<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>SSHbase — Bcfg2 1.3.0 documentation</title>
<link rel="stylesheet" href="../../../_static/default.css" type="text/css" />
<link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../../',
VERSION: '1.3.0',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="../../../_static/jquery.js"></script>
<script type="text/javascript" src="../../../_static/underscore.js"></script>
<script type="text/javascript" src="../../../_static/doctools.js"></script>
<script type="text/javascript" src="../../../_static/sidebar.js"></script>
<link rel="shortcut icon" href="../../../_static/favicon.ico"/>
<link rel="top" title="Bcfg2 1.3.0 documentation" href="../../../index.html" />
<link rel="up" title="Plugins" href="../index.html" />
<link rel="next" title="SSLCA" href="sslca.html" />
<link rel="prev" title="SEModules" href="semodules.html" />
<link rel="stylesheet" href="../../../_static/bcfg2.css" type=""/>
</head>
<body>
<div style="text-align: left; padding: 10px 10px 15px 15px">
<a href="../../../index.html"><img src="../../../_static/bcfg2_logo.png" border="0" alt="sampledoc"/></a>
</div>
<div class="related">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../../../genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="../../../py-modindex.html" title="Python Module Index"
>modules</a> |</li>
<li class="right" >
<a href="sslca.html" title="SSLCA"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="semodules.html" title="SEModules"
accesskey="P">previous</a> |</li>
<li><a href="../../../index.html">home</a> | </li>
<!--<li><a href="../../../search.html">search</a> | </li>-->
<li><a href="../../../help/index.html">help</a> | </li>
<li><a href="../../../contents.html">documentation </a> »</li>
<li><a href="../../../contents.html" >Bcfg2 documentation 1.3.0</a> »</li>
<li><a href="../../index.html" >The Bcfg2 Server</a> »</li>
<li><a href="../index.html" accesskey="U">Plugins</a> »</li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body">
<div class="section" id="sshbase">
<span id="server-plugins-generators-sshbase"></span><h1>SSHbase<a class="headerlink" href="#sshbase" title="Permalink to this headline">¶</a></h1>
<p>SSHbase is a purpose-built Bcfg2 plugin for managing ssh host keys. It
is responsible for making ssh keys persist beyond a client rebuild and
building a proper <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file, including a correct localhost
record for the current system.</p>
<p>It has two functions:</p>
<ul class="simple">
<li>Generating new ssh keys – When a client requests a dsa, rsa, or v1 key,
and there is no existing key in the repository, one is generated.</li>
<li>Maintaining the <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file – all current known public
keys (and extra public key stores) are integrated into a single
<tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file, and a localhost record for the current client
is added. The <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file data is updated whenever any
keys change, are added, or deleted.</li>
</ul>
<div class="section" id="interacting-with-sshbase">
<h2>Interacting with SSHbase<a class="headerlink" href="#interacting-with-sshbase" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Pre-seeding with existing keys – Currently existing keys will be
overwritten by new, sshbase-managed ones by default. Pre-existing
keys can be added to the repository by putting them in
<tt class="docutils literal"><span class="pre"><repo>/SSHbase/<key</span> <span class="pre">filename>.H_<hostname></span></tt></li>
<li>Pre-seeding can also be performed using <tt class="docutils literal"><span class="pre">bcfg2-admin</span> <span class="pre">pull</span>
<span class="pre">ConfigFile</span> <span class="pre">/name/of/ssh/key</span></tt></li>
<li>Revoking existing keys – deleting
<tt class="docutils literal"><span class="pre"><repo>/SSHbase/\*.H_<hostname></span></tt> will remove keys for an existing
client.</li>
</ul>
</div>
<div class="section" id="aliases">
<h2>Aliases<a class="headerlink" href="#aliases" title="Permalink to this headline">¶</a></h2>
<p>SSHbase has support for Aliases listed in <a class="reference internal" href="../grouping/metadata.html#server-plugins-grouping-metadata-clients-xml"><em>clients.xml</em></a>. The address for the
entries are specified either through DNS (e.g. a CNAME), or via the
address attribute to the Alias.</p>
</div>
<div class="section" id="getting-started">
<h2>Getting started<a class="headerlink" href="#getting-started" title="Permalink to this headline">¶</a></h2>
<ol class="arabic simple">
<li>Add SSHbase to the <strong>plugins</strong> line in <tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt> and
restart the server. This enables the SSHbase plugin on the Bcfg2
server.</li>
<li>Add Path entries for <tt class="docutils literal"><span class="pre">/etc/ssh/ssh_known_hosts</span></tt>,
