<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>SSHbase — Bcfg2 1.3.0 documentation</title> <link rel="stylesheet" href="../../../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../../', VERSION: '1.3.0', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../../../_static/jquery.js"></script> <script type="text/javascript" src="../../../_static/underscore.js"></script> <script type="text/javascript" src="../../../_static/doctools.js"></script> <script type="text/javascript" src="../../../_static/sidebar.js"></script> <link rel="shortcut icon" href="../../../_static/favicon.ico"/> <link rel="top" title="Bcfg2 1.3.0 documentation" href="../../../index.html" /> <link rel="up" title="Plugins" href="../index.html" /> <link rel="next" title="SSLCA" href="sslca.html" /> <link rel="prev" title="SEModules" href="semodules.html" /> <link rel="stylesheet" href="../../../_static/bcfg2.css" type=""/> </head> <body> <div class="document"> <div class="documentwrapper"> <div class="bodywrapper"> <div class="body"> <div class="section" id="sshbase"> <span id="server-plugins-generators-sshbase"></span><h1>SSHbase<a class="headerlink" href="#sshbase" title="Permalink to this headline">¶</a></h1> <p>SSHbase is a purpose-built Bcfg2 plugin for managing ssh host keys. It is responsible for making ssh keys persist beyond a client rebuild and building a proper <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file, including a correct localhost record for the current system.</p> <p>It has two functions:</p> <ul class="simple"> <li>Generating new ssh keys – When a client requests a dsa, rsa, or v1 key, and there is no existing key in the repository, one is generated.</li> <li>Maintaining the <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file – all current known public keys (and extra public key stores) are integrated into a single <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file, and a localhost record for the current client is added. 
The <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file data is updated whenever any key is changed, added, or deleted.</li> </ul> <div class="section" id="interacting-with-sshbase"> <h2>Interacting with SSHbase<a class="headerlink" href="#interacting-with-sshbase" title="Permalink to this headline">¶</a></h2> <ul class="simple"> <li>Pre-seeding with existing keys – By default, keys already present on a client are overwritten by new, SSHbase-managed ones. Pre-existing keys can be kept by adding them to the repository as <tt class="docutils literal"><span class="pre">&lt;repo&gt;/SSHbase/&lt;key</span> <span class="pre">filename&gt;.H_&lt;hostname&gt;</span></tt>.</li> <li>Pre-seeding can also be performed with <tt class="docutils literal"><span class="pre">bcfg2-admin</span> <span class="pre">pull</span> <span class="pre">ConfigFile</span> <span class="pre">/name/of/ssh/key</span></tt>.</li> <li>Revoking existing keys – deleting <tt class="docutils literal"><span class="pre">&lt;repo&gt;/SSHbase/*.H_&lt;hostname&gt;</span></tt> removes the keys for an existing client.</li> </ul> </div> <div class="section" id="aliases"> <h2>Aliases<a class="headerlink" href="#aliases" title="Permalink to this headline">¶</a></h2> <p>SSHbase supports the Aliases listed in <a class="reference internal" href="../grouping/metadata.html#server-plugins-grouping-metadata-clients-xml"><em>clients.xml</em></a>. The addresses for these entries are specified either through DNS (e.g. a CNAME) or via the address attribute of the Alias.</p> </div> <div class="section" id="getting-started"> <h2>Getting started<a class="headerlink" href="#getting-started" title="Permalink to this headline">¶</a></h2> <ol class="arabic simple"> <li>Add SSHbase to the <strong>plugins</strong> line in <tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt> and restart the server. 
This enables the SSHbase plugin on the Bcfg2 server.</li> <li>Add Path entries for <tt class="docutils literal"><span class="pre">/etc/ssh/ssh_known_hosts</span></tt>, <tt class="docutils literal"><span class="pre">/etc/ssh/ssh_host_dsa_key</span></tt>, <tt class="docutils literal"><span class="pre">/etc/ssh/ssh_host_dsa_key.pub</span></tt>, etc., to a bundle.</li> <li>Enjoy.</li> </ol> <p>At this point, SSHbase will generate new keys for any client without a recorded key in the repository, and will generate an <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file appropriately.</p> </div> <div class="section" id="supported-key-formats"> <h2>Supported key formats<a class="headerlink" href="#supported-key-formats" title="Permalink to this headline">¶</a></h2> <p>SSHbase currently supports the following key formats:</p> <ul class="simple"> <li>RSA1 (<tt class="docutils literal"><span class="pre">ssh_host_key</span></tt>, <tt class="docutils literal"><span class="pre">ssh_host_key.pub</span></tt>)</li> <li>RSA2 (<tt class="docutils literal"><span class="pre">ssh_host_rsa_key</span></tt>, <tt class="docutils literal"><span class="pre">ssh_host_rsa_key.pub</span></tt>)</li> <li>DSA (<tt class="docutils literal"><span class="pre">ssh_host_dsa_key</span></tt>, <tt class="docutils literal"><span class="pre">ssh_host_dsa_key.pub</span></tt>)</li> <li>ECDSA (<tt class="docutils literal"><span class="pre">ssh_host_ecdsa_key</span></tt>, <tt class="docutils literal"><span class="pre">ssh_host_ecdsa_key.pub</span></tt>)</li> </ul> </div> <div class="section" id="group-specific-keys"> <h2>Group-specific keys<a class="headerlink" href="#group-specific-keys" title="Permalink to this headline">¶</a></h2> <p class="versionadded"> <span class="versionmodified">New in version 1.2.0.</span></p> <p>In addition to host-specific keys, SSHbase also supports group-specific keys, e.g., for a high-availability cluster or similar application. 
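</p> <p>Pulling together the repository naming conventions this page describes (<tt class="docutils literal"><span class="pre">.H_&lt;hostname&gt;</span></tt> for host keys, <tt class="docutils literal"><span class="pre">.Gxx_&lt;group</span> <span class="pre">name&gt;</span></tt> for group keys, <tt class="docutils literal"><span class="pre">.static</span></tt> for unmanaged hosts) and the Aliases from <em>clients.xml</em>, here is an added Python example of how such a repository is merged into a single <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file. This is not Bcfg2's own code: the repository and clients.xml contents are constructed stand-ins, and the record layout (hostname, aliases and addresses comma-separated before each public key, plus a localhost record for the client itself) is an assumed reconstruction of what the plugin produces. The one check worth noticing is that only <tt class="docutils literal"><span class="pre">.pub</span></tt> files are merged, so private key material in the same directory can never leak into the generated file.</p>

```python
import re

# Constructed stand-in for <repo>/SSHbase/ (filename -> content); the key
# material is fake. Note the private key file, which must never be merged.
REPO = {
    "ssh_host_rsa_key.pub.H_web1.example.com": "ssh-rsa AAAAB3WEB1 root@web1\n",
    "ssh_host_rsa_key.H_web1.example.com": "-----BEGIN RSA PRIVATE KEY-----\n",
    "ssh_host_ecdsa_key.pub.H_db1.example.com": "ecdsa-sha2-nistp256 AAAAE2DB1\n",
    "ssh_host_dsa_key.pub.G65_foo-cluster": "ssh-dss AAAAB3CLUSTER\n",
    "fw.static": "fw.example.com,10.0.0.254 ssh-ed25519 AAAAC3FW\n",
}
# Constructed stand-in for clients.xml: hostname -> (aliases, addresses, groups).
CLIENTS = {
    "web1.example.com": (["www.example.com"], ["10.0.0.10"], ["foo-cluster"]),
    "db1.example.com": ([], ["10.0.0.20"], []),
}
# Public halves only, for the key formats listed on this page, with .H_/.Gxx_.
PUB_RE = re.compile(r"^ssh_host_(?:rsa_|dsa_|ecdsa_)?key\.pub\.(H|G\d+)_(.+)$")

def build_known_hosts(repo, clients, client):
    """Return the ssh_known_hosts lines for `client`: a record per managed host
    (name, aliases, addresses before each host/group public key), then every
    .static entry, then a localhost record carrying the client's own keys."""
    host_keys, group_keys, static = {}, {}, []
    for fname, content in sorted(repo.items()):
        if fname.endswith(".static"):
            static += [ln for ln in content.splitlines() if ln.strip()]
            continue
        match = PUB_RE.match(fname)  # private keys have no ".pub": skipped
        if match:
            kind, owner = match.groups()
            target = host_keys if kind == "H" else group_keys
            target.setdefault(owner, []).append(content.strip())
    lines, own_keys = [], []
    for host, (aliases, addresses, groups) in sorted(clients.items()):
        keys = list(host_keys.get(host, []))
        keys += [k for g in groups for k in group_keys.get(g, [])]
        names = ",".join([host] + aliases + addresses)
        lines += ["%s %s" % (names, key) for key in keys]
        if host == client:
            own_keys = keys
    lines += static
    # Localhost record for the current system, as the page describes.
    lines += ["localhost,localhost.localdomain,127.0.0.1 %s" % k for k in own_keys]
    return lines

if __name__ == "__main__":
    print("\n".join(build_known_hosts(REPO, CLIENTS, "web1.example.com")))
```

<p>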
Group-specific keys must be pre-seeded; SSHbase cannot create group-specific keys itself.</p> <p>To use group-specific keys, create <tt class="docutils literal"><span class="pre">SSHbase/&lt;key</span> <span class="pre">filename&gt;.Gxx_&lt;group</span> <span class="pre">name&gt;</span></tt>. For instance, <tt class="docutils literal"><span class="pre">ssh_host_dsa_key.pub.G65_foo-cluster</span></tt>.</p> </div> <div class="section" id="adding-public-keys-for-unmanaged-hosts"> <h2>Adding public keys for unmanaged hosts<a class="headerlink" href="#adding-public-keys-for-unmanaged-hosts" title="Permalink to this headline">¶</a></h2> <p>If you have hosts which are not managed by Bcfg2 but whose public ssh keys you would still like to have in <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt>, add their public keys to the <tt class="docutils literal"><span class="pre">SSHbase</span></tt> directory in files with a <em>.static</em> suffix.</p> <p>Example:</p> <p><tt class="docutils literal"><span class="pre">a.static</span></tt>:</p> <div class="highlight-python"><div class="highlight"><pre><span class="n">TEST1</span> </pre></div> </div> <p><tt class="docutils literal"><span class="pre">b.static</span></tt>:</p> <div class="highlight-python"><div class="highlight"><pre><span class="n">TEST2</span> </pre></div> </div> <p>The generated <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file:</p> <div class="highlight-python"><div class="highlight"><pre><span class="n">TEST1</span>
<span class="n">TEST2</span> </pre></div> </div> </div> <div class="section" id="static-ssh-known-hosts-file"> <h2>Static ssh_known_hosts file<a class="headerlink" href="#static-ssh-known-hosts-file" title="Permalink to this headline">¶</a></h2> <p class="versionadded"> <span class="versionmodified">New in version 1.2.0.</span></p> <p>You can also distribute a fully static <tt class="docutils literal"><span 
class="pre">ssh_known_hosts</span></tt> file on a per-host or per-group basis by creating <tt class="docutils literal"><span class="pre">SSHbase/ssh_known_hosts.H_&lt;hostname&gt;</span></tt> or <tt class="docutils literal"><span class="pre">SSHbase/ssh_known_hosts.Gxx_&lt;group</span> <span class="pre">name&gt;</span></tt>. Those files will be entirely static; Bcfg2 will not add any host keys to them itself.</p> </div> <div class="section" id="permissions-and-metadata"> <h2>Permissions and Metadata<a class="headerlink" href="#permissions-and-metadata" title="Permalink to this headline">¶</a></h2> <p class="versionadded"> <span class="versionmodified">New in version 1.2.0.</span></p> <p>SSHbase supports use of an <a class="reference internal" href="../../info.html#server-info"><em>info.xml</em></a> file to control the permissions and other metadata for the keys and <tt class="docutils literal"><span class="pre">ssh_known_hosts</span></tt> file. You can use the <tt class="docutils literal"><span class="pre">&lt;Path&gt;</span></tt> directive in <tt class="docutils literal"><span class="pre">info.xml</span></tt> to change the metadata for different keys, e.g.:</p> <div class="highlight-python"><pre>&lt;FileInfo&gt;
  &lt;Path name="/etc/ssh/ssh_host_dsa_key"&gt;
    &lt;Info owner="root" group="wheel" mode="0660"/&gt;
  &lt;/Path&gt;
  &lt;Path name="/etc/ssh/ssh_host_dsa_key.pub"&gt;
    &lt;Info owner="root" group="wheel" mode="0664"/&gt;
  &lt;/Path&gt;
&lt;/FileInfo&gt;</pre> </div> <p>Default permissions are as follows:</p> <table border="1" class="docutils"> <colgroup> <col width="40%" /> <col width="8%" /> <col width="8%" /> <col width="7%" /> <col width="13%" /> <col width="12%" /> <col width="12%" /> </colgroup> <thead valign="bottom"> <tr class="row-odd"><th class="head">File</th> <th class="head">owner</th> <th class="head">group</th> <th class="head">mode</th> <th class="head">sensitive</th> <th class="head">paranoid</th> <th class="head">encoding</th> </tr> </thead> <tbody valign="top"> <tr class="row-even"><td>ssh_known_hosts</td> 
<td>root</td> <td>root</td> <td>0644</td> <td>false</td> <td>false</td> <td>None</td> </tr> <tr class="row-odd"><td>ssh_host_key</td> <td>root</td> <td>root</td> <td>0600</td> <td>false</td> <td>false</td> <td>base64</td> </tr> <tr class="row-even"><td>ssh_host_key.pub</td> <td>root</td> <td>root</td> <td>0644</td> <td>false</td> <td>false</td> <td>base64</td> </tr> <tr class="row-odd"><td>ssh_host_[rsa|dsa|ecdsa]_key</td> <td>root</td> <td>root</td> <td>0600</td> <td>false</td> <td>false</td> <td>None</td> </tr> <tr class="row-even"><td>ssh_host_[rsa|dsa|ecdsa]_key.pub</td> <td>root</td> <td>root</td> <td>0644</td> <td>false</td> <td>false</td> <td>None</td> </tr> </tbody> </table> <p>Note that the <tt class="docutils literal"><span class="pre">sensitive</span></tt> attribute is false, even for private keys, in order to permit <a class="reference internal" href="../../admin/pull.html#server-admin-pull"><em>pulling with bcfg2-admin</em></a>. You should almost certainly set <tt class="docutils literal"><span class="pre">sensitive</span></tt> to “true” in <tt class="docutils literal"><span class="pre">info.xml</span></tt>.</p> </div> <div class="section" id="blog-post"> <h2>Blog post<a class="headerlink" href="#blog-post" title="Permalink to this headline">¶</a></h2> <p><a class="reference external" href="http://www.ducea.com/2008/08/24/using-the-bcfg2-sshbase-plugin/">http://www.ducea.com/2008/08/24/using-the-bcfg2-sshbase-plugin/</a></p> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">The linked post uses deprecated ConfigFile entries. Path entries have since replaced these. 
See <a class="reference internal" href="../../configurationentries.html#server-configurationentries"><em>Configuration Entries</em></a>.</p> </div> </div> </div> </div> </div> </div> </div> <div class="footer"> © Copyright 2009-2013, Narayan Desai. Last updated on Mar 20, 2013. Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3. </div> </body> </html>