The Chef ssh_known_hosts cookbook exposes an LWRP and default recipe for adding hosts and keys to the /etc/ssh_known_hosts file.
- The default recipe builds
/etc/ssh/known_hostsbased on search indexes and ohai data. - The LWRP provides a way to add custom entries in your own recipes.
You can also optionally put other host keys in a data bag called "ssh_known_hosts". See below for details.
- An operating system that supports
/etc/ssh/ssh_known_hosts - (Chef Search is required for the default recipe, but not the LWRP)
Use the LWRP ssh_known_hosts_entry to append an entry for the
specified host in /etc/ssh/ssh_known_hosts. For example:
ssh_known_hosts_entry 'github.com'This will append an entry in /etc/ssh/ssh_known_hosts like this:
# github.com SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1+github8
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
You can optionally specify your own key, if you don't want to use ssh-keyscan:
ssh_known_hosts_entry 'github.com' do
key 'node.example.com ssh-rsa ...'
end| Attribute | Description | Example | Default |
|---|---|---|---|
| host | the host to add | github.com | |
| key | (optional) provide your own key | ssh-rsa ... | ssh-keyscan -H #{host} |
Searches the Chef Server for all hosts that have SSH host keys and generates an /etc/ssh/ssh_known_hosts.
There are two ways to add custom host keys. You can either use the provided LWRP (see above), or by creating a data bag called "ssh_known_hosts" and adding an item for each host:
{
"id": "github",
"fqdn": "github.com",
"rsa": "github-rsa-host-key"
}There are additional optional values you may use in the data bag:
| Attribute | Description | Example | Default |
|---|---|---|---|
| id | a unique id for this data bag entry | github | |
| fqdn | the fqdn of the host | github.com | |
| rsa | the rsa key for this server | ssh-rsa AAAAB3... | |
| ipaddress | the ipaddress of the node (if fqdn is missing) | 1.1.1.1 | |
| hostname | local hostname of the server (if not a fqdn) | myserver.local | |
| dsa | the dsa key for this server | ssh-dsa ABAAC3... |
- Author:: Scott M. Likens (scott@likens.us)
- Author:: Seth Vargo (sethvargo@gmail.com)
Copyright:: 2011-2013, Opscode, Inc
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.