Note
In order for the instructions in this guide to work, you will need to first setup the reporting system so that the server has the information needed to create the existing entries.
This guide details the process for importing existing ssh keys into your server repository.
After verifying that SSHbase is listed on the plugins line in /etc/bcfg2.conf, you need to create a bundle containing the appropriate entries. In general, you can use a path glob:
<Bundle>
<Path glob="/etc/ssh/*"/>
</Bundle>
If you need more granular control – e.g., other entries in /etc/ssh are specified in other bundles – you can also list the files explicity:
<Bundle>
<!-- requires a version of openssh that can generate ecdsa keys -->
<Path name="/etc/ssh/ssh_host_ecdsa_key"/>
<Path name="/etc/ssh/ssh_host_ecdsa_key.pub"/>
<!-- requires a version of openssh that can generate ed25519 keys -->
<Path name="/etc/ssh/ssh_host_ed25519_key"/>
<Path name="/etc/ssh/ssh_host_ed25519_key.pub"/>
<Path name='/etc/ssh/ssh_host_dsa_key'/>
<Path name='/etc/ssh/ssh_host_dsa_key.pub'/>
<Path name='/etc/ssh/ssh_host_rsa_key'/>
<Path name='/etc/ssh/ssh_host_rsa_key.pub'/>
<Path name='/etc/ssh/ssh_host_key'/>
<Path name='/etc/ssh/ssh_host_key.pub'/>
<Path name='/etc/ssh/ssh_known_hosts'/>
</Bundle>
Next, you need to add the ssh bundle to the client’s metadata in groups.xml.
bcfg2 -vqn
You will see the incorrect entries for the ssh files:
Phase: initial
Correct entries: 0
Incorrect entries: 7
Total managed entries: 7
Unmanaged entries: 649
In dryrun mode: suppressing entry installation for:
Path:/etc/ssh/ssh_host_dsa_key Path:/etc/ssh/ssh_host_rsa_key
Path:/etc/ssh/ssh_host_dsa_key.pub Path:/etc/ssh/ssh_host_rsa_key.pub
Path:/etc/ssh/ssh_host_key Path:/etc/ssh/ssh_known_hosts
Path:/etc/ssh/ssh_host_key.pub
Phase: final
Correct entries: 0
Incorrect entries: 7
Path:/etc/ssh/ssh_host_dsa_key Path:/etc/ssh/ssh_host_rsa_key
Path:/etc/ssh/ssh_host_dsa_key.pub Path:/etc/ssh/ssh_host_rsa_key.pub
Path:/etc/ssh/ssh_host_key Path:/etc/ssh/ssh_known_hosts
Path:/etc/ssh/ssh_host_key.pub
Total managed entries: 7
Unmanaged entries: 649
Now, we pull the ssh host key data for the client out of the uploaded stats and insert it as host-specific copies of these files in /var/lib/bcfg2/SSHBase.:
for key in ssh_host_ed25519_key ssh_host_ecdsa_key ssh_host_rsa_key ssh_host_dsa_key ssh_host_key; do
sudo bcfg2-admin pull <clientname> Path /etc/ssh/$key
sudo bcfg2-admin pull <clientname> Path /etc/ssh/$key.pub
done
This for loop pulls data that was collected by the bcfg2 client out of the statistics file and installs it into the repository. This means that the client will keep the same ssh keys and the bcfg2 server can start generating a correct ssh_known_hosts file for the client.
bcfg2 -vqn
This time, we will only see 1 incorrect entry.:
Phase: initial
Correct entries: 6
Incorrect entries: 1
Total managed entries: 7
Unmanaged entries: 649
In dryrun mode: suppressing entry installation for:
Path:/etc/ssh/ssh_known_hosts
Phase: final
Correct entries: 6
Incorrect entries: 1
Path:/etc/ssh/ssh_known_hosts
Total managed entries: 7
Unmanaged entries: 649
Now, the only wrong entry is the ssh_known_hosts file, so go ahead and install it:
bcfg2 -vqI
After answering ‘y’ to the interactive prompt, the client will install the known_hosts file successfully.