eqiad.wmnet
- people1003.eqiad.wmnet
- people1004.eqiad.wmnet
- people2002.codfw.wmnet
- people2003.codfw.wmnet
- phab1001.eqiad.wmnet
- phab1003.eqiad.wmnet
- phab1004.eqiad.wmnet
- phab2001.codfw.wmnet
- planet1002.eqiad.wmnet
- planet2002.codfw.wmnet
- primary.bastion.wmcloud.org
- puppetmaster1001.eqiad.wmnet
- puppetmaster2001.codfw.wmnet
- releases1001.eqiad.wmnet
- releases1002.eqiad.wmnet
- releases2001.codfw.wmnet
- releases2002.codfw.wmnet
- restricted.bastion.wmcloud.org
- rhenium.wikimedia.org
- secondary.bastion.wmcloud.org
- stat1002.eqiad.wmnet
- stat1003.eqiad.wmnet
- stat1004.eqiad.wmnet
- stat1005.eqiad.wmnet
- stat1006.eqiad.wmnet
- stat1007.eqiad.wmnet
- stat1008.eqiad.wmnet
- stat1009.eqiad.wmnet
- stat1010.eqiad.wmnet
- stat1011.eqiad.wmnet
- terbium.eqiad.wmnet
- tin.eqiad.wmnet
- wikitech-static.wikimedia.org
Virtual addresses
Some servers have virtual addresses. For instance, ns1.wikimedia.org is a virtual host on the authdns1001 host; the ns1 host does not have fingerprints published, but the authdns1001 host does, so connecting to the latter is advised.
Collecting or updating fingerprints
You can download fingerprints for the entire Wikimedia cluster from https://config-master.wikimedia.org/, which is available publicly.
curl "https://config-master.wikimedia.org/known_hosts" -o ~/.ssh/known_hosts
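The curl command above writes the cluster file over your whole ~/.ssh/known_hosts, which discards entries for any non-Wikimedia hosts and silently replaces a key that has changed. The following is an added example, not part of this page or of any Wikimedia tooling: it merges a downloaded known_hosts file into an existing one, appending only new entries and reporting any host whose key differs instead of overwriting it. The two inline files are constructed sample data (the keys are not real host keys), and the script assumes you saved the download to a separate file first, for instance ~/.ssh/known_hosts.wikimedia (a name chosen here, not one the page uses).

```python
#!/usr/bin/python3
"""Merge a downloaded known_hosts file into an existing one without clobbering it.

Entries are keyed on (host pattern, key type). New entries are appended; an entry
whose key differs from the existing one for the same host and key type is reported
as a conflict rather than replaced, so a reimaged host (or a tampered download) is
something you look at, not something that quietly disappears.
"""
import sys


def parse_known_hosts(text):
    """Yield (hosts, keytype, key, line) for every key line in a known_hosts file.

    Blank lines, comments and malformed lines are skipped; a leading @marker
    (@cert-authority / @revoked) is dropped before the fields are read.
    """
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        fields = stripped.split()
        if fields[0].startswith('@'):
            fields = fields[1:]
        if len(fields) < 3:
            continue
        yield fields[0], fields[1], fields[2], stripped


def merge_known_hosts(existing_text, downloaded_text):
    """Return (merged_lines, conflicts).

    merged_lines: the existing file verbatim plus downloaded entries that are new.
    conflicts: (hosts, keytype, existing_key, downloaded_key) tuples where both
    files hold a different key for the same host pattern and key type.
    """
    merged = existing_text.splitlines()
    existing = {(hosts, keytype): key
                for hosts, keytype, key, _ in parse_known_hosts(existing_text)}
    conflicts = []
    for hosts, keytype, key, line in parse_known_hosts(downloaded_text):
        current = existing.get((hosts, keytype))
        if current is None:
            merged.append(line)
            existing[(hosts, keytype)] = key
        elif current != key:
            conflicts.append((hosts, keytype, current, key))
    return merged, conflicts


# Constructed sample data (the keys are not real Wikimedia host keys): the local
# file knows one bastion and an unrelated host; the download carries the bastion
# with a *changed* key, the unrelated host unchanged, and one new host.
EXISTING = """\
# my known_hosts
bast1001.wikimedia.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXISTINGKEY0000000000000000000000000
example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCunrelated
"""
DOWNLOADED = """\
bast1001.wikimedia.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHANGEDKEY00000000000000000000000000
example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCunrelated
bast2002.wikimedia.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAInewhost
"""


if __name__ == '__main__':
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_existing, open(sys.argv[2]) as f_downloaded:
            merged, conflicts = merge_known_hosts(f_existing.read(), f_downloaded.read())
    else:
        merged, conflicts = merge_known_hosts(EXISTING, DOWNLOADED)
    for hosts, keytype, old, new in conflicts:
        print('CONFLICT %s %s: existing %s... vs downloaded %s...'
              % (hosts, keytype, old[:16], new[:16]), file=sys.stderr)
    print('\n'.join(merged))
```

Run it as `merge_known_hosts.py ~/.ssh/known_hosts ~/.ssh/known_hosts.wikimedia > known_hosts.new` and inspect any CONFLICT lines before moving the result into place. An alternative that avoids merging altogether is to keep the download in its own file and point OpenSSH at both with `UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts.wikimedia` in ~/.ssh/config, so a refreshed download never touches your own entries.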
From within the Wikimedia networks
To find this information locally, run:
gen_fingerprints
on any host (from ./modules/base/files/environment/gen_fingerprints), or:
for file in /etc/ssh/*_key.pub; do ssh-keygen -lf "$file"; done
To get the ECDSA base64 fingerprint, log in to the bastion for the host, then run the following command:
ssh-keyscan -t ecdsa <hostname> 2>/dev/null | awk '{print $3}' | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64
If that doesn't work, you might try using ssh -o FingerprintHash=md5 and comparing the MD5 checksum against the fingerprints on subpages here (or the fingerprint derived when attempting to SSH from the bastion host), or try the following Python code.
From a remote host
Remotely (and to format it for these pages), something like this should work:
#!/usr/bin/python3
import collections
import subprocess
import sys
import tempfile

if len(sys.argv) < 2:
    print('Must specify hostname')
    sys.exit(1)
hostname = sys.argv[1]
port = 22
if len(sys.argv) > 2:
    port = sys.argv[2]

with tempfile.NamedTemporaryFile() as tf:
    # Fetch the host's public keys into a temporary file; ssh-keyscan's chatter goes to /dev/null
    keyscanCommand = ['ssh-keyscan', '-t', 'rsa,ecdsa,ed25519', '-p', str(port), hostname]
    subprocess.call(keyscanCommand, stdout=tf, stderr=subprocess.DEVNULL)
    fingerprints = collections.defaultdict(list)
    for fingerprintHash in ['md5', 'sha256']:
        # ssh-keygen -l prints one line per key: "<bits> <fingerprint> <host> (<KEYTYPE>)"
        keygenCommand = ['ssh-keygen', '-l', '-E', fingerprintHash, '-f', tf.name]
        keygenProcess = subprocess.Popen(keygenCommand, stdout=subprocess.PIPE)
        stdout, stderr = keygenProcess.communicate()
        for line in stdout.decode('ascii').splitlines():
            bitlen, fingerprint, host, keytype = line.split(' ')
            fingerprints[keytype[1:-1]].append(fingerprint)

# Print in the wiki markup used on the fingerprint subpages
for keytype, keys in fingerprints.items():
    print(';' + keytype + ':')
    for key in keys:
        print('* <code>' + key + '</code>')
    print()
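The ssh-keyscan/sha256sum pipeline above and the script just shown both rely on OpenSSH tools. As an added example, not part of this page or of any Wikimedia tooling, the following does the same derivation in plain Python: it parses a key line as emitted by ssh-keyscan or found in a .pub file, checks that the key type embedded in the blob agrees with the declared one, computes the SHA256 fingerprint (OpenSSH drops the base64 "=" padding that the pipeline leaves in) and the MD5 form shown by -o FingerprintHash=md5, and compares them against a list copied from a fingerprint subpage. The host name and key in SAMPLE_LINE are constructed for the example and are not a real host key.

```python
#!/usr/bin/python3
"""Compute OpenSSH-style host key fingerprints and check them against a published list."""
import base64
import hashlib
import struct


def parse_key_line(line):
    """Return (keytype, blob) from a '[host] keytype base64 [comment]' line.

    ssh-keyscan output starts with the host name; .pub files start with the key
    type. The decoded blob begins with a length-prefixed key type string, which
    must agree with the declared type or the line has been mangled.
    """
    fields = line.split()
    if len(fields) >= 3 and not fields[0].startswith(('ssh-', 'ecdsa-', 'sk-')):
        fields = fields[1:]
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack('>I', blob[:4])
    embedded = blob[4:4 + tlen].decode('ascii')
    if embedded != keytype:
        raise ValueError('key type mismatch: declared %s, blob says %s' % (keytype, embedded))
    return keytype, blob


def sha256_fingerprint(blob):
    """OpenSSH 'SHA256:' form: base64 of the digest with the trailing '=' removed."""
    digest = hashlib.sha256(blob).digest()
    return 'SHA256:' + base64.b64encode(digest).decode('ascii').rstrip('=')


def md5_fingerprint(blob):
    """OpenSSH 'MD5:' form: the digest as colon-separated lowercase hex bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return 'MD5:' + ':'.join(digest[i:i + 2] for i in range(0, 32, 2))


def matches_published(line, published):
    """True if the key on `line` has either fingerprint form in `published`
    (a list of strings as copied from a fingerprint subpage)."""
    keytype, blob = parse_key_line(line)
    ours = {sha256_fingerprint(blob), md5_fingerprint(blob)}
    return any(entry.strip() in ours for entry in published)


# Constructed sample key (not a real host key): a well-formed ed25519 blob whose
# 32-byte public part is simply the bytes 0x00..0x1f.
_SAMPLE_BLOB = (struct.pack('>I', 11) + b'ssh-ed25519'
                + struct.pack('>I', 32) + bytes(range(32)))
SAMPLE_LINE = ('bast1001.example.invalid ssh-ed25519 '
               + base64.b64encode(_SAMPLE_BLOB).decode('ascii'))


if __name__ == '__main__':
    keytype, blob = parse_key_line(SAMPLE_LINE)
    print(keytype, sha256_fingerprint(blob), md5_fingerprint(blob))
```

To check a real host, feed `matches_published()` one line of `ssh-keyscan -t ed25519 <hostname>` output and the fingerprints listed on that host's subpage; a False result means the offered key is not one you have a published fingerprint for and the connection should not be trusted until that is resolved.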