cloud-init: Output public ssh host key (for known_hosts) #2224
Comments
Launchpad user Eric Hammond (esh) wrote on 2011-11-22T00:39:55.943973+00:00. Launchpad attachments: Dependencies.txt
Launchpad user Scott Moser (smoser) wrote on 2011-11-22T01:42:56+00:00
I've not read anything other than the ssh-keygen manpage, but it says: I can't see a good reason not to use something that is widely documented. Thoughts?
Launchpad user Eric Hammond (esh) wrote on 2011-11-22T03:03:42.470234+00:00
I've amended the original example to use "cat" instead of "cut" as it looks like the specific number of fields in the key may vary for some older formats (rsa1) and it removes the objection that I invented anything. I had been hoping to exclude the comment field, but agree it's not worth the effort/risk. The man page for sshd(8) documents the format for /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts in the "SSH_KNOWN_HOSTS FILE FORMAT" section. It includes the paragraphs:
and:
I suppose you could copy the information out of these files using ssh-keygen, but it converts the key to a different format. I lean towards copying the public key file directly because:
Launchpad user Scott Moser (smoser) wrote on 2011-12-20T05:16:06.194633+00:00
fix-committed in cloud-init trunk at http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/revision/493 .
Launchpad user Launchpad Janitor (janitor) wrote on 2011-12-22T09:10:13.291010+00:00
This bug was fixed in the package cloud-init - 0.6.3~bzr497-0ubuntu1
cloud-init (0.6.3~bzr497-0ubuntu1) precise; urgency=low
This bug was originally filed in Launchpad as LP: #893400
Launchpad details
Launchpad user Eric Hammond (esh) wrote on 2011-11-22T00:39:55.943973+00:00
In bug #892554, Kees Cook (kees) makes a great suggestion that cloud-init could output the public ssh host keys to the console output. This could then be read by automated software outside of the instance and added to a known_hosts file using the IP address and/or hostname that the remote system wishes to use to connect to the instance.
As Scott Moser (smoser) points out, the existing ssh host key fingerprints should be left in the output in the current de facto standard format so as to not break any existing software or human processes that check this.
The new output should be added using a different set of public ssh host key delimiters (see proposed format below).
There is no need to require a cloud-init configuration option; this information should always be output. Extra information in the console output should not interfere with any existing programs as long as it is separate from the existing formatted information.
The simplest way to present the information might be to just output the contents of all public host keys. For example:
cat /etc/ssh/ssh_host_*_key.pub
The client system would query the console output, select one of these ssh host keys, and add it to known_hosts, prepended by the IP address and/or hostnames that it wishes to use to connect to the instance.
Here's an example of what this might look like in the console output:
-----BEGIN PUBLIC SSH HOST KEYS-----
ssh-dss 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 root@ip-10-32-30-193
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ= root@ip-10-32-30-193
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0I3L8UiDoF4LkzpJNHBDM2w9JFE6CbvmAQgW6+czbDOwvrFxQU2rw2HLLUOn+Z2WCE5AJSY7E7pxCrDo1v27hkVgaM6KqWks74vYxIkqfGCyf31y1N8QrmVCsAC74KFp9rhwP0uHmrN8XUIYFik8MoNphf+2aKWieJdZtzQGQ22mNNKDkP1yX3Uvb1QI+8d770dcIqr61AwkUBQgPgPyeii8W7r2+nq1lNQEnYts0N+13+40lEShnrRtsdKY6diEVs2uQId7VWw04lXOzWGi8oSWlunDWyRCQPtfvBFQtJ8AsivyZjmBuN9VJSDHLY1EQhXayygKfi6u6GKFVLZmd root@ip-10-32-30-193
-----END PUBLIC SSH HOST KEYS-----
And here's an example of what the client system might add to known_hosts:
50.16.12.209,ec2-50-16-12-209.compute-1.amazonaws.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ= root@ip-10-32-30-193
or with hashing:
|1|q0CnRd/EVpfAXEVMAi7fqx0lFaI=|8BrFOu2+GGRMKDS+1WiVG8xpwt0= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ= root@ip-10-32-30-193
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: cloud-init 0.6.1-0ubuntu22
ProcVersionSignature: User Name 3.0.0-12.20-virtual 3.0.4
Uname: Linux 3.0.0-12-virtual i686
ApportVersion: 1.23-0ubuntu3
Architecture: i386
Date: Tue Nov 22 00:12:40 2011
Ec2AMI: ami-a7f539ce
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1a
Ec2InstanceType: m1.small
Ec2Kernel: aki-805ea7e9
Ec2Ramdisk: unavailable
PackageArchitecture: all
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: cloud-init
UpgradeStatus: No upgrade log present (probably fresh install)
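The client side of the procedure described in the report, as an added example that is neither cloud-init's code nor part of the bug report: it reads captured console output, takes only the lines between the proposed BEGIN/END delimiters, checks that each line's base64 blob really is a key of the declared type (the wire-format blob starts with a length-prefixed type string), and builds plain or hashed known_hosts entries for the addresses the client intends to connect with. The sample console text is constructed; the two key lines in it are the ecdsa and rsa lines from the report (the ssh-dss line is left out because its key body is not reproduced on the page). The function names are my own.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import List, NamedTuple, Optional

# Delimiters exactly as proposed in the bug report.
BEGIN = "-----BEGIN PUBLIC SSH HOST KEYS-----"
END = "-----END PUBLIC SSH HOST KEYS-----"

# Constructed sample console output: the two reproducible key lines from the
# report, wrapped in unrelated boot output (not real captured output).
SAMPLE_CONSOLE = """\
[    3.210000] eth0: link is up
-----BEGIN PUBLIC SSH HOST KEYS-----
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ= root@ip-10-32-30-193
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0I3L8UiDoF4LkzpJNHBDM2w9JFE6CbvmAQgW6+czbDOwvrFxQU2rw2HLLUOn+Z2WCE5AJSY7E7pxCrDo1v27hkVgaM6KqWks74vYxIkqfGCyf31y1N8QrmVCsAC74KFp9rhwP0uHmrN8XUIYFik8MoNphf+2aKWieJdZtzQGQ22mNNKDkP1yX3Uvb1QI+8d770dcIqr61AwkUBQgPgPyeii8W7r2+nq1lNQEnYts0N+13+40lEShnrRtsdKY6diEVs2uQId7VWw04lXOzWGi8oSWlunDWyRCQPtfvBFQtJ8AsivyZjmBuN9VJSDHLY1EQhXayygKfi6u6GKFVLZmd root@ip-10-32-30-193
-----END PUBLIC SSH HOST KEYS-----
cloud-init boot finished
"""


class HostKey(NamedTuple):
    keytype: str
    blob_b64: str
    comment: str


def _check_blob(keytype: str, blob_b64: str) -> None:
    """The blob is an SSH wire-format public key whose first field is a
    length-prefixed string naming the key type; require that it decodes and
    agrees with the declared type so a corrupt or edited line is rejected."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("bad base64 in key line: %s" % exc)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("key blob truncated")
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != keytype:
        raise ValueError("line declares %s but blob is %s" % (keytype, embedded))


def extract_host_keys(console_text: str) -> List[HostKey]:
    """Return the keys between BEGIN and END. Only that block is read, so no
    other console line can contribute a key, and one malformed line fails
    the whole extraction instead of being skipped silently."""
    lines = [l.strip() for l in console_text.splitlines()]
    if BEGIN not in lines:
        raise ValueError("no public host key block in console output")
    start = lines.index(BEGIN)
    if END not in lines[start + 1:]:
        raise ValueError("host key block is not terminated")
    end = lines.index(END, start + 1)
    keys = []
    for line in lines[start + 1:end]:
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            raise ValueError("malformed host key line: %r" % line)
        keytype, blob_b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        _check_blob(keytype, blob_b64)
        keys.append(HostKey(keytype, blob_b64, comment))
    return keys


def hash_host(host: str, salt: Optional[bytes] = None) -> str:
    """OpenSSH hashed form |1|b64(salt)|b64(HMAC-SHA1(salt, host)) with a
    20-byte salt; one name per entry, a comma-separated list is never hashed whole."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def matches_hashed_host(hosts_field: str, host: str) -> bool:
    """Recompute the HMAC with the entry's own salt, as ssh does on lookup."""
    if not hosts_field.startswith("|1|"):
        return False
    _, _, salt_b64, mac_b64 = hosts_field.split("|", 3)
    expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def known_hosts_lines(keys, hosts, hashed=False, salt=None) -> List[str]:
    """Pair every key with the names the client will use: the plain form
    lists all names in one field, the hashed form emits one entry per name."""
    out = []
    for key in keys:
        tail = " ".join(p for p in (key.keytype, key.blob_b64, key.comment) if p)
        if hashed:
            out.extend("%s %s" % (hash_host(h, salt), tail) for h in hosts)
        else:
            out.append("%s %s" % (",".join(hosts), tail))
    return out


if __name__ == "__main__":
    found = extract_host_keys(SAMPLE_CONSOLE)
    names = ["50.16.12.209", "ec2-50-16-12-209.compute-1.amazonaws.com"]
    print("\n".join(known_hosts_lines(found, names)))
    print("\n".join(known_hosts_lines(found, names, hashed=True)))
```

The type check in `_check_blob` is the part worth keeping even if the rest is replaced: a line that says `ssh-rsa` but carries an ECDSA blob is rejected, and the whole extraction fails on any bad line, which is the safe failure mode when the goal is to avoid a trust-on-first-use prompt rather than to get some entry written at any cost. Adding all keys rather than "selecting one" is harmless for known_hosts and avoids guessing which key type the client's ssh will negotiate.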