bcfg2-doc-1.3.0-1.fc17.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>SSHbase &mdash; Bcfg2 1.3.0 documentation</title>
    
    <link rel="stylesheet" href="../../../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../../../',
        VERSION:     '1.3.0',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../../../_static/jquery.js"></script>
    <script type="text/javascript" src="../../../_static/underscore.js"></script>
    <script type="text/javascript" src="../../../_static/doctools.js"></script>
    <script type="text/javascript" src="../../../_static/sidebar.js"></script>
    <link rel="shortcut icon" href="../../../_static/favicon.ico"/>
    <link rel="top" title="Bcfg2 1.3.0 documentation" href="../../../index.html" />
    <link rel="up" title="Plugins" href="../index.html" />
    <link rel="next" title="SSLCA" href="sslca.html" />
    <link rel="prev" title="SEModules" href="semodules.html" />
 
<link rel="stylesheet" href="../../../_static/bcfg2.css" type=""/>

  </head>
  <body>

<div style="text-align: left; padding: 10px 10px 15px 15px">
<a href="../../../index.html"><img src="../../../_static/bcfg2_logo.png" border="0" alt="sampledoc"/></a>
</div>

    <div class="related">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="../../../genindex.html" title="General Index"
             accesskey="I">index</a></li>
        <li class="right" >
          <a href="../../../py-modindex.html" title="Python Module Index"
             >modules</a> |</li>
        <li class="right" >
          <a href="sslca.html" title="SSLCA"
             accesskey="N">next</a> |</li>
        <li class="right" >
          <a href="semodules.html" title="SEModules"
             accesskey="P">previous</a> |</li>
	<li><a href="../../../index.html">home</a> |&nbsp;</li>
	<!--<li><a href="../../../search.html">search</a> |&nbsp;</li>-->
	<li><a href="../../../help/index.html">help</a> |&nbsp;</li>
	<li><a href="../../../contents.html">documentation </a> &raquo;</li>

          <li><a href="../../../contents.html" >Bcfg2 documentation 1.3.0</a> &raquo;</li>
          <li><a href="../../index.html" >The Bcfg2 Server</a> &raquo;</li>
          <li><a href="../index.html" accesskey="U">Plugins</a> &raquo;</li> 
      </ul>
    </div>
  

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body">
            
  <div class="section" id="sshbase">
<span id="server-plugins-generators-sshbase"></span><h1>SSHbase<a class="headerlink" href="#sshbase" title="Permalink to this headline">¶</a></h1>
<p>SSHbase is a purpose-built Bcfg2 plugin for managing ssh host keys. It
is responsible for making ssh keys persist beyond a client rebuild and
building a proper <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file, including a correct localhost
record for the current system.</p>
<p>It has two functions:</p>
<ul class="simple">
<li>Generating new ssh keys &#8211; When a client requests a dsa, rsa, or v1 key,
and there is no existing key in the repository, one is generated.</li>
<li>Maintaining the <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file &#8211; all current known public
keys (and extra public key stores) are integrated into a single
<tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file, and a localhost record for the current client
is added. The <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file data is updated whenever any
keys change, are added, or deleted.</li>
</ul>
<div class="section" id="interacting-with-sshbase">
<h2>Interacting with SSHbase<a class="headerlink" href="#interacting-with-sshbase" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Pre-seeding with existing keys &#8211; Currently existing keys will be
overwritten by new, sshbase-managed ones by default. Pre-existing
keys can be added to the repository by putting them in
<tt class="docutils literal"><span class="pre">&lt;repo&gt;/SSHbase/&lt;key</span> <span class="pre">filename&gt;.H_&lt;hostname&gt;</span></tt></li>
<li>Pre-seeding can also be performed using <tt class="docutils literal"><span class="pre">bcfg2-admin</span> <span class="pre">pull</span>
<span class="pre">ConfigFile</span> <span class="pre">/name/of/ssh/key</span></tt></li>
<li>Revoking existing keys &#8211; deleting
<tt class="docutils literal"><span class="pre">&lt;repo&gt;/SSHbase/*.H_&lt;hostname&gt;</span></tt> will remove keys for an existing
client.</li>
</ul>
</div>
<div class="section" id="aliases">
<h2>Aliases<a class="headerlink" href="#aliases" title="Permalink to this headline">¶</a></h2>
<p>SSHbase has support for Aliases listed in <a class="reference internal" href="../grouping/metadata.html#server-plugins-grouping-metadata-clients-xml"><em>clients.xml</em></a>. The addresses for the
entries are specified either through DNS (e.g. a CNAME), or via the
address attribute of the Alias.</p>
</div>
<div class="section" id="getting-started">
<h2>Getting started<a class="headerlink" href="#getting-started" title="Permalink to this headline">¶</a></h2>
<ol class="arabic simple">
<li>Add SSHbase to the <strong>plugins</strong> line in <tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt> and
restart the server. This enables the SSHbase plugin on the Bcfg2
server.</li>
<li>Add Path entries for <tt class="docutils literal"><span class="pre">/etc/ssh/ssh_known_hosts</span></tt>,
<tt class="docutils literal"><span class="pre">/etc/ssh/ssh_host_dsa_key</span></tt>, <tt class="docutils literal"><span class="pre">/etc/ssh/ssh_host_dsa_key.pub</span></tt>,
etc., to a bundle.</li>
<li>Enjoy.</li>
</ol>
<p>At this point, SSHbase will generate new keys for any client without
a recorded key in the repository, and will generate an
<tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file appropriately.</p>
</div>
<div class="section" id="supported-key-formats">
<h2>Supported key formats<a class="headerlink" href="#supported-key-formats" title="Permalink to this headline">¶</a></h2>
<p>SSHbase currently supports the following key formats:</p>
<ul class="simple">
<li>RSA1 (<tt class="docutils literal"><span class="pre">ssh_host_key</span></tt>, <tt class="docutils literal"><span class="pre">ssh_host_key.pub</span></tt>)</li>
<li>RSA2 (<tt class="docutils literal"><span class="pre">ssh_host_rsa_key</span></tt>, <tt class="docutils literal"><span class="pre">ssh_host_rsa_key.pub</span></tt>)</li>
<li>DSA (<tt class="docutils literal"><span class="pre">ssh_host_dsa_key</span></tt>, <tt class="docutils literal"><span class="pre">ssh_host_dsa_key.pub</span></tt>)</li>
<li>ECDSA (<tt class="docutils literal"><span class="pre">ssh_host_ecdsa_key</span></tt>, <tt class="docutils literal"><span class="pre">ssh_host_ecdsa_key.pub</span></tt>)</li>
</ul>
</div>
<div class="section" id="group-specific-keys">
<h2>Group-specific keys<a class="headerlink" href="#group-specific-keys" title="Permalink to this headline">¶</a></h2>
<p class="versionadded">
<span class="versionmodified">New in version 1.2.0.</span></p>
<p>In addition to host-specific keys, SSHbase also supports
group-specific keys, e.g., for a high-availability cluster or similar
application.  Group-specific keys must be pre-seeded; SSHbase cannot
create group-specific keys itself.</p>
<p>To use group-specific keys, simply create <tt class="docutils literal"><span class="pre">SSHbase/&lt;key</span>
<span class="pre">filename&gt;.Gxx_&lt;group</span> <span class="pre">name&gt;</span></tt>.  For instance,
<tt class="docutils literal"><span class="pre">ssh_host_dsa_key.pub.G65_foo-cluster</span></tt>.</p>
</div>
<div class="section" id="adding-public-keys-for-unmanaged-hosts">
<h2>Adding public keys for unmanaged hosts<a class="headerlink" href="#adding-public-keys-for-unmanaged-hosts" title="Permalink to this headline">¶</a></h2>
<p>If you have some hosts which are not managed by Bcfg2, but you would
still like to have their public ssh keys available in
<tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt>, you can add their public keys to the <tt class="docutils literal"><span class="pre">SSHbase</span></tt>
directory with a <em>.static</em> ending.</p>
<p>Example:</p>
<p><tt class="docutils literal"><span class="pre">a.static</span></tt>:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">TEST1</span>
</pre></div>
</div>
<p><tt class="docutils literal"><span class="pre">b.static</span></tt>:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">TEST2</span>
</pre></div>
</div>
<p>The generated <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">TEST1</span>
<span class="n">TEST2</span>
</pre></div>
</div>
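<p>The merge that the page describes (per-host <tt class="docutils literal"><span class="pre">.H_&lt;hostname&gt;</span></tt> public keys, per-group <tt class="docutils literal"><span class="pre">.Gxx_&lt;group&gt;</span></tt> public keys, verbatim <tt class="docutils literal"><span class="pre">.static</span></tt> files, alias and address data from <tt class="docutils literal"><span class="pre">clients.xml</span></tt>, and a localhost record for the client being built) is modelled below as an added example. It is not SSHbase's own code: the in-memory repository, client names, aliases, addresses, group membership and key strings are all constructed, and the exact shape of the localhost record and of the group-key lines is an assumption made for illustration. The one property worth checking in any such merge is that a private key half that happens to sit in the same directory can never end up in the generated file.</p>

```python
"""Merge SSHbase-style public key files into a single ssh_known_hosts.

Added example, not Bcfg2 code.  Models the merge described on this page;
every hostname, alias, address and key string below is constructed.
"""
import re

# File naming scheme from the page: <key filename>[.pub].H_<host> or .Gxx_<group>
KEYFILE_RE = re.compile(
    r"^(?P<base>ssh_host(?:_(?:rsa|dsa|ecdsa))?_key)(?P<pub>\.pub)?"
    r"\.(?:H_(?P<host>[^/]+)|G\d+_(?P<group>[^/]+))$"
)

# Constructed mini-repository: {filename under SSHbase/: file contents}
REPO = {
    "ssh_host_rsa_key.pub.H_web1.example.com": "ssh-rsa AAAAB3NzaC1yc2E...web1 root@web1",
    "ssh_host_ecdsa_key.pub.H_web1.example.com": "ecdsa-sha2-nistp256 AAAAE2VjZHNh...web1 root@web1",
    "ssh_host_rsa_key.pub.H_db1.example.com": "ssh-rsa AAAAB3NzaC1yc2E...db1 root@db1",
    "ssh_host_rsa_key.pub.G65_foo-cluster": "ssh-rsa AAAAB3NzaC1yc2E...cluster root@cluster",
    # private half, stored alongside; must never reach ssh_known_hosts
    "ssh_host_rsa_key.H_web1.example.com": "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n",
    "a.static": "TEST1\n",
    "b.static": "TEST2\n",
}

# Constructed clients.xml data: hostname -> (aliases, address)
CLIENTS = {
    "web1.example.com": (["web1", "www.example.com"], "192.0.2.10"),
    "db1.example.com": ([], "192.0.2.20"),
}

# Constructed group membership (assumption: a group key is listed for every member)
GROUPS = {"foo-cluster": ["web1.example.com", "db1.example.com"]}


def parse_key_filename(name):
    """Classify a file in SSHbase/ by name; None for non-key files such as *.static."""
    m = KEYFILE_RE.match(name)
    if not m:
        return None
    return {"base": m.group("base"), "public": m.group("pub") is not None,
            "host": m.group("host"), "group": m.group("group")}


def public_key_fields(contents):
    """Keep '<keytype> <base64>' from a .pub line and drop the trailing comment."""
    parts = contents.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    return parts[0] + " " + parts[1]


def host_field(hostname, clients):
    """known_hosts name list: hostname, then its aliases, then its address."""
    aliases, address = clients.get(hostname, ([], None))
    return ",".join([hostname] + list(aliases) + ([address] if address else []))


def build_known_hosts(repo, clients, groups, client):
    """Return the ssh_known_hosts text for `client`, in deterministic order."""
    lines = []
    for name in sorted(repo):
        info = parse_key_filename(name)
        if info is None or not info["public"]:
            continue  # skip static files here and never emit private halves
        key = public_key_fields(repo[name])
        if info["host"]:
            lines.append(host_field(info["host"], clients) + " " + key)
            if info["host"] == client:
                # assumed shape of the localhost record for the current client
                lines.append("localhost,localhost.localdomain,127.0.0.1 " + key)
        else:
            for member in groups.get(info["group"], []):
                lines.append(host_field(member, clients) + " " + key)
    for name in sorted(repo):
        if name.endswith(".static"):
            lines.extend(l for l in repo[name].splitlines() if l.strip())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_known_hosts(REPO, CLIENTS, GROUPS, "web1.example.com"), end="")
```

<p>Running the block prints nine lines for <tt class="docutils literal"><span class="pre">web1.example.com</span></tt>: its two host keys, each followed by a localhost record, the cluster key listed once per member, the key for <tt class="docutils literal"><span class="pre">db1</span></tt>, and the two static files appended verbatim, while the private key in the same directory is ignored.</p>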
</div>
<div class="section" id="static-ssh-known-hosts-file">
<h2>Static ssh_known_hosts file<a class="headerlink" href="#static-ssh-known-hosts-file" title="Permalink to this headline">¶</a></h2>
<p class="versionadded">
<span class="versionmodified">New in version 1.2.0.</span></p>
<p>You can also distribute a fully static <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file on a
per-host or per-group basis by creating
<tt class="docutils literal"><span class="pre">SSHbase/ssh_known_hosts.H_&lt;hostname&gt;</span></tt> or
<tt class="docutils literal"><span class="pre">SSHbase/ssh_known_hosts.Gxx_&lt;group</span> <span class="pre">name&gt;</span></tt>.  Those files will be
entirely static; Bcfg2 will not add any host keys to them itself.</p>
</div>
<div class="section" id="permissions-and-metadata">
<h2>Permissions and Metadata<a class="headerlink" href="#permissions-and-metadata" title="Permalink to this headline">¶</a></h2>
<p class="versionadded">
<span class="versionmodified">New in version 1.2.0.</span></p>
<p>SSHbase supports use of an <a class="reference internal" href="../../info.html#server-info"><em>info.xml</em></a> file to
control the permissions and other metadata for the keys and
<tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file.  You can use the <tt class="docutils literal"><span class="pre">&lt;Path&gt;</span></tt> directive in
<tt class="docutils literal"><span class="pre">info.xml</span></tt> to change the metadata for different keys, e.g.:</p>
<div class="highlight-python"><pre>&lt;FileInfo&gt;
  &lt;Path name="/etc/ssh/ssh_host_dsa_key"&gt;
    &lt;Info owner="root" group="wheel" mode="0660"/&gt;
  &lt;/Path&gt;
  &lt;Path name="/etc/ssh/ssh_host_dsa_key.pub"&gt;
    &lt;Info owner="root" group="wheel" mode="0664"/&gt;
  &lt;/Path&gt;
&lt;/FileInfo&gt;</pre>
</div>
<p>Default permissions are as follows:</p>
<table border="1" class="docutils">
<colgroup>
<col width="40%" />
<col width="8%" />
<col width="8%" />
<col width="7%" />
<col width="13%" />
<col width="12%" />
<col width="12%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">File</th>
<th class="head">owner</th>
<th class="head">group</th>
<th class="head">mode</th>
<th class="head">sensitive</th>
<th class="head">paranoid</th>
<th class="head">encoding</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>ssh_known_hosts</td>
<td>root</td>
<td>root</td>
<td>0644</td>
<td>false</td>
<td>false</td>
<td>None</td>
</tr>
<tr class="row-odd"><td>ssh_host_key</td>
<td>root</td>
<td>root</td>
<td>0600</td>
<td>false</td>
<td>false</td>
<td>base64</td>
</tr>
<tr class="row-even"><td>ssh_host_key.pub</td>
<td>root</td>
<td>root</td>
<td>0644</td>
<td>false</td>
<td>false</td>
<td>base64</td>
</tr>
<tr class="row-odd"><td>ssh_host_[rsa|dsa|ecdsa]_key</td>
<td>root</td>
<td>root</td>
<td>0600</td>
<td>false</td>
<td>false</td>
<td>None</td>
</tr>
<tr class="row-even"><td>ssh_host_[rsa|dsa|ecdsa]_key.pub</td>
<td>root</td>
<td>root</td>
<td>0644</td>
<td>false</td>
<td>false</td>
<td>None</td>
</tr>
</tbody>
</table>
<p>Note that the <tt class="docutils literal"><span class="pre">sensitive</span></tt> attribute is false, even for private keys,
in order to permit <a class="reference internal" href="../../admin/pull.html#server-admin-pull"><em>pulling with bcfg2-admin</em></a>.  You should almost certainly set <tt class="docutils literal"><span class="pre">sensitive</span></tt>
to &#8220;true&#8221; in <tt class="docutils literal"><span class="pre">info.xml</span></tt>.</p>
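<p>Because the defaults above leave private host keys with <tt class="docutils literal"><span class="pre">sensitive="false"</span></tt>, and because a <tt class="docutils literal"><span class="pre">&lt;Path&gt;</span></tt> override can loosen the mode (the page's own example sets <tt class="docutils literal"><span class="pre">0660</span></tt> on a private key), a repository check that resolves the effective metadata for each key is worth having. The following is an added example and not part of Bcfg2: it parses a <tt class="docutils literal"><span class="pre">FileInfo</span></tt> document with the standard library, starts from the defaults in the table above, applies any <tt class="docutils literal"><span class="pre">&lt;Path&gt;</span></tt>/<tt class="docutils literal"><span class="pre">&lt;Info&gt;</span></tt> overrides, and reports private keys that are group- or world-readable or not marked <tt class="docutils literal"><span class="pre">sensitive="true"</span></tt>. The <tt class="docutils literal"><span class="pre">info.xml</span></tt> text inside it is constructed.</p>

```python
"""Audit an SSHbase info.xml against the default-permission table on this page.

Added example, not Bcfg2 code.  The info.xml below is constructed; the
defaults come from the page's table.
"""
import xml.etree.ElementTree as ET

PRIVATE_KEYS = ("ssh_host_key", "ssh_host_rsa_key",
                "ssh_host_dsa_key", "ssh_host_ecdsa_key")
ATTRS = ("owner", "group", "mode", "sensitive")

# Constructed info.xml, modelled on the page's example plus one hardened entry
SAMPLE_INFO_XML = """<FileInfo>
  <Path name="/etc/ssh/ssh_host_dsa_key">
    <Info owner="root" group="wheel" mode="0660"/>
  </Path>
  <Path name="/etc/ssh/ssh_host_rsa_key">
    <Info owner="root" group="root" mode="0600" sensitive="true"/>
  </Path>
</FileInfo>
"""

# Paths a bundle would typically carry for this plugin (constructed list)
SAMPLE_PATHS = [
    "/etc/ssh/ssh_known_hosts",
    "/etc/ssh/ssh_host_dsa_key",
    "/etc/ssh/ssh_host_rsa_key",
    "/etc/ssh/ssh_host_ecdsa_key",
    "/etc/ssh/ssh_host_rsa_key.pub",
]


def default_info(path):
    """Defaults from the page's table, keyed on the file's basename.
    Returns None for files SSHbase does not manage."""
    base = path.rsplit("/", 1)[-1]
    if base == "ssh_known_hosts" or base.endswith(".pub"):
        mode = "0644"
    elif base in PRIVATE_KEYS:
        mode = "0600"
    else:
        return None
    return {"owner": "root", "group": "root", "mode": mode, "sensitive": "false"}


def effective_info(info_xml, path):
    """Defaults overridden by every <Path name=...><Info .../> that names `path`."""
    info = default_info(path)
    if info is None:
        return None
    root = ET.fromstring(info_xml)
    for p in root.findall("Path"):
        if p.get("name") != path:
            continue
        for i in p.findall("Info"):
            for attr in ATTRS:
                if i.get(attr) is not None:
                    info[attr] = i.get(attr)
    return info


def audit(info_xml, paths):
    """Return (path, problem) pairs for private keys with weak metadata."""
    findings = []
    for path in paths:
        info = effective_info(info_xml, path)
        if info is None or path.rsplit("/", 1)[-1] not in PRIVATE_KEYS:
            continue
        if int(info["mode"], 8) & 0o077:
            findings.append((path, "private key readable by group/other: mode " + info["mode"]))
        if info["sensitive"].lower() != "true":
            findings.append((path, 'private key not marked sensitive="true"'))
    return findings


if __name__ == "__main__":
    for path, problem in audit(SAMPLE_INFO_XML, SAMPLE_PATHS):
        print(path + ": " + problem)
```

<p>Against the constructed sample the audit reports three problems: the DSA key is group-readable and not sensitive, and the ECDSA key, which has no override at all, inherits the default <tt class="docutils literal"><span class="pre">sensitive="false"</span></tt>. The RSA key, with an explicit <tt class="docutils literal"><span class="pre">0600</span></tt> and <tt class="docutils literal"><span class="pre">sensitive="true"</span></tt>, passes.</p>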
</div>
<div class="section" id="blog-post">
<h2>Blog post<a class="headerlink" href="#blog-post" title="Permalink to this headline">¶</a></h2>
<p><a class="reference external" href="http://www.ducea.com/2008/08/24/using-the-bcfg2-sshbase-plugin/">http://www.ducea.com/2008/08/24/using-the-bcfg2-sshbase-plugin/</a></p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">The linked post uses deprecated ConfigFile entries. Path entries
have since replaced these. See <a class="reference internal" href="../../configurationentries.html#server-configurationentries"><em>Configuration Entries</em></a>.</p>
</div>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="sphinxsidebar">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../../../index.html">Table Of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">SSHbase</a><ul>
<li><a class="reference internal" href="#interacting-with-sshbase">Interacting with SSHbase</a></li>
<li><a class="reference internal" href="#aliases">Aliases</a></li>
<li><a class="reference internal" href="#getting-started">Getting started</a></li>
<li><a class="reference internal" href="#supported-key-formats">Supported key formats</a></li>
<li><a class="reference internal" href="#group-specific-keys">Group-specific keys</a></li>
<li><a class="reference internal" href="#adding-public-keys-for-unmanaged-hosts">Adding public keys for unmanaged hosts</a></li>
<li><a class="reference internal" href="#static-ssh-known-hosts-file">Static ssh_known_hosts file</a></li>
<li><a class="reference internal" href="#permissions-and-metadata">Permissions and Metadata</a></li>
<li><a class="reference internal" href="#blog-post">Blog post</a></li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="semodules.html"
                        title="previous chapter">SEModules</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="sslca.html"
                        title="next chapter">SSLCA</a></p>
  <h3>This Page</h3>
  <ul class="this-page-menu">
    <li><a href="../../../_sources/server/plugins/generators/sshbase.txt"
           rel="nofollow">Show Source</a></li>
  </ul>
<div id="searchbox" style="display: none">
  <h3>Quick search</h3>
    <form class="search" action="../../../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    <p class="searchtip" style="font-size: 90%">
    Enter search terms or a module, class or function name.
    </p>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="related">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="../../../genindex.html" title="General Index"
             >index</a></li>
        <li class="right" >
          <a href="../../../py-modindex.html" title="Python Module Index"
             >modules</a> |</li>
        <li class="right" >
          <a href="sslca.html" title="SSLCA"
             >next</a> |</li>
        <li class="right" >
          <a href="semodules.html" title="SEModules"
             >previous</a> |</li>
	<li><a href="../../../index.html">home</a> |&nbsp;</li>
	<!--<li><a href="../../../search.html">search</a> |&nbsp;</li>-->
	<li><a href="../../../help/index.html">help</a> |&nbsp;</li>
	<li><a href="../../../contents.html">documentation </a> &raquo;</li>

          <li><a href="../../../contents.html" >Bcfg2 documentation 1.3.0</a> &raquo;</li>
          <li><a href="../../index.html" >The Bcfg2 Server</a> &raquo;</li>
          <li><a href="../index.html" >Plugins</a> &raquo;</li> 
      </ul>
    </div>
    <div class="footer">
        &copy; Copyright 2009-2013, Narayan Desai.
      Last updated on Mar 20, 2013.
      Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3.
    </div>
  </body>
</html>