1. Introduction
2. What hosts do you have?
3. Build: Use ssh-keyscan output
4. Installation
5. Feedback

1. Introduction

General idea: automate this to the greatest extent possible. Run ssh-keyscan for each host you want to access and store its output in a file named after the host.

Original tree:

/path/to/known-hosts-repo
+--admin
|   +--build
|   +--clean
|   +--inst
|   +--update
|   +--UTIL
|
+--src
|   +--DIVIDER
|   +--FOOTER
|   +--HEADER.in
|   +--HOSTS

2. What hosts do you have?

This is just a demo -- I only have two hosts, but it works in places with more.

First, add the systems you're interested in to src/HOSTS:

me% cat src/HOSTS
furbag
hairball

Hosts and servers that should share basic SSH key information.

Revision: 1.5 $ $Date: 2024-06-22 03:23:06-04 $
Source: /path/to/known-hosts/repo/src/RCS/HOSTS,v $
Host: furbag $
UUID: 7f0fd58d-4081-314c-92dc-0f88afed4226 $

I use RCS 'cuz I'm old, season to taste.

me% cd admin

me% ./update
furbag,192.168.48.2: updated
RCS/furbag,v  <--  furbag
initial revision: 1.1
done
RCS/furbag,v  -->  furbag
revision 1.1
done
hairball,192.168.48.1: updated
RCS/hairball,v  <--  hairball
initial revision: 1.1
done
RCS/hairball,v  -->  hairball
revision 1.1
done

New files created under src:

+--src
|   +--furbag
|   +--hairball
|   +--RCS
|   |   +--furbag,v
|   |   +--hairball,v

They hold the output from ssh-keyscan:

me% cat ../src/furbag
# furbag:22 SSH-2.0-OpenSSH_9.4
furbag,192.168.48.2 ssh-ed25519 AAAAC3NzaC1za[...]jWj2Cl9hrN
furbag,192.168.48.2 ssh-rsa AAAAB3NzaC1yc2EA[...]0eJCUCD3A/h8=

me% cat ../src/hairball
# hairball:22 SSH-2.0-OpenSSH_9.3 FreeBSD-20230719
hairball,192.168.48.1 ssh-ed25519 AAAAC3NzaC1lZ[...]gvZwkWozA
hairball,192.168.48.1 ssh-rsa AAAAB3NzaC1yc2EA[...]z1sKuA6lCE=

3. Build: Use ssh-keyscan output

Run "build" to create a HEADER, then combine it with the per-host key files and a FOOTER to make a new ssh_known_hosts file.

I want the check-in identifier to change whenever any of the contents change; the most consistent way is to bump the RCS revision of HEADER whenever any of the key files change. So HEADER carries a line holding a SHA1 sum over all the key files, recomputed whenever anything changes.

me% pwd
/path/to/known-hosts-repo/admin

me% ./build
RCS/HEADER,v  <--  HEADER
new revision: 2.3; previous revision: 2.2
done
RCS/HEADER,v  -->  HEADER
revision 2.3
done

me% cat ssh_known_hosts
# Revision: 2.3 $
# Source: /path/to/known-hosts/repo/src/RCS/HEADER,v $
# Host: furbag.my.domain $
# UUID: 7328269f-83e6-4b23-98c2-f40192573608 $
# Date: 2024-06-22 01:53:44-04 $
# SHA1: 5e572194f17517fa344df299ccfe0b5dcc072903 $
#
# System-wide known-hosts file
# Last updated $Date: 2024-06-22 03:23:06-04 $
#
# =========================================================================
# furbag:22 SSH-2.0-OpenSSH_9.4
furbag,192.168.48.2 ssh-ed25519 AAAAC3NzaC1za[...]jWj2Cl9hrN
furbag,192.168.48.2 ssh-rsa AAAAB3NzaC1yc2EA[...]0eJCUCD3A/h8=
# =========================================================================
# hairball:22 SSH-2.0-OpenSSH_9.3 FreeBSD-20230719
hairball,192.168.48.1 ssh-ed25519 AAAAC3NzaC1lZ[...]gvZwkWozA
hairball,192.168.48.1 ssh-rsa AAAAB3NzaC1yc2EA[...]z1sKuA6lCE=
# EOF

4. Installation

Use the "./inst" script to put ssh_known_hosts wherever you want. "ssh" will check for these files in order:

$HOME/.ssh/known_hosts
$HOME/.ssh/known_hosts2
/usr/local/etc/ssh_known_hosts
/usr/local/etc/ssh_known_hosts2

Have each workstation or server copy /usr/local/etc/ssh_known_hosts from a trusted repository, check for changes, and install it.
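The build step from section 3 and the "check for changes" step above, as an added example that is not the article's own admin/ scripts: it assembles ssh_known_hosts from the src/ layout described here, records a SHA1 over the key files in the header, refuses a file that ssh would reject, and lets an installed copy be compared against the repository. The header lines, the "SHA1 over key files in HOSTS order" rule and the placeholder key blobs are assumptions; ssh-keyscan records whatever key a host presents at scan time, so the repository's value is in distributing a reviewed snapshot and catching later drift.

```shell
#!/bin/sh
# Added example, not the article's own admin/ scripts: rebuild ssh_known_hosts
# from per-host ssh-keyscan files laid out as in the article (src/HOSTS,
# src/<host>, src/DIVIDER, src/FOOTER). Header lines and the SHA1 rule are assumptions.
sha1() {  # hex SHA1 of stdin; GNU sha1sum or BSD shasum, whichever exists
  if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi | cut -d' ' -f1
}

hosts() {  # host names listed in SRC/HOSTS, skipping blank and '#' lines
  grep -v -e '^[[:space:]]*$' -e '^#' "$1/HOSTS"
}

key_sum() {  # SRC: one SHA1 over all key files, so any added, removed or rotated key changes it
  for h in $(hosts "$1"); do cat "$1/$h"; done | sha1
}

build_known_hosts() {  # SRC OUT: HEADER, then DIVIDER + key file per host, then FOOTER
  {
    printf '# System-wide known-hosts file\n# SHA1: %s\n' "$(key_sum "$1")"
    for h in $(hosts "$1"); do cat "$1/DIVIDER" "$1/$h"; done
    cat "$1/FOOTER"
  } > "$2"
}

header_sum() {  # FILE: the SHA1 recorded in a built file; compare with key_sum to spot drift
  sed -n 's/^# SHA1: \([0-9a-f]*\).*/\1/p' "$1"
}

check_known_hosts() {  # FILE: fail unless every key line is "hosts keytype base64" with a
  # key type ssh accepts (the plain shape ssh-keyscan emits; @marker lines are not handled)
  awk '/^#/ || /^[[:space:]]*$/ { next }
       NF < 3 || $2 !~ /^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))$/ { bad++ }
       END { exit bad ? 1 : 0 }' "$1"
}

make_demo_src() {  # DIR: constructed src/ tree; the key blobs are placeholders, not real keys
  mkdir -p "$1/src"
  printf '# hosts sharing SSH key info\nfurbag\nhairball\n' > "$1/src/HOSTS"
  printf '# furbag:22 SSH-2.0-OpenSSH_9.4\nfurbag,192.168.48.2 ssh-ed25519 AAAAC3CONSTRUCTEDa\n' > "$1/src/furbag"
  printf '# hairball:22 SSH-2.0-OpenSSH_9.3\nhairball,192.168.48.1 ssh-ed25519 AAAAC3CONSTRUCTEDb\n' > "$1/src/hairball"
  printf '# ======\n' > "$1/src/DIVIDER"
  printf '# EOF\n' > "$1/src/FOOTER"
}

if [ "${1:-}" = demo ]; then  # sh build.sh demo: build, validate and show the result
  d=$(mktemp -d); make_demo_src "$d"
  build_known_hosts "$d/src" "$d/ssh_known_hosts" && check_known_hosts "$d/ssh_known_hosts"
  cat "$d/ssh_known_hosts"; rm -r "$d"
fi
```

On a workstation, `[ "$(header_sum /usr/local/etc/ssh_known_hosts)" = "$(key_sum /path/to/repo/src)" ]` is the change check before re-running the install.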

5. Feedback

All scripts used in this article are available here.

Feel free to send comments.


Generated from article.t2t by txt2tags
$Revision: 1.3 $