<tt class="docutils literal"><span class="pre">/etc/ssh/ssh_host_dsa_key</span></tt>, <tt class="docutils literal"><span class="pre">/etc/ssh/ssh_host_dsa_key.pub</span></tt>,
etc., to a bundle.</li>
<li>Enjoy.</li>
</ol>
<p>At this point, SSHbase will generate new keys for any client without
a recorded key in the repository, and will generate an
<tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file appropriately.</p>
</div>
<div class="section" id="supported-key-formats">
<h2>Supported key formats<a class="headerlink" href="#supported-key-formats" title="Permalink to this headline">¶</a></h2>
<p>SSHbase currently supports the following key formats:</p>
<ul class="simple">
<li>RSA1 (<tt class="docutils literal"><span class="pre">ssh_host_key</span></tt>, <tt class="docutils literal"><span class="pre">ssh_host_key.pub</span></tt>)</li>
<li>RSA2 (<tt class="docutils literal"><span class="pre">ssh_host_rsa_key</span></tt>, <tt class="docutils literal"><span class="pre">ssh_host_rsa_key.pub</span></tt>)</li>
<li>DSA (<tt class="docutils literal"><span class="pre">ssh_host_dsa_key</span></tt>, <tt class="docutils literal"><span class="pre">ssh_host_dsa_key.pub</span></tt>)</li>
<li>ECDSA (<tt class="docutils literal"><span class="pre">ssh_host_ecdsa_key</span></tt>, <tt class="docutils literal"><span class="pre">ssh_host_ecdsa_key.pub</span></tt>)</li>
</ul>
</div>
<div class="section" id="group-specific-keys">
<h2>Group-specific keys<a class="headerlink" href="#group-specific-keys" title="Permalink to this headline">¶</a></h2>
<p class="versionadded">
<span class="versionmodified">New in version 1.2.0.</span></p>
<p>In addition to host-specific keys, SSHbase also supports
group-specific keys, e.g., for a high-availability cluster or similar
application. Group-specific keys must be pre-seeded; SSHbase cannot
create group-specific keys itself.</p>
<p>To use group-specific keys, simply create <tt class="docutils literal"><span class="pre">SSHbase/<key</span>
<span class="pre">filename>.Gxx_<group</span> <span class="pre">name></span></tt>. For instance,
<tt class="docutils literal"><span class="pre">ssh_host_dsa_key.pub.G65_foo-cluster</span></tt>.</p>
</div>
<div class="section" id="adding-public-keys-for-unmanaged-hosts">
<h2>Adding public keys for unmanaged hosts<a class="headerlink" href="#adding-public-keys-for-unmanaged-hosts" title="Permalink to this headline">¶</a></h2>
<p>If you have some hosts which are not managed by Bcfg2, but you would
still like to have their public ssh keys available in
<tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt>, you can add their public keys to the <tt class="docutils literal"><span class="pre">SSHbase</span></tt>
directory with a <em>.static</em> ending.</p>
<p>Example:</p>
<p><tt class="docutils literal"><span class="pre">a.static</span></tt>:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">TEST1</span>
</pre></div>
</div>
<p><tt class="docutils literal"><span class="pre">b.static</span></tt>:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">TEST2</span>
</pre></div>
</div>
<p>The generated <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">TEST1</span>
<span class="n">TEST2</span>
</pre></div>
</div>
</div>
<div class="section" id="static-ssh-known-hosts-file">
<h2>Static ssh_known_hosts file<a class="headerlink" href="#static-ssh-known-hosts-file" title="Permalink to this headline">¶</a></h2>
<p class="versionadded">
<span class="versionmodified">New in version 1.2.0.</span></p>
<p>You can also distribute a fully static <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file on a
per-host or per-group basis by creating
<tt class="docutils literal"><span class="pre">SSHbase/ssh_known_hosts.H_<hostname></span></tt> or
<tt class="docutils literal"><span class="pre">SSHbase/ssh_known_hosts.Gxx_<group</span> <span class="pre">name></span></tt>. Those files will be
entirely static; Bcfg2 will not add any host keys to them itself.</p>
</div>
<div class="section" id="permissions-and-metadata">
<h2>Permissions and Metadata<a class="headerlink" href="#permissions-and-metadata" title="Permalink to this headline">¶</a></h2>
<p class="versionadded">
<span class="versionmodified">New in version 1.2.0.</span></p>
<p>SSHbase supports use of an <a class="reference internal" href="../../info.html#server-info"><em>info.xml</em></a> file to
control the permissions and other metadata for the keys and
<tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file. You can use the <tt class="docutils literal"><span class="pre"><Path></span></tt> directive in
<tt class="docutils literal"><span class="pre">info.xml</span></tt> to change the metadata for different keys, e.g.:</p>
<div class="highlight-python"><pre><FileInfo>
<Path name="/etc/ssh/ssh_host_dsa_key">
<Info owner="root" group="wheel" mode="0660"/>
</Path>
<Path name="/etc/ssh/ssh_host_dsa_key.pub">
<Info owner="root" group="wheel" mode="0664"/>
</Path>
</FileInfo></pre>
</div>
<p>Default permissions are as follows:</p>
<table border="1" class="docutils">
<colgroup>
