ssh_known_hosts isn't behaving
# Transcript of the symptom: connecting to a host that should already be
# covered by the distributed /etc/ssh/ssh_known_hosts still produces the
# first-contact prompt. ssh shows this when it finds no known_hosts entry for
# the name it was given ('evil' here), so the question is whether the lines
# written by the template carry that name (and this key type) at all.
$ ssh evil
The authenticity of host 'evil (192.168.50.39)' can't be established.
ECDSA key fingerprint is 36:e8:c5:97:ca:88:65:69:c2:f6:30:3d:b0:f3:1b:bc.
{#- Builds /etc/ssh/ssh_known_hosts from Salt mine data: one line per published
    host key, prefixed with every name the key should match -- the published
    hostname (or minion id), its A/AAAA records, and any configured alias that
    resolves to one of those IPs. -#}
{%- set target = salt['pillar.get']('openssh:known_hosts:target', '*') -%}
{%- set expr_form = salt['pillar.get']('openssh:known_hosts:expr_form', 'glob') -%}
{%- set hostname_function = salt['pillar.get']('openssh:known_hosts:mine_hostname_function', 'public_ssh_hostname') -%}
{#- NOTE(review): keys_function is passed to mine.get below but is not set
    anywhere in this excerpt; presumably it is defined in a part of the formula
    not shown here -- confirm it is in scope when the template renders. -#}
{#- Lookup IP of all aliases so that when we have a matching IP, we inject the alias name
    in the SSH known_hosts entry -#}
{%- set aliases = salt['pillar.get']('openssh:known_hosts:aliases', []) -%}
{#- aliases_ips: resolved IP -> list of aliases that resolve to it. Resolution
    uses whatever resolver the rendering host has, so the names written here
    are only as reliable as that DNS. -#}
{%- set aliases_ips = {} -%}
{%- for alias in aliases -%}
{%- for ip in salt['dig.A'](alias) + salt['dig.AAAA'](alias) -%}
{%- do aliases_ips.setdefault(ip, []).append(alias) -%}
{%- endfor -%}
{%- endfor -%}
{#- Loop over targeted minions -#}
{#- host_keys: minion id -> newline-separated public host keys;
    host_names: minion id -> hostname published via hostname_function.
    Both are self-reported through the mine, so the name attached to a key is
    only as trustworthy as the minion that published it; keep `target` to
    minions you actually trust to vouch for their own name. -#}
{%- set host_keys = salt['mine.get'](target, keys_function, expr_form=expr_form) -%}
{%- set host_names = salt['mine.get'](target, hostname_function, expr_form=expr_form) -%}
{#- dictsort gives a deterministic (minion-id ordered) file, so repeated
    renders do not churn the managed file. -#}
{%- for host, keys in host_keys|dictsort -%}
{%- set ip4 = salt['dig.A'](host) -%}
{%- set ip6 = salt['dig.AAAA'](host) -%}
{#- First name is the published hostname, falling back to the minion id.
    NOTE(review): ssh looks entries up by the name typed on the command line
    (and, with CheckHostIP, the resolved IP); a host reached by a name that is
    not in this list -- e.g. a short name when an FQDN was published -- will
    still get the first-contact prompt. That is a likely explanation for the
    'evil' transcript if 'evil' is not what that minion publishes. -#}
{%- set names = [host_names.get(host, host)] -%}
{%- for ip in ip4 + ip6 -%}
{%- do names.append(ip) -%}
{%- for alias in aliases_ips.get(ip, []) -%}
{%- if alias not in names -%}
{%- do names.append(alias) -%}
{%- endif -%}
{%- endfor -%}
{%- endfor -%}
{#- Each non-empty line of the mine value is one public key; emit
    "name1,name2,... <key>" per key. The closing endif deliberately has no
    leading '-' so the newline after each entry survives whitespace control. -#}
{%- for line in keys.split('\n') -%}
{%- if line -%}
{{ ','.join(names) }} {{ line }}
{% endif -%}
{%- endfor -%}
{%- endfor -%}
# Render the shared known_hosts template onto every minion that applies this
# state. The file holds only public host keys, so world-readable is fine;
# root ownership keeps local users from editing what the master distributes.
all_debian_ssh_host_keys:
  file.managed:
    - name: /etc/ssh/ssh_known_hosts
    - source: salt://openssh/files/ssh_known_hosts
    - template: jinja
    - user: root
    - group: root
    # Salt's docs recommend quoting modes (e.g. '0644'): an unquoted value with
    # a leading zero is read as octal by YAML. 644 without the zero is safe.
    - mode: 644
{# note from the formula: these two mine.get calls are what fetch the keys and hostnames #}
{%- set host_keys = salt['mine.get'](target, keys_function, expr_form=expr_form) -%}
{%- set host_names = salt['mine.get'](target, hostname_function, expr_form=expr_form) -%}
{# which fetches all of my host keys; #}
{# then, when the state is applied, I do in fact see those keys go out: #}
# $ wc -l /etc/ssh/ssh_known_hosts
71 /etc/ssh/ssh_known_hosts
{# none were there before, so distribution itself works; what is left to check is whether the names written on each line match the name used in the ssh command #}