General idea: automate this to the greatest extent possible. Run ssh-keyscan for each host you want to access and store its output in a file named after the host.
Original tree:
  /path/to/known-hosts-repo
  +--admin
  |  +--build
  |  +--clean
  |  +--inst
  |  +--update
  |  +--UTIL
  +--src
     +--DIVIDER
     +--FOOTER
     +--HEADER.in
     +--HOSTS
This is just a demo -- I only have two hosts, but it works in places with more.
First, add the systems you're interested in to src/HOSTS:
  me% cat src/HOSTS
  furbag
  hairball
  Hosts and servers that should share basic SSH key information.
  $Revision: 1.5 $
  $Date: 2024-06-22 03:23:06-04 $
  $Source: /path/to/known-hosts/repo/src/RCS/HOSTS,v $
  $Host: furbag $
  $UUID: 7f0fd58d-4081-314c-92dc-0f88afed4226 $
I use RCS 'cuz I'm old, season to taste.
  me% cd admin
  me% ./update
  furbag,192.168.48.2: updated
  RCS/furbag,v  <--  furbag
  initial revision: 1.1
  done
  RCS/furbag,v  -->  furbag
  revision 1.1
  done
  hairball,192.168.48.1: updated
  RCS/hairball,v  <--  hairball
  initial revision: 1.1
  done
  RCS/hairball,v  -->  hairball
  revision 1.1
  done
New files created under src:
  +--src
  |  +--furbag
  |  +--hairball
  |  +--RCS
  |  |  +--furbag,v
  |  |  +--hairball,v
They hold the output from ssh-keyscan:
  me% cat ../src/furbag
  # furbag:22 SSH-2.0-OpenSSH_9.4
  furbag,192.168.48.2 ssh-ed25519 AAAAC3NzaC1za[...]jWj2Cl9hrN
  furbag,192.168.48.2 ssh-rsa AAAAB3NzaC1yc2EA[...]0eJCUCD3A/h8=
  me% cat ../src/hairball
  # hairball:22 SSH-2.0-OpenSSH_9.3 FreeBSD-20230719
  hairball,192.168.48.1 ssh-ed25519 AAAAC3NzaC1lZ[...]gvZwkWozA
  hairball,192.168.48.1 ssh-rsa AAAAB3NzaC1yc2EA[...]z1sKuA6lCE=
Run "build" to create a HEADER, then put it in front of the key files and a FOOTER after them to make a new ssh_known_hosts file.
I want the checkin identifier to change whenever anything in the contents changes; the most consistent way is to change the RCS info in HEADER whenever any of the key files change. So add a HEADER line holding a SHA1 sum over all the key files, and recompute it whenever any of them changes.
  me% pwd
  /path/to/known-hosts-repo/admin
  me% ./build
  RCS/HEADER,v  <--  HEADER
  new revision: 2.3; previous revision: 2.2
  done
  RCS/HEADER,v  -->  HEADER
  revision 2.3
  done
  me% cat ssh_known_hosts
  # $Revision: 2.3 $
  # $Source: /path/to/known-hosts/repo/src/RCS/HEADER,v $
  # $Host: furbag.my.domain $
  # $UUID: 7328269f-83e6-4b23-98c2-f40192573608 $
  # $Date: 2024-06-22 01:53:44-04 $
  # $SHA1: 5e572194f17517fa344df299ccfe0b5dcc072903 $
  #
  # System-wide known-hosts file
  # Last updated $Date: 2024-06-22 03:23:06-04 $
  #
  # =========================================================================
  # furbag:22 SSH-2.0-OpenSSH_9.4
  furbag,192.168.48.2 ssh-ed25519 AAAAC3NzaC1za[...]jWj2Cl9hrN
  furbag,192.168.48.2 ssh-rsa AAAAB3NzaC1yc2EA[...]0eJCUCD3A/h8=
  # =========================================================================
  # hairball:22 SSH-2.0-OpenSSH_9.3 FreeBSD-20230719
  hairball,192.168.48.1 ssh-ed25519 AAAAC3NzaC1lZ[...]gvZwkWozA
  hairball,192.168.48.1 ssh-rsa AAAAB3NzaC1yc2EA[...]z1sKuA6lCE=
  # EOF
Use the "./inst" script to put ssh_known_hosts wherever you want. "ssh" checks these files, in order:
  $HOME/.ssh/known_hosts
  $HOME/.ssh/known_hosts2
  /usr/local/etc/ssh_known_hosts
  /usr/local/etc/ssh_known_hosts2
Have each workstation or server copy /usr/local/etc/ssh_known_hosts from a trusted repository, check it for changes, and install it.
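The whole procedure above (keyscan per host, SHA1 stamp in the header, assemble with dividers and footer, install only when the stamp changes) as one POSIX sh script; this is an added example written for this page, not the article's admin/ scripts, and it leaves RCS out. It assumes a HOSTS file with one hostname per line ("#" comments allowed), key files under $SRC named after each host, and sha1sum and ssh-keyscan in PATH.

```shell
#!/bin/sh
# Added example, not the article's scripts. Builds ssh_known_hosts from
# per-host ssh-keyscan files under $SRC and installs it only on change.
SRC=${SRC:-src}                      # assumption: key files live here
DIVIDER='# ========================================================================='

# Hostnames from $SRC/HOSTS, one per line, skipping blanks and "#" comments.
hosts() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$SRC/HOSTS"; }

# Refresh one host's key file from the network (not exercised offline).
scan_host() { ssh-keyscan -t ed25519,rsa "$1" > "$SRC/$1" 2>/dev/null; }

# One SHA1 over every key file, in HOSTS order, so any edit changes it.
keys_sha1() {
  for h in $(hosts); do cat "$SRC/$h"; done | sha1sum | cut -d' ' -f1
}

# Assemble: stamped header, then DIVIDER + key file per host, then footer.
build_known_hosts() {                # $1 = output path
  {
    echo "# SHA1: $(keys_sha1)"
    echo "# System-wide known-hosts file"
    for h in $(hosts); do
      echo "$DIVIDER"
      cat "$SRC/$h"
    done
    echo "# EOF"
  } > "$1"
}

# The SHA1 stamp recorded in a built file (empty when there is none).
stamp_of() { sed -n 's/^# SHA1: \([0-9a-f]\{40\}\).*/\1/p' "$1" | head -n 1; }

# Copy $1 over $2 only when the stamps differ; returns 1 when nothing changed,
# so a cron job can log or notify on every real update.
install_if_changed() {               # $1 = new file, $2 = destination
  if [ -f "$2" ] && [ "$(stamp_of "$1")" = "$(stamp_of "$2")" ]; then
    return 1
  fi
  cp "$1" "$2" && chmod 0644 "$2"
}
```

ssh-keyscan records whatever key a host presents at scan time, so compare each host's fingerprint out of band once before committing its file; after that the stamp and the checkin history show every later change to a key.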
All scripts used in this article are available here.
Feel free to send comments.
Generated from article.t2t by txt2tags. $Revision: 1.3 $