From 45763f54aa0e344ce05d3d49ff39aab1f504bc2b Mon Sep 17 00:00:00 2001 From: Florian Ermisch Date: Thu, 26 Apr 2018 16:56:18 +0200 Subject: [PATCH 1/2] Add host keys from pillar[openssh:known_hosts:static] to `ssh_known_hosts` --- openssh/files/ssh_known_hosts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/openssh/files/ssh_known_hosts b/openssh/files/ssh_known_hosts index 9229fd3..c57a5e9 100644 --- a/openssh/files/ssh_known_hosts +++ b/openssh/files/ssh_known_hosts @@ -66,6 +66,8 @@ {#- Loop over targetted minions -#} {%- set host_keys = salt['mine.get'](target, keys_function, tgt_type=tgt_type) -%} {%- set host_names = salt['mine.get'](target, hostname_function, tgt_type=tgt_type) -%} -{%- for host, keys in host_keys|dictsort -%} +{%- do host_keys.update(salt['pillar.get']('openssh:known_hosts:static', + {}).items()) -%} +{%- for host, keys in host_keys| dictsort -%} {{ known_host_entry(host, host_names, keys) }} {%- endfor -%} From bf9b9a335cd80358182ced7a93364ae2d569312d Mon Sep 17 00:00:00 2001 From: Florian Ermisch Date: Thu, 26 Apr 2018 17:12:29 +0200 Subject: [PATCH 2/2] Add `openssh:known_hosts:static` to README and pillar.example --- README.rst | 15 +++++++++++++-- pillar.example | 4 ++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/README.rst b/README.rst index 559e6fb..5ace6a7 100644 --- a/README.rst +++ b/README.rst @@ -64,8 +64,9 @@ distribution. ``openssh.known_hosts`` ----------------------- -Manages the site-wide ssh_known_hosts file and fills it with the -public SSH host keys of all minions. You can restrict the set of minions +Manages the side-wide ssh_known_hosts file and fills it with the +public SSH host keys of your minions (collected via the Salt mine) +and of hosts listed in you pillar data. You can restrict the set of minions whose keys are listed by using the pillar data ``openssh:known_hosts:target`` and ``openssh:known_hosts:tgt_type`` (those fields map directly to the corresponding attributes of the ``mine.get`` function). @@ -102,6 +103,16 @@ IPv6 behind one of those DNS entries matches an IPv4 or IPv6 behind the official hostname of a minion, the alternate DNS name will be associated to the minion's public SSH host key. +To add public keys of hosts not among your minions list them under the +pillar key ``openssh:known_hosts:static``:: + + openssh: + known_hosts: + static: + github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq[...]' + gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA[...]' + + ``openssh.moduli`` ----------------------- diff --git a/pillar.example b/pillar.example index 5708859..5f519ce 100644 --- a/pillar.example +++ b/pillar.example @@ -307,6 +307,10 @@ openssh: # tgt_type: 'glob' # To activate the defaults you can just set an empty dict. #hostnames: {} + # Here you can list keys for hosts which are not among your minions: + static: + github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]' + gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]' # specify DH parameters (see /etc/ssh/moduli) moduli: |