Bug #3529

Impossible to add multiple entries for the same host

Added by Andrew Pollock about 2 years ago. Updated about 2 years ago.

Status: Accepted
Start date: 04/09/2010
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: ssh
Target version: -
Affected Puppet version: 0.25.4
Branch:
Keywords:
Votes: 0

Description

In deployment, we have a server that resolves to different IP addresses in different locations (via a DNS view).

We’d like to be able to add the SSH host key of both IP addresses to /etc/ssh/ssh_known_hosts, but can’t because of the way the sshkey type is currently implemented.

Here’s an example of what we want to get:

server.corp.example.com,192.168.67.62 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzsg+BglE1A7y9Dw6aiCEB3F8SJxXpd+AJ8DvTmk/Vr00fRO8zL1cY2Nggj6WD+YcjuXWpzbsc/kE3HCjXe7kHInx2Hz4aTVtNO9h2pi7n3hFWRjdN/4D3nsmPy+xxJGQ4AIRjf1+t1npCltvqS4qOhMybl4f92IyeuIETD3IGpBU3T0bQJRCZqQ8ggkalXbREHJcEN49IsHzzJcf4VBEaOMuJKVXx+T7cL4KyfYxNCbmFA6Ezdx+C65fB+g3PKfs9neAbdk1vnFCV3NXHbloSN3USNOe3hhTO4QBzSh1WjXA6q6Zoe9NLwIHXhrQOcltH4DJ/J5ob0qxyUrwB3SvRw==
server.corp.example.com,192.168.128.60 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAu/bQRbOuUL1cllXy+2TGT2YIhjlxZxXDWXtcFs994n95LgACvjOY7ZNFlF3QXy3WeIsdM+Y4+tlV5UCgneMU7m9NdsBejJMIHBucWcx3gx/yuLfUR0Bd4D/gDAPTGpcFE+KPxCP3i/IMOyG3cCJWHv1iBfbIV2QQI1m8LwsLbmgoVwv6QwetJw+6GamV8xKrgQMWnAwQx1nIaRjWYJAeZDBY/vZEnYwtpsju8c3VUqaw3J59hYMg0IE3dMDOEtbBn31/RNIwoM87XLzHrQrRNyADjxy4OI2gIOzOrjYzBtP+v2JLvEGyVc/xupxBh0gewhx4otHHA5Bk/u8AJcpMjQ==

Here’s how I’m trying to do it:

sshkey { "server.corp.example.com":
  alias  => ["server.corp.example.com", "192.168.67.62"],
  key    => "AAAAB3NzaC1yc2EAAAABIwAAAQEAzsg+BglE1A7y9Dw6aiCEB3F8SJxXpd+AJ8DvTmk/Vr00fRO8zL1cY2Nggj6WD+YcjuXWpzbsc/kE3HCjXe7kHInx2Hz4aTVtNO9h2pi7n3hFWRjdN/4D3nsmPy+xxJGQ4AIRjf1+t1npCltvqS4qOhMybl4f92IyeuIETD3IGpBU3T0bQJRCZqQ8ggkalXbREHJcEN49IsHzzJcf4VBEaOMuJKVXx+T7cL4KyfYxNCbmFA6Ezdx+C65fB+g3PKfs9neAbdk1vnFCV3NXHbloSN3USNOe3hhTO4QBzSh1WjXA6q6Zoe9NLwIHXhrQOcltH4DJ/J5ob0qxyUrwB3SvRw==",
  type   => "rsa",
  ensure => present,
}
sshkey { "server.site1.corp.example.com":
  alias  => ["server.corp.example.com", "192.168.128.60"],
  key    => "AAAAB3NzaC1yc2EAAAABIwAAAQEAu/bQRbOuUL1cllXy+2TGT2YIhjlxZxXDWXtcFs994n95LgACvjOY7ZNFlF3QXy3WeIsdM+Y4+tlV5UCgneMU7m9NdsBejJMIHBucWcx3gx/yuLfUR0Bd4D/gDAPTGpcFE+KPxCP3i/IMOyG3cCJWHv1iBfbIV2QQI1m8LwsLbmgoVwv6QwetJw+6GamV8xKrgQMWnAwQx1nIaRjWYJAeZDBY/vZEnYwtpsju8c3VUqaw3J59hYMg0IE3dMDOEtbBn31/RNIwoM87XLzHrQrRNyADjxy4OI2gIOzOrjYzBtP+v2JLvEGyVc/xupxBh0gewhx4otHHA5Bk/u8AJcpMjQ==",
  type   => "rsa",
  ensure => present,
}

This doesn’t work because of the duplicate aliases.

So I’ve got a problem where I don’t really care what the resource is named in Puppet, but I want to influence the hostname(s) added to /etc/ssh/ssh_known_hosts. I’m unable to do this because of the tight coupling between the name of the Puppet resource, and what goes into the known_hosts file, as well as aliases defining something inside of Puppet as well as what goes into the file.
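
An added example, not part of the original report and not Puppet's or OpenSSH's code: a small Python model of the two points in the description. It parses known_hosts lines to show that one hostname can appear on several lines with different keys, and it checks the two resources for shared names or aliases. The key blobs are constructed placeholders and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: two lines share a hostname but carry different keys
# (key blobs are short placeholders, not real host keys).
KNOWN_HOSTS = """\
# site A
server.corp.example.com,192.168.67.62 ssh-rsa AAAAKEYSITEA==
# site B
server.corp.example.com,192.168.128.60 ssh-rsa AAAAKEYSITEB== comment
"""

# The two resources from the report, reduced to name and aliases.
RESOURCES = {
    "server.corp.example.com": ["server.corp.example.com", "192.168.67.62"],
    "server.site1.corp.example.com": ["server.corp.example.com", "192.168.128.60"],
}

def parse_known_hosts(text):
    """Return (hosts, keytype, key) tuples; skips comments, markers, hashed names."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(("#", "@", "|")) or len(fields) < 3:
            continue
        entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries

def keys_for(host, entries):
    """Every key listed for `host` (literal names only, no wildcard patterns)."""
    return {key for hosts, _type, key in entries if host in hosts}

def alias_conflicts(resources):
    """Names/aliases claimed by more than one resource (a model of the
    uniqueness constraint the report runs into, not Puppet's own check)."""
    owners = defaultdict(set)
    for name, aliases in resources.items():
        for ident in {name, *aliases}:
            owners[ident].add(name)
    return {ident: sorted(names) for ident, names in owners.items() if len(names) > 1}

if __name__ == "__main__":
    entries = parse_known_hosts(KNOWN_HOSTS)
    print(sorted(keys_for("server.corp.example.com", entries)))
    print(alias_conflicts(RESOURCES))
```

The file format itself has no problem with the shared hostname; the collision exists only between the resource declarations.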

History

Updated by James Turnbull about 2 years ago

  • Status changed from Unreviewed to Needs Decision
  • Assignee set to Luke Kanies

Not sure how this should be untangled?

Updated by Luke Kanies about 2 years ago

  • Status changed from Needs Decision to Accepted

This is basically not possible with how keys are managed, at least for as long as Puppet only supports a single primary key.

Isn’t this doable by just adding the IP address as a second alias to the host? E.g.:

server.corp.example.com,192.168.67.62,192.168.67.60 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzsg+BglE1A7y9Dw6aiCEB3F8SJxXpd+AJ8DvTmk/Vr00fRO8zL1cY2Nggj6WD+YcjuXWpzbsc/kE3HCjXe7kHInx2Hz4aTVtNO9h2pi7n3hFWRjdN/4D3nsmPy+xxJGQ4AIRjf1+t1npCltvqS4qOhMybl4f92IyeuIETD3IGpBU3T0bQJRCZqQ8ggkalXbREHJcEN49IsHzzJcf4VBEaOMuJKVXx+T7cL4KyfYxNCbmFA6Ezdx+C65fB+g3PKfs9neAbdk1vnFCV3NXHbloSN3USNOe3hhTO4QBzSh1WjXA6q6Zoe9NLwIHXhrQOcltH4DJ/J5ob0qxyUrwB3SvRw==

Note I haven’t tried it, I just think it works.

Updated by Luke Kanies about 2 years ago

  • Assignee deleted (Luke Kanies)
