Ticket #1123 (closed enhancement: worksforme)
SSHbase: probe mode to preserve existing host keys
| Reported by: | https://www.google.com/accounts/o8/id?id=AItOawmUWUSICZipFKbjYsQOLyWp-dcZkiAbN5M | Owned by: | desai |
|---|---|---|---|
| Priority: | major | Milestone: | Bcfg2 1.3.0 Release |
| Component: | bcfg2-server | Version: | 1.0 |
| Keywords: | Cc: |
Description
SSHbase assumes that existing keys installed on client systems are not worth preserving, and generates new keys with which to overwrite them for any client that it doesn't already have keys registered. This is fine for new system deployments, where generating fresh keys won't bother anyone. For existing systems that are being brought under bcfg2 control incrementally, or that have been using bcfg2 for a while but upgraded to a version with SSHbase, this is less than helpful. Users who have already connected to a bcfg2 client system using SSH will see changed keys, with the attendant warnings and trouble.
Thus, I propose that SSHbase should have a mode to probe existing host keys, and preserve them in the bcfg2 repository, rather than generating its own and overwriting the existing keys. As suggested by solj and stpierre on IRC, this can probably be accomplished using the existing FileProbe? infrastructure with some tweaks. I'll see about actually implementing it and posting a patch.
It is possible to import existing ssh keys once you have setup the DBStats plugin. See http://docs.bcfg2.org/appendix/guides/import-existing-ssh-keys.html for details.