.. -*- mode: rst -*-

.. _appendix-guides-import-existing-ssh-keys:

========================
Import existing ssh keys
========================

.. note::

    In order for the instructions in this guide to work, you will need
    to first set up the :ref:`reporting system <reports-dynamic>` so that
    the server has the information needed to create the existing
    entries.

This guide details the process for importing existing ssh keys into your
server repository.

Add a bundle for ssh
====================

After verifying that SSHbase is listed on the plugins line in
``/etc/bcfg2.conf``, you need to create a bundle containing the
appropriate entries::

    # Write the bundle definition to a temporary file
    cat > /tmp/ssh.xml << EOF
    <Bundle name='ssh'>
        <Path name='/etc/ssh/ssh_host_dsa_key'/>
        <Path name='/etc/ssh/ssh_host_rsa_key'/>
        <Path name='/etc/ssh/ssh_host_dsa_key.pub'/>
        <Path name='/etc/ssh/ssh_host_rsa_key.pub'/>
        <Path name='/etc/ssh/ssh_host_key'/>
        <Path name='/etc/ssh/ssh_host_key.pub'/>
        <Path name='/etc/ssh/ssh_known_hosts'/>
    </Bundle>
    EOF
    # Move it into the repository's Bundle directory
    mv /tmp/ssh.xml /var/lib/bcfg2/Bundle

Next, you need to add the ssh bundle to the client's metadata in
``groups.xml``.

Validate your repository
========================

Validation can be performed using the following command::

    bcfg2-repo-validate -v

Run the bcfg2 client
====================

::

    bcfg2 -vqn

You will see the incorrect entries for the ssh files::

    Phase: initial
    Correct entries: 0
    Incorrect entries: 7
    Total managed entries: 7
    Unmanaged entries: 649
    In dryrun mode: suppressing entry installation for:
    Path:/etc/ssh/ssh_host_dsa_key Path:/etc/ssh/ssh_host_rsa_key
    Path:/etc/ssh/ssh_host_dsa_key.pub Path:/etc/ssh/ssh_host_rsa_key.pub
    Path:/etc/ssh/ssh_host_key Path:/etc/ssh/ssh_known_hosts
    Path:/etc/ssh/ssh_host_key.pub
    Phase: final
    Correct entries: 0
    Incorrect entries: 7
    Path:/etc/ssh/ssh_host_dsa_key Path:/etc/ssh/ssh_host_rsa_key
    Path:/etc/ssh/ssh_host_dsa_key.pub Path:/etc/ssh/ssh_host_rsa_key.pub
    Path:/etc/ssh/ssh_host_key Path:/etc/ssh/ssh_known_hosts
    Path:/etc/ssh/ssh_host_key.pub
    Total managed entries: 7
    Unmanaged entries: 649

Install the client's ssh keys into the Bcfg2 repository
=======================================================

Now, we pull the ssh host key data for the client out of the uploaded
stats and insert it as host-specific copies of these files in
``/var/lib/bcfg2/SSHBase``::

    for key in ssh_host_rsa_key ssh_host_dsa_key ssh_host_key; do
        sudo bcfg2-admin pull <clientname> Path /etc/ssh/$key
        sudo bcfg2-admin pull <clientname> Path /etc/ssh/$key.pub
    done

This for loop pulls data that was collected by the bcfg2 client out of
the statistics file and installs it into the repository. This means that
the client will keep the same ssh keys and the bcfg2 server can start
generating a correct ``ssh_known_hosts`` file for the client.

Run the bcfg2 client (again)
============================

::

    bcfg2 -vqn

This time, we will only see 1 incorrect entry::

    Phase: initial
    Correct entries: 6
    Incorrect entries: 1
    Total managed entries: 7
    Unmanaged entries: 649
    In dryrun mode: suppressing entry installation for:
    Path:/etc/ssh/ssh_known_hosts
    Phase: final
    Correct entries: 6
    Incorrect entries: 1
    Path:/etc/ssh/ssh_known_hosts
    Total managed entries: 7
    Unmanaged entries: 649

Now, the only wrong entry is the ``ssh_known_hosts`` file, so go ahead
and install it::

    bcfg2 -vqI

After answering 'y' to the interactive prompt, the client will install
the known_hosts file successfully.
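
A post-import check for the steps above, as an added example that is not part of the original guide or of Bcfg2: it confirms that all six host-specific key files for a client are present in the SSHbase directory and that the imported private keys carry no group or other permission bits. The helper name ``check_sshbase_import`` is hypothetical, and the ``<key>.H_<clientname>`` file naming is an assumption about how SSHbase stores host-specific copies.

```shell
#!/bin/sh
# Added example (not from the Bcfg2 project): audit the host-specific key
# copies that the pull loop wrote into the SSHbase directory for one client.
# Assumption: files are named <key>.H_<clientname> and <key>.pub.H_<clientname>.

# check_sshbase_import DIR CLIENT   (hypothetical helper name)
# Prints one line per finding. Returns 0 when all six files exist, are
# non-empty, and no private key has group/other permission bits set.
check_sshbase_import() {
    dir=$1
    client=$2
    rc=0
    for key in ssh_host_rsa_key ssh_host_dsa_key ssh_host_key; do
        priv="$dir/$key.H_$client"
        pub="$dir/$key.pub.H_$client"
        for f in "$priv" "$pub"; do
            # -s is false for both absent and zero-length files
            if [ ! -s "$f" ]; then
                echo "MISSING $f"
                rc=1
            fi
        done
        if [ -f "$priv" ]; then
            # Mode string is type + 9 permission characters; the last six
            # (group and other) must all be '-' for a private host key.
            case $(ls -ld "$priv") in
                ????------*) ;;
                *) echo "EXPOSED $priv"; rc=1 ;;
            esac
        fi
    done
    return "$rc"
}

# Stand-alone use: sh check.sh <sshbase-dir> <clientname>
if [ "$#" -eq 2 ]; then
    check_sshbase_import "$1" "$2"
fi
```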