<col width="40%" />
<col width="8%" />
<col width="8%" />
<col width="7%" />
<col width="13%" />
<col width="12%" />
<col width="12%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">File</th>
<th class="head">owner</th>
<th class="head">group</th>
<th class="head">mode</th>
<th class="head">sensitive</th>
<th class="head">paranoid</th>
<th class="head">encoding</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>ssh_known_hosts</td>
<td>root</td>
<td>root</td>
<td>0644</td>
<td>false</td>
<td>false</td>
<td>None</td>
</tr>
<tr class="row-odd"><td>ssh_host_key</td>
<td>root</td>
<td>root</td>
<td>0600</td>
<td>false</td>
<td>false</td>
<td>base64</td>
</tr>
<tr class="row-even"><td>ssh_host_key.pub</td>
<td>root</td>
<td>root</td>
<td>0644</td>
<td>false</td>
<td>false</td>
<td>base64</td>
</tr>
<tr class="row-odd"><td>ssh_host_[rsa|dsa|ecdsa]_key</td>
<td>root</td>
<td>root</td>
<td>0600</td>
<td>false</td>
<td>false</td>
<td>None</td>
</tr>
<tr class="row-even"><td>ssh_host_[rsa|dsa|ecdsa]_key.pub</td>
<td>root</td>
<td>root</td>
<td>0644</td>
<td>false</td>
<td>false</td>
<td>None</td>
</tr>
</tbody>
</table>
<p>Note that the <tt class="docutils literal"><span class="pre">sensitive</span></tt> attribute is false, even for private keys,
in order to permit <a class="reference internal" href="../../admin/pull.html#server-admin-pull"><em>pulling with bcfg2-admin</em></a>. You should almost certainly set <tt class="docutils literal"><span class="pre">sensitive</span></tt>
to “true” in <tt class="docutils literal"><span class="pre">info.xml</span></tt>.</p>
</div>
<div class="section" id="blog-post">
<h2>Blog post<a class="headerlink" href="#blog-post" title="Permalink to this headline">¶</a></h2>
<p><a class="reference external" href="http://www.ducea.com/2008/08/24/using-the-bcfg2-sshbase-plugin/">http://www.ducea.com/2008/08/24/using-the-bcfg2-sshbase-plugin/</a></p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">The linked post uses deprecated ConfigFile entries. Path entries
have since replaced these. See <a class="reference internal" href="../../configurationentries.html#server-configurationentries"><em>Configuration Entries</em></a>.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sphinxsidebar">
<div class="sphinxsidebarwrapper">
<h3><a href="../../../index.html">Table Of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">SSHbase</a><ul>
<li><a class="reference internal" href="#interacting-with-sshbase">Interacting with SSHbase</a></li>
<li><a class="reference internal" href="#aliases">Aliases</a></li>
<li><a class="reference internal" href="#getting-started">Getting started</a></li>
<li><a class="reference internal" href="#supported-key-formats">Supported key formats</a></li>
<li><a class="reference internal" href="#group-specific-keys">Group-specific keys</a></li>
<li><a class="reference internal" href="#adding-public-keys-for-unmanaged-hosts">Adding public keys for unmanaged hosts</a></li>
<li><a class="reference internal" href="#static-ssh-known-hosts-file">Static ssh_known_hosts file</a></li>
<li><a class="reference internal" href="#permissions-and-metadata">Permissions and Metadata</a></li>
<li><a class="reference internal" href="#blog-post">Blog post</a></li>
</ul>
</li>
</ul>
<h4>Previous topic</h4>
<p class="topless"><a href="semodules.html"
title="previous chapter">SEModules</a></p>
<h4>Next topic</h4>
<p class="topless"><a href="sslca.html"
title="next chapter">SSLCA</a></p>
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../../../_sources/server/plugins/generators/sshbase.txt"
rel="nofollow">Show Source</a></li>
</ul>
<div id="searchbox" style="display: none">
<h3>Quick search</h3>
<form class="search" action="../../../search.html" method="get">
<input type="text" name="q" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
<p class="searchtip" style="font-size: 90%">
Enter search terms or a module, class or function name.
</p>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../../../genindex.html" title="General Index"
>index</a></li>
<li class="right" >
<a href="../../../py-modindex.html" title="Python Module Index"
>modules</a> |</li>
<li class="right" >
<a href="sslca.html" title="SSLCA"
>next</a> |</li>
<li class="right" >
<a href="semodules.html" title="SEModules"
>previous</a> |</li>
<li><a href="../../../index.html">home</a> | </li>
<!--<li><a href="../../../search.html">search</a> | </li>-->
<li><a href="../../../help/index.html">help</a> | </li>
<li><a href="../../../contents.html">documentation </a> »</li>
<li><a href="../../../contents.html" >Bcfg2 documentation 1.3.0</a> »</li>
<li><a href="../../index.html" >The Bcfg2 Server</a> »</li>
<li><a href="../index.html" >Plugins</a> »</li>
</ul>
</div>
<div class="footer">
© Copyright 2009-2013, Narayan Desai.
Last updated on Mar 20, 2013.
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3.
</div>
</body>
</html>
distrib
>
Fedora
>
17
>
i386
>
media
>
updates
>
by-pkgid
>
b50d8ee6d7871fcc13c0677a9364ed59
>
files
>
468
