Using the Bcfg2 SSHbase plugin

SSHbase is a bcfg2 plugin for managing ssh host keys. It is responsible for making ssh keys persist beyond a client rebuild and building a consistent ssh_known_hosts file including all the ssh keys and deploying it across all the systems bcfg2 manages.

SSHbase has two basic functions:

• to generate ssh host keys; if a system has not a key in the repository, it will be generated on its first check-in
• to maintain a consistent ssh_known_hosts file, and deploy it to all systems. This will include all the public keys in the repository.

To enable SSHbase we have to add it to the generators line in the bcfg2 server config, like this:

/etc/bcfg2.conf:
generators = SSHbase,TCheetah,Cfg,Pkgmgr,Rules

• the bcfg2 server will need to be restarted to see this change.

Next we need to add configurations entries for /etc/ssh/ssh_known_hosts, and /etc/ssh/ssh_host_dsa_key (or rsa, or both) and add them to a bundle or base. We can put them in Base like this:

Base/ssh_keys.xml
<Base>
	<ConfigFile name='/etc/ssh/ssh_known_hosts'/>
	<ConfigFile name='/etc/ssh/ssh_host_dsa_key'/>
	<ConfigFile name='/etc/ssh/ssh_host_dsa_key.pub'/>
</Base>

or include them in a bundle like this:

Bundler/ssh_keys.xml
<Bundle name='ssh_keys' version='2.0'>
	<ConfigFile name='/etc/ssh/ssh_known_hosts'/>
	<ConfigFile name='/etc/ssh/ssh_host_dsa_key'/>
	<ConfigFile name='/etc/ssh/ssh_host_dsa_key.pub'/>
	<ConfigFile name='/etc/ssh/ssh_host_rsa_key'/>
	<ConfigFile name='/etc/ssh/ssh_host_rsa_key.pub'/>
</Bundle>

(where we added the rsa keys also). And include the ssh_keys bundle in a Group as needed.

After this any system that will checkin and don’t have its ssh keys in the bcfg2 repo, the bcfg2 server will generate them and put them inside bcfg2/SSHbase/ssh_host_dsa_key.H_<HOST> and ssh_host_dsa_key.pub.H_<HOST>, while the ssh_known_hosts file will be generated on the fly from all the existing keys in the repository.

Plugin documentation: http://trac.mcs.anl.gov/projects/bcfg2/wiki/SSHbase