
Import existing ssh keys

Note

In order for the instructions in this guide to work, you will need to first set up the reporting system so that the server has the information needed to create the existing entries.

This guide details the process for importing existing ssh keys into your server repository.

Add a bundle for ssh

After verifying that SSHbase is listed on the plugins line in /etc/bcfg2.conf, you need to create a bundle containing the appropriate entries. In general, you can use a path glob:

<Bundle>
  <Path glob="/etc/ssh/*"/>
</Bundle>

If you need more granular control – e.g., other entries in /etc/ssh are specified in other bundles – you can also list the files explicitly:

<Bundle>
  <!-- requires a version of openssh that can generate ecdsa keys -->
  <Path name="/etc/ssh/ssh_host_ecdsa_key"/>
  <Path name="/etc/ssh/ssh_host_ecdsa_key.pub"/>
  <!-- requires a version of openssh that can generate ed25519 keys -->
  <Path name="/etc/ssh/ssh_host_ed25519_key"/>
  <Path name="/etc/ssh/ssh_host_ed25519_key.pub"/>
  <Path name='/etc/ssh/ssh_host_dsa_key'/>
  <Path name='/etc/ssh/ssh_host_dsa_key.pub'/>
  <Path name='/etc/ssh/ssh_host_rsa_key'/>
  <Path name='/etc/ssh/ssh_host_rsa_key.pub'/>
  <Path name='/etc/ssh/ssh_host_key'/>
  <Path name='/etc/ssh/ssh_host_key.pub'/>
  <Path name='/etc/ssh/ssh_known_hosts'/>
</Bundle>

Next, you need to add the ssh bundle to the client’s metadata in groups.xml.

Validate your repository

Validation can be performed using the following command:

bcfg2-lint

Run the bcfg2 client

bcfg2 -vqn

You will see the incorrect entries for the ssh files:

Phase: initial
Correct entries:        0
Incorrect entries:      7
Total managed entries:  7
Unmanaged entries:      649

In dryrun mode: suppressing entry installation for:
 Path:/etc/ssh/ssh_host_dsa_key      Path:/etc/ssh/ssh_host_rsa_key
 Path:/etc/ssh/ssh_host_dsa_key.pub  Path:/etc/ssh/ssh_host_rsa_key.pub
 Path:/etc/ssh/ssh_host_key          Path:/etc/ssh/ssh_known_hosts
 Path:/etc/ssh/ssh_host_key.pub

Phase: final
Correct entries:        0
Incorrect entries:      7
 Path:/etc/ssh/ssh_host_dsa_key      Path:/etc/ssh/ssh_host_rsa_key
 Path:/etc/ssh/ssh_host_dsa_key.pub  Path:/etc/ssh/ssh_host_rsa_key.pub
 Path:/etc/ssh/ssh_host_key          Path:/etc/ssh/ssh_known_hosts
 Path:/etc/ssh/ssh_host_key.pub
Total managed entries:  7
Unmanaged entries:      649

Install the client’s ssh keys into the Bcfg2 repository

Now, we pull the ssh host key data for the client out of the uploaded stats and insert it as host-specific copies of these files in /var/lib/bcfg2/SSHbase:

for key in ssh_host_ed25519_key ssh_host_ecdsa_key ssh_host_rsa_key ssh_host_dsa_key ssh_host_key; do
    sudo bcfg2-admin pull <clientname> Path /etc/ssh/$key
    sudo bcfg2-admin pull <clientname> Path /etc/ssh/$key.pub
done

This for loop pulls data that was collected by the bcfg2 client out of the statistics file and installs it into the repository. This means that the client will keep the same ssh keys and the bcfg2 server can start generating a correct ssh_known_hosts file for the client.
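As an added sanity check (example code, not part of the Bcfg2 documentation), the function below verifies that the pull loop left a complete host-key set for the client in the repository and that the private copies are not group- or world-readable. It assumes SSHbase stores host-specific copies as <file>.H_<clientname> under the SSHbase directory; adjust the path or suffix if your layout differs.

```bash
#!/bin/sh
# Added example, not from the Bcfg2 project: check the result of the
# bcfg2-admin pull loop for one client.
# Assumption: host-specific copies are named <file>.H_<clientname>
# inside the SSHbase directory (default /var/lib/bcfg2/SSHbase).

# check_pulled_keys <sshbase_dir> <clientname> <keyfile>...
# Prints one line per problem found; returns 0 only when every key file
# has a private/public pair and the private copy is mode rw------- or stricter.
check_pulled_keys() {
    dir=$1; client=$2; shift 2
    rc=0
    for key in "$@"; do
        priv="$dir/$key.H_$client"
        pub="$dir/$key.pub.H_$client"
        if [ ! -f "$priv" ]; then
            echo "missing private key: $priv"; rc=1; continue
        fi
        if [ ! -f "$pub" ]; then
            echo "missing public key: $pub"; rc=1
        fi
        # a pulled file that is empty means the client uploaded nothing usable
        if [ ! -s "$priv" ]; then
            echo "private key is empty: $priv"; rc=1
        fi
        # columns 5-10 of `ls -l` are the group and other permission bits;
        # a host private key in the repo must have none of them set
        case $(ls -l "$priv" | cut -c5-10) in
            ------) ;;
            *) echo "private key is group/world accessible: $priv"; rc=1 ;;
        esac
    done
    return $rc
}

# usage: check_pulled_keys /var/lib/bcfg2/SSHbase client.example.com \
#            ssh_host_rsa_key ssh_host_ecdsa_key ssh_host_ed25519_key
```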

Run the bcfg2 client (again)

bcfg2 -vqn

This time, we will only see one incorrect entry:

Phase: initial
Correct entries:        6
Incorrect entries:      1
Total managed entries:  7
Unmanaged entries:      649

In dryrun mode: suppressing entry installation for:
 Path:/etc/ssh/ssh_known_hosts

Phase: final
Correct entries:        6
Incorrect entries:      1
 Path:/etc/ssh/ssh_known_hosts
Total managed entries:  7
Unmanaged entries:      649

Now, the only wrong entry is the ssh_known_hosts file, so go ahead and install it:

bcfg2 -vqI

After answering ‘y’ to the interactive prompt, the client will install the known_hosts file successfully.