SSH known_hosts Management with CFEngine

By jbayer - Last updated: Thursday, October 10, 2013 - Save & Share - Leave a Comment

For small sites, a changed Secure Shell (SSH) host key poses only minor problems, as only a few systems might be affected. At larger sites, the host key data should be maintained with configuration management, so that any SSH host key changes can be propogated throughout the site. CFEngine can maintain a global ssh_known_hosts file for OpenSSH.

Host Key Collection with ssh-keyscan

The global ssh_known_hosts file should be maintained under version control. I keep the file atmasterfiles/ssh/ssh_known_hosts under the repository, and use a set of scripts around ssh-keyscan(1) to add or update host keys manually. When collecting host keys from other servers, care should be taken that no attacker has supplied a malicious key. The man-in-the-middle threat can be reduced by using an authoritative name server on the system running ssh-keyscan(1). Also, have each system compare its own keys with the keys the scanning system collected, and alert if differences appear.

Scripts to assist key collection include:

With a Makefilemake add or make update can be used to update the host key list:

# usage:
# echo hostname | make add
add:
 @expand-hl | add-ssh-hostkeys ssh_known_hosts

update:
 @update-ssh-hostkeys ssh_known_hosts

 

Distributing ssh_known_hosts

Use a remote_dcp bundle to distribute the ssh_known_hosts file, with variables to account for vendor specific differences.

vars:
 macosx::
 "ssh_known_hosts" string => "/etc/ssh_known_hosts";
freebsd|linux|openbsd::
 "ssh_known_hosts" string => "/etc/ssh/ssh_known_hosts";
files:
 any::
   "${ssh_known_hosts}"
   handle => "ssh_known_hosts",
   comment => "Copy ssh_known_hosts file",
   create => "true",
   perms => mog("0444", "root", "root"),
   copy_from => remote_dcp("${masterfiles}/etc/ssh/ssh_known_hosts", "${policyhost}"),
   classes => if_repaired("ssh_known_hosts_file_modified");

Users with old host keys in their ~/.ssh/known_hosts files will see key warnings. Old keys must be deleted in favor of the globally maintained keys.

The inspiration for this post is http://www.novosial.org/cfengine/examples/ssh-known-hosts/index.html, which is for CF-Engine 2.  Unfortunately, the email for the author is not valid anymore.

Posted in CF-Engine • Tags: , , Top Of Page
615 views

Write a comment

asd