Merge pull request #127 from 0xf10e/known_hosts_pillar

Add host keys from pillar to `ssh_known_hosts`
This commit is contained in:
alxwr 2018-04-27 10:39:31 +02:00 committed by GitHub
commit 11366b3c17
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 3 deletions

View File

@ -64,8 +64,9 @@ distribution.
``openssh.known_hosts`` ``openssh.known_hosts``
----------------------- -----------------------
Manages the site-wide ssh_known_hosts file and fills it with the Manages the side-wide ssh_known_hosts file and fills it with the
public SSH host keys of all minions. You can restrict the set of minions public SSH host keys of your minions (collected via the Salt mine)
and of hosts listed in you pillar data. You can restrict the set of minions
whose keys are listed by using the pillar data ``openssh:known_hosts:target`` whose keys are listed by using the pillar data ``openssh:known_hosts:target``
and ``openssh:known_hosts:tgt_type`` (those fields map directly to the and ``openssh:known_hosts:tgt_type`` (those fields map directly to the
corresponding attributes of the ``mine.get`` function). corresponding attributes of the ``mine.get`` function).
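Review bot: the rewritten paragraph introduces two typos in the new right-hand text: "side-wide" should stay "site-wide" as in the original line, and "listed in you pillar data" should read "listed in your pillar data". This paragraph would also be the place to state that pillar-supplied keys are written verbatim and, when a static hostname coincides with a minion's hostname, take precedence over the key collected via the mine (the template merges the pillar dict into the mine result with `update`), since a reader relying on the generated file needs to know which source wins.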
@ -102,6 +103,16 @@ IPv6 behind one of those DNS entries matches an IPv4 or IPv6 behind the
official hostname of a minion, the alternate DNS name will be associated to the official hostname of a minion, the alternate DNS name will be associated to the
minion's public SSH host key. minion's public SSH host key.
To add public keys of hosts not among your minions list them under the
pillar key ``openssh:known_hosts:static``::
openssh:
known_hosts:
static:
github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq[...]'
gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA[...]'
``openssh.moduli`` ``openssh.moduli``
----------------------- -----------------------
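Review bot: truncating the example values with `[...]` is fine for documentation, but the text should say where a static key has to come from: the operator must obtain and verify it out of band, against the fingerprint the service itself publishes, because anything placed under `openssh:known_hosts:static` lands in the site-wide file as a trusted host key with no further check. The expected value format also deserves a sentence: each entry is shown as the full key string (`'ssh-rsa AAAA...'`, type plus base64 blob, one key per host), whereas the loop variable for mine-collected entries is `keys`, so whether several key types per static host are supported should be stated explicitly.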

View File

@ -66,6 +66,8 @@
{#- Loop over targetted minions -#} {#- Loop over targetted minions -#}
{%- set host_keys = salt['mine.get'](target, keys_function, tgt_type=tgt_type) -%} {%- set host_keys = salt['mine.get'](target, keys_function, tgt_type=tgt_type) -%}
{%- set host_names = salt['mine.get'](target, hostname_function, tgt_type=tgt_type) -%} {%- set host_names = salt['mine.get'](target, hostname_function, tgt_type=tgt_type) -%}
{%- for host, keys in host_keys|dictsort -%} {%- do host_keys.update(salt['pillar.get']('openssh:known_hosts:static',
{}).items()) -%}
{%- for host, keys in host_keys| dictsort -%}
{{ known_host_entry(host, host_names, keys) }} {{ known_host_entry(host, host_names, keys) }}
{%- endfor -%} {%- endfor -%}
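Review bot: `host_keys.update(...)` silently overrides any mine-collected entry whose hostname coincides with a static pillar key, and the merged dict then reaches `known_host_entry(host, host_names, keys)` with two different value shapes: mine results are whatever `keys_function` returns, while the static entries are plain strings such as `'ssh-rsa AAAA...'` per the documented example. Confirm that `known_host_entry` accepts both shapes, or normalise the static values into the mine structure before the loop, and consider making a static host that shadows a minion visible (a log line or a render failure) rather than letting the pillar win silently. Two minor points: `update()` takes the dict directly, so `.items()` is unnecessary, and `host_keys| dictsort` picked up a stray space after the pipe; keep it `host_keys|dictsort` as in the removed line.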

View File

@ -307,6 +307,10 @@ openssh:
# tgt_type: 'glob' # tgt_type: 'glob'
# To activate the defaults you can just set an empty dict. # To activate the defaults you can just set an empty dict.
#hostnames: {} #hostnames: {}
# Here you can list keys for hosts which are not among your minions:
static:
github.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGm[...]'
gitlab.com: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bN[...]'
# specify DH parameters (see /etc/ssh/moduli) # specify DH parameters (see /etc/ssh/moduli)
moduli: | moduli: |
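Review bot: the new `static:` entries are left active while the neighbouring optional settings (`# tgt_type: 'glob'`, `#hostnames: {}`) are commented out; since the key values are truncated with `[...]`, anyone applying pillar.example unchanged would write two unusable entries for github.com and gitlab.com into ssh_known_hosts. Suggest commenting the block out like the surrounding examples, and extending the comment above it to say that each key must be obtained and verified from the host's operator rather than copied from this file.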