1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
.. -*- mode: rst -*-
.. _server-plugins-generators-sshbase:
=======
SSHbase
=======
SSHbase is a purpose-built Bcfg2 plugin for managing ssh host keys. It
is responsible for making ssh keys persist beyond a client rebuild and
building a proper ``ssh_known_hosts file``, including a correct localhost
record for the current system.
It has two functions:
* Generating new ssh keys -- When a client requests a dsa, rsa, or v1 key,
and there is no existing key in the repository, one is generated.
* Maintaining the ``ssh_known_hosts`` file -- all current known public
keys (and extra public key stores) are integrated into a single
``ssh_known_hosts`` file, and a localhost record for the current client
is added. The ``ssh_known_hosts`` file data is updated whenever any
keys change, are added, or deleted.
Interacting with SSHbase
========================
* Pre-seeding with existing keys -- Currently existing keys will be
overwritten by new, sshbase-managed ones by default. Pre-existing keys
can be added to the repository by putting them in <repo>/SSHbase/<key
filename>.H_<hostname>
* Pre-seeding can also be performed using bcfg2-admin pull ConfigFile
/name/of/ssh/key
* Revoking existing keys -- deleting <repo>/SSHbase/\*.H_<hostname>
will remove keys for an existing client.
Aliases
=======
SSHbase has support for Aliases listed in clients.xml. The address for
the entries are specified either through DNS (e.g. a CNAME), or via the
address attribute to the Alias.
Getting started
===============
#. Add SSHbase to the **plugins** line in ``/etc/bcfg2.conf`` and
restart the server -- This enables the SSHbase plugin on the Bcfg2
server.
#. Add Path entries for ``/etc/ssh/ssh_known_hosts``, and
``/etc/ssh/ssh_host_dsa_key``, etc to a bundle or base.
#. Enjoy.
At this point, SSHbase will generate new keys for any client without
a recorded key in the repository, and will generate an
``ssh_known_hosts`` file appropriately.
Adding public keys for unmanaged hosts
======================================
If you have some hosts which are not managed by Bcfg2, but you would
still like to have their public ssh keys available in
``ssh_known_hosts``, you can add their public keys to the ``SSHbase``
directory with a *.static* ending.
Example:
``a.static``::
TEST1
``b.static``::
TEST2
The generated ``ssh_known_hosts`` file::
TEST1
TEST2
Blog post
=========
http://www.ducea.com/2008/08/24/using-the-bcfg2-sshbase-plugin/
.. note::
The linked post uses deprecated ConfigFile entries. Path entries
have since replaced these. See :ref:`server-configurationentries`.
|
