Closed
Description
HostKeys are currently checked to exist, but we don't check versions. As it turns out, there are different default host keys available for old vs new SSH versions. As an example: RedHat/CentOS/Oracle 6.4:
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_rsa_key
And moving slightly over, Ubuntu 12.04:
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_rsa_key
We have 2 choices: either require HostKeys and adopt checking for the different versions and OSes, or ignore this field for hardening. If we support it, we have to make sure we use the correct fields in both Puppet and Chef as well.
SSH server already does some nice checking when starting to see if the host key is not world-writable. Also, the defaults are sane for all supported operating systems. Imho, unless there is a reason to specify, we should leave it out of integration testing.
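As an added example (not code from this issue or from the project's own test suite), the following Ruby shows what a version-aware HostKeys check would have to do if it were kept in integration testing: resolve the effective key list (explicit HostKey directives in sshd_config, otherwise the per-OS defaults listed above), then verify each key exists and is not readable or writable by group or others, which is the condition under which sshd itself logs "bad permissions: ignore key" at startup. The DEFAULT_HOST_KEYS table is built only from the two lists in the issue, the os_family names are made up for this example, and the root: keyword is an assumption that lets the check run against a staged directory tree instead of the real /etc/ssh.

```ruby
require 'fileutils'
require 'tmpdir'

# Default host key paths per OS family, taken from the two lists in the issue.
# Constructed table for this example; real defaults depend on the sshd build.
DEFAULT_HOST_KEYS = {
  'redhat6'    => %w[/etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_key /etc/ssh/ssh_host_rsa_key],
  'ubuntu1204' => %w[/etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_rsa_key]
}.freeze

# Effective HostKey list: explicit HostKey directives in sshd_config win;
# when none are present, sshd falls back to its compiled-in defaults.
def effective_host_keys(config_text, os_family)
  explicit = config_text.each_line
                        .map(&:strip)
                        .reject { |l| l.empty? || l.start_with?('#') }
                        .select { |l| l =~ /\AHostKey\s+/i }
                        .map { |l| l.split(/\s+/, 2)[1] }
  explicit.empty? ? DEFAULT_HOST_KEYS.fetch(os_family) : explicit
end

# Check one private host key the way sshd does at startup: the file must exist,
# and sshd refuses ("bad permissions: ignore key") a private key that is
# readable or writable by group or others. `root` (assumed parameter) lets the
# check run against a staged tree instead of the live filesystem.
def check_host_key(path, root: '/')
  full = File.join(root, path)
  return { path: path, status: :missing } unless File.file?(full)

  mode = File.stat(full).mode & 0o777
  status = (mode & 0o077).zero? ? :ok : :bad_perms
  { path: path, status: status, mode: format('%04o', mode) }
end

# Audit every effective host key for the given config and OS family.
def audit_host_keys(config_text, os_family, root: '/')
  effective_host_keys(config_text, os_family).map { |p| check_host_key(p, root: root) }
end

# Stand-alone demo against a constructed directory tree (no real /etc/ssh touched).
if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |root|
    ssh_dir = File.join(root, 'etc/ssh')
    FileUtils.mkdir_p(ssh_dir)
    File.write(File.join(ssh_dir, 'ssh_host_rsa_key'), 'constructed')
    File.chmod(0o600, File.join(ssh_dir, 'ssh_host_rsa_key'))
    File.write(File.join(ssh_dir, 'ssh_host_ecdsa_key'), 'constructed')
    File.chmod(0o644, File.join(ssh_dir, 'ssh_host_ecdsa_key'))
    audit_host_keys("# no HostKey lines\nPort 22\n", 'ubuntu1204', root: root).each do |r|
      puts "#{r[:path]}: #{r[:status]} #{r[:mode]}"
    end
  end
end
```

Run against the staged tree above, the Ubuntu 12.04 defaults yield one missing key (dsa), one with bad permissions (ecdsa, 0644) and one ok (rsa, 0600); the same config under the EL 6.4 table would instead flag ssh_host_key as missing, which is exactly the per-OS divergence the issue describes.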