SSHbase is a bcfg2 plugin for managing ssh host keys. It makes ssh host keys persist across a client rebuild, builds a consistent ssh_known_hosts file containing all of those keys, and deploys that file to every system bcfg2 manages.
SSHbase has two basic functions:
- to generate ssh host keys; if a system does not have a key in the repository, one is generated on its first check-in
- to maintain a consistent ssh_known_hosts file, and deploy it to all systems. This will include all the public keys in the repository.
To enable SSHbase we have to add it to the generators line in the bcfg2 server config, like this:
The bcfg2 server needs to be restarted to pick up this change.
Next we need to add configuration entries for /etc/ssh/ssh_known_hosts and /etc/ssh/ssh_host_dsa_key (or rsa, or both) and add them to a bundle or base. We can put them in Base like this:
or include them in a bundle like this:
(Here we added the rsa keys as well.) Then include the ssh_keys bundle in a Group as needed.
After this, when a system checks in and does not have its ssh keys in the bcfg2 repo, the bcfg2 server will generate them and put them inside bcfg2/SSHbase/ssh_host_dsa_key.H_
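To illustrate SSHbase's second function, the following added example (not bcfg2's own code and not taken from the plugin documentation) builds ssh_known_hosts text from a directory of per-host public keys while leaving private keys out. The `.pub.H_<hostname>` file naming, the `aliases` parameter, the host names and all key material are assumptions constructed for this sketch.

```python
import os
import tempfile

# Assumed naming for this sketch: <keyfile>.pub.H_<hostname> holds a public key,
# <keyfile>.H_<hostname> holds the matching private key.
PUB_MARK = ".pub.H_"


def build_known_hosts(repo_dir, aliases=None):
    """Return ssh_known_hosts text covering every public key in repo_dir."""
    aliases = aliases or {}  # hypothetical: extra names/IPs per host
    entries = []
    for name in sorted(os.listdir(repo_dir)):
        if PUB_MARK not in name:
            continue  # private keys and unrelated files never reach the output
        host = name.split(PUB_MARK, 1)[1]
        with open(os.path.join(repo_dir, name)) as fh:
            fields = fh.read().split()
        if len(fields) < 2:
            raise ValueError("malformed public key file: " + name)
        # known_hosts line: comma-separated names, key type, base64 key
        names = ",".join([host] + sorted(aliases.get(host, [])))
        entries.append("%s %s %s" % (names, fields[0], fields[1]))
    return "\n".join(entries) + "\n"


def make_sample_repo():
    """Create a throwaway directory with constructed (fake) key material."""
    repo = tempfile.mkdtemp()
    sample = {
        "ssh_host_dsa_key.pub.H_web1.example.com": "ssh-dss FAKEDSAPUBweb1 root@web1\n",
        "ssh_host_rsa_key.pub.H_web1.example.com": "ssh-rsa FAKERSAPUBweb1 root@web1\n",
        "ssh_host_dsa_key.pub.H_db1.example.com": "ssh-dss FAKEDSAPUBdb1 root@db1\n",
        "ssh_host_dsa_key.H_web1.example.com": "FAKE-PRIVATE-KEY-web1\n",
    }
    for name, body in sample.items():
        path = os.path.join(repo, name)
        with open(path, "w") as fh:
            fh.write(body)
        if PUB_MARK not in name:
            os.chmod(path, 0o600)  # private keys stay owner-only
    return repo


if __name__ == "__main__":
    extra = {"web1.example.com": ["web1", "192.0.2.10"]}
    print(build_known_hosts(make_sample_repo(), extra), end="")
```

Because the same text is produced for every client, a host whose key is regenerated in the repository shows up as a changed line for all systems at once.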
Plugin documentation: http://trac.mcs.anl.gov/projects/bcfg2/wiki/SSHbase