SSHbase is a purpose-built Bcfg2 plugin for managing ssh host keys. It is responsible for making ssh keys persist beyond a client rebuild and building a proper ssh_known_hosts file, including a correct localhost record for the current system.
It has two functions:
SSHbase has support for Aliases listed in clients.xml. The address for the entries are specified either through DNS (e.g. a CNAME), or via the address attribute to the Alias.
At this point, SSHbase will generate new keys for any client without a recorded key in the repository, and will generate an ssh_known_hosts file appropriately.
SSHbase currently supports the following key formats:
New in version 1.2.0.
In addition to host-specific keys, SSHbase also supports group-specific keys, e.g., for a high-availability cluster or similar application. Group-specific keys must be pre-seeded; SSHbase cannot create group-specific keys itself.
To use group-specific keys, simply create SSHbase/<key filename>.Gxx_<group name>. For instance, ssh_host_dsa_key.pub.G65_foo-cluster.
If you have some hosts which are not managed by Bcfg2, but you would still like to have their public ssh keys available in ssh_known_hosts, you can add their public keys to the SSHbase directory with a .static ending.
Example:
a.static:
TEST1
b.static:
TEST2
The generated ssh_known_hosts file:
TEST1
TEST2
New in version 1.2.0.
You can also distribute a fully static ssh_known_hosts file on a per-host or per-group basis by creating SSHbase/ssh_known_hosts.H_<hostname> or SSHbase/ssh_known_hosts.Gxx_<group name>. Those files will be entirely static; Bcfg2 will not add any host keys to them itself.
New in version 1.2.0.
SSHbase supports use of an info.xml file to control the permissions and other metadata for the keys and ssh_known_hosts file. You can use the <Path> directive in info.xml to change the metadata for different keys, e.g.:
<FileInfo>
<Path name="/etc/ssh/ssh_host_dsa_key">
<Info owner="root" group="wheel" mode="0660"/>
</Path>
<Path name="/etc/ssh/ssh_host_dsa_key.pub">
<Info owner="root" group="wheel" mode="0664"/>
</Path>
</FileInfo>
Default permissions are as follows:
File | owner | group | mode | sensitive | paranoid | encoding |
---|---|---|---|---|---|---|
ssh_known_hosts | root | root | 0644 | false | false | None |
ssh_host_key | root | root | 0600 | false | false | base64 |
ssh_host_key.pub | root | root | 0644 | false | false | base64 |
ssh_host_[rsa|dsa|ecdsa]_key | root | root | 0600 | false | false | None |
ssh_host_[rsa|dsa|ecdsa]_key.pub | root | root | 0644 | false | false | None |
Note that the sensitive attribute is false, even for private keys, in order to permit pulling with bcfg2-admin. You should almost certainly set sensitive to “true” in info.xml.
http://www.ducea.com/2008/08/24/using-the-bcfg2-sshbase-plugin/
Note
The linked post uses deprecated ConfigFile entries. Path entries have since replaced these. See Configuration Entries.