ssh_known_hosts
Dynamically generates /etc/ssh/ssh_known_hosts based on search indexes
cookbook 'ssh_known_hosts', '~> 7.0.0', :supermarket
knife supermarket install ssh_known_hosts
knife supermarket download ssh_known_hosts
ssh_known_hosts Cookbook
- The default recipe builds /etc/ssh/ssh_known_hosts based either on search indexes using the rsa,dsa key types and ohai data or, when ['ssh_known_hosts']['use_data_bag_cache'] is true, on the contents of a data bag that is maintained by the cacher recipe running on a worker node.
- The cacher recipe builds and maintains a data bag based on search indexes using the rsa,dsa key types and ohai data.
You can also optionally put other host keys in a data bag called "ssh_known_hosts". See below for details.
WARNING: The ssh_known_hosts_entry resource is now built into Chef 14.4+ and no longer ships in this cookbook.
Requirements
Platforms
- Any operating system that supports /etc/ssh/ssh_known_hosts.
Chef
- 14.4+
Recipes
Cacher
Use the cacher recipe on a single "worker" node somewhere in your cluster to maintain a data bag item (server_data/known_hosts by default) containing all of your nodes' host keys. The advantage of this approach is that it is much faster than running a search of all nodes, and it substantially lightens the load on locally hosted Chef servers. The drawback is that the data is slightly delayed (because the cacher worker must converge first), so a newly bootstrapped node does not appear in the other nodes' ssh_known_hosts until the worker has run again. Note also that every node with use_data_bag_cache enabled trusts the contents of that item as-is: anyone who can write to that data bag can substitute the host key of any host in your cluster, so restrict write access to the cacher worker's client.
To use the cacher, simply include the ssh_known_hosts::cacher recipe in a wrapper cookbook or run list on a designated worker node.
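The two data paths described above, as an added example in plain Ruby (not the cookbook's own code, and not Chef DSL): a constructed stand-in for the Chef server's search index, the cacher step that turns it into the server_data/known_hosts data bag item, the consumer step that reads that item when use_data_bag_cache is true, and a check for hosts the cache does not know about yet. The attribute names under node['keys']['ssh'] follow ohai's ssh_host_key plugin; the layout of the data bag item (an 'id' plus a 'keys' array) and the fields of each entry are assumptions for this example, not the cookbook's actual schema.

```ruby
# Added example, not the cookbook's own code. Simulates the two ways the
# default recipe can obtain host keys: a live search of the Chef server, or
# the data bag item (server_data/known_hosts by default) that the cacher
# recipe maintains on a worker node.
require 'json'

KEY_TYPES = %w[rsa dsa].freeze # mirrors node['ssh_known_hosts']['key_type']

# Constructed stand-in for the Chef server's node search index. The
# node['keys']['ssh'] attribute names follow ohai's ssh_host_key plugin; the
# key strings are placeholders, not real blobs.
SEARCH_INDEX = [
  { 'name' => 'web1', 'fqdn' => 'web1.example.test', 'ipaddress' => '10.0.0.11',
    'keys' => { 'ssh' => { 'host_rsa_public' => 'AAAA-web1-rsa',
                           'host_ed25519_public' => 'AAAA-web1-ed25519' } } },
  { 'name' => 'db1', 'fqdn' => 'db1.example.test', 'ipaddress' => '10.0.0.21',
    'keys' => { 'ssh' => { 'host_rsa_public' => 'AAAA-db1-rsa',
                           'host_dsa_public' => 'AAAA-db1-dsa' } } },
  # A node ohai has not reported keys for yet contributes nothing.
  { 'name' => 'fresh', 'fqdn' => 'fresh.example.test', 'ipaddress' => '10.0.0.31', 'keys' => {} },
].freeze

# Direct path (use_data_bag_cache false): one entry per node and requested
# key type, skipping types the node does not have.
def keys_from_search(nodes, key_types = KEY_TYPES)
  nodes.flat_map do |n|
    ssh = n.dig('keys', 'ssh') || {}
    key_types.map do |type|
      blob = ssh["host_#{type}_public"]
      next if blob.nil? || blob.empty?
      { 'fqdn' => n['fqdn'], 'ipaddress' => n['ipaddress'], 'type' => type, 'key' => blob }
    end.compact
  end
end

# Cacher recipe on the worker node: run the search once and persist the
# result as a data bag item. The item layout (an 'id' plus a 'keys' array)
# is an assumption for this example, not the cookbook's actual schema.
def build_cache_item(nodes, data_bag_item: 'known_hosts', key_types: KEY_TYPES)
  { 'id' => data_bag_item, 'keys' => keys_from_search(nodes, key_types) }
end

# Cached path (use_data_bag_cache true): trust the item instead of searching.
# An absent or malformed item yields no keys rather than aborting the run.
def keys_from_cache(item)
  return [] unless item.is_a?(Hash) && item['keys'].is_a?(Array)
  item['keys']
end

# Hosts a live search would return that the cache does not yet contain: the
# delay the README describes, since the worker must converge before anyone
# else sees a new node's key.
def stale_hosts(item, nodes, key_types = KEY_TYPES)
  cached = keys_from_cache(item).map { |k| k['fqdn'] }.uniq
  keys_from_search(nodes, key_types).map { |k| k['fqdn'] }.uniq - cached
end

if $PROGRAM_NAME == __FILE__
  item = build_cache_item(SEARCH_INDEX)
  puts JSON.pretty_generate(item)
  # A node bootstrapped after the worker's last converge.
  later = SEARCH_INDEX + [{ 'name' => 'web2', 'fqdn' => 'web2.example.test',
                            'ipaddress' => '10.0.0.12',
                            'keys' => { 'ssh' => { 'host_rsa_public' => 'AAAA-web2-rsa' } } }]
  puts "not yet in cache: #{stale_hosts(item, later).join(', ')}"
end
```

Running the file prints the cached item and then reports web2.example.test as the host that a direct search would already see but the cache will only pick up on the worker's next converge.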
Default Recipe
Searches the Chef Server for all hosts that have SSH host keys of the rsa,dsa key types (or, when use_data_bag_cache is true, reads the cacher's data bag item instead) and generates /etc/ssh/ssh_known_hosts from the result.
Adding custom host keys
There are two ways to add custom host keys. You can either use the ssh_known_hosts_entry resource built into Chef 14.4+ (see the warning above), or create a data bag called "ssh_known_hosts" and add an item for each host, where the key value is the public key as printed by ssh-keyscan without the leading hostname (for example "ssh-rsa AAAAB3..."):
{ "id": "github", "fqdn": "github.com", "rsa": "github-rsa-host-key" }
There are additional optional values you may use in the data bag:
| Attribute | Description | Example |
|---|---|---|
| id | a unique id for this data bag entry | github |
| fqdn | the fqdn of the host | github.com |
| rsa | the rsa key for this server | ssh-rsa AAAAB3... |
| ipaddress | the ipaddress of the node (if fqdn is not supplied) | 1.1.1.1 |
| hostname | local hostname of the server (if not a fqdn) | myserver.local |
| dsa | the dsa key for this server (OpenSSH's type string is ssh-dss, not ssh-dsa) | ssh-dss AAAAB3... |
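How the data bag items above become lines in ssh_known_hosts, as an added example in plain Ruby that is not the cookbook's own code: it applies the fqdn / ipaddress / hostname fallback from the table, checks each key before writing it (the algorithm named in the key text must match the data bag field and the header inside the base64 blob), and computes the SHA256 fingerprint in the form ssh-keygen -l prints so a written entry can be compared with a fingerprint obtained out of band. The keys are constructed blobs, not real host keys, and the rendering (one line per host and key type, sorted) is this example's choice, not necessarily the cookbook's template output.

```ruby
# Added example, not the cookbook's own code. Renders items from the
# "ssh_known_hosts" data bag into ssh_known_hosts lines, validating each key
# first. Sample keys below are constructed blobs, not real host keys.
require 'base64'
require 'digest'

# Data bag field => algorithm name OpenSSH uses both at the start of the key
# text and inside the key blob. DSA is "ssh-dss" on the wire, not "ssh-dsa".
KEY_ALGOS = { 'rsa' => 'ssh-rsa', 'dsa' => 'ssh-dss' }.freeze

# Builds a syntactically valid public-key blob (SSH wire format: length-
# prefixed strings, algorithm name first). Constructed test data only.
def fake_blob(algo, payload)
  [algo.bytesize].pack('N') + algo + [payload.bytesize].pack('N') + payload
end

def key_text(algo, payload)
  "#{algo} #{Base64.strict_encode64(fake_blob(algo, payload))}"
end

# Constructed items in the README's data bag format.
DATA_BAG_ITEMS = [
  { 'id' => 'github', 'fqdn' => 'github.com', 'rsa' => key_text('ssh-rsa', 'github') },
  { 'id' => 'bastion', 'ipaddress' => '192.0.2.10',
    'rsa' => key_text('ssh-rsa', 'bastion'), 'dsa' => key_text('ssh-dss', 'bastion') },
  # Wrong key in the wrong field: an RSA key stored under "dsa".
  { 'id' => 'legacy', 'hostname' => 'legacy.local', 'dsa' => key_text('ssh-rsa', 'legacy') },
  # No host identifier at all.
  { 'id' => 'orphan', 'rsa' => key_text('ssh-rsa', 'orphan') },
].freeze

# Name OpenSSH will match against, using the README's precedence.
def host_for(item)
  item['fqdn'] || item['ipaddress'] || item['hostname']
end

# "SHA256:<base64 without padding>", the form ssh-keygen -l prints, so an
# entry can be compared with a fingerprint obtained out of band.
def fingerprint(blob)
  'SHA256:' + Base64.strict_encode64(Digest::SHA256.digest(blob)).delete('=')
end

# Checks that "<algo> <base64>" parses, that the algorithm matches the data
# bag field, and that the blob's own header agrees. Returns the raw blob.
# Raises ArgumentError otherwise (strict_decode64 raises it for bad base64).
def validate_key(field, text)
  algo, b64 = text.to_s.split(' ', 3)
  expected = KEY_ALGOS.fetch(field)
  raise ArgumentError, "#{field}: expected #{expected}, got #{algo.inspect}" unless algo == expected
  blob = Base64.strict_decode64(b64.to_s)
  raise ArgumentError, "#{field}: blob too short" if blob.bytesize < 4
  len = blob[0, 4].unpack1('N')
  header = blob[4, len]
  raise ArgumentError, "#{field}: blob header #{header.inspect} is not #{algo}" unless header == algo
  blob
end

# One line per host and key type, sorted for stable diffs. Malformed items
# are reported and skipped so one bad entry cannot block or poison the file
# that every node in the cluster will trust.
def render_known_hosts(items)
  lines = []
  errors = []
  items.each do |item|
    host = host_for(item)
    if host.nil?
      errors << "#{item['id']}: no fqdn, ipaddress or hostname"
      next
    end
    KEY_ALGOS.each_key do |field|
      next if item[field].nil?
      begin
        validate_key(field, item[field])
        lines << "#{host} #{item[field]}"
      rescue ArgumentError => e
        errors << "#{item['id']}: #{e.message}"
      end
    end
  end
  [lines.sort, errors]
end

if $PROGRAM_NAME == __FILE__
  lines, errors = render_known_hosts(DATA_BAG_ITEMS)
  puts lines
  lines.each do |l|
    host, algo, b64 = l.split(' ', 3)
    puts "# #{host} #{algo} #{fingerprint(Base64.strict_decode64(b64))}"
  end
  errors.each { |e| warn "skipped #{e}" }
end
```

The fingerprint lines are what you would compare against the value the host's owner publishes; the two skipped items (a key under the wrong field, an item with no host) are the kinds of data bag mistakes that would otherwise silently produce an entry no client can match or, worse, an entry that vouches for the wrong key.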
Attributes
The following attributes are set on a per-platform basis, see attributes/default.rb.
- node['ssh_known_hosts']['file'] - Sets the location of the ssh_known_hosts file for the system. Defaults to '/etc/ssh/ssh_known_hosts'.
- node['ssh_known_hosts']['key_type'] - Determines which key types ssh-keyscan will request when fetching a host key; available types vary between systems, so check the ssh-keyscan manpage for yours. Defaults to 'rsa,dsa'. Note that OpenSSH 7.0 and later reject ssh-dss host keys by default, so DSA entries are ignored by modern clients; ecdsa and ed25519 have been supported since v2.1.0 (see the CHANGELOG) and are the types to prefer.
- node['ssh_known_hosts']['use_data_bag_cache'] - Use the data bag maintained by the cacher server to build /etc/ssh/ssh_known_hosts instead of a direct search (requires that a node be set up to run the cacher recipe regularly).
- node['ssh_known_hosts']['cacher']['data_bag'] / node['ssh_known_hosts']['cacher']['data_bag_item'] - Data bag and item where the cacher recipe stores its keys (server_data/known_hosts by default).
- node['ssh_known_hosts']['node_search_query'] - Additional query string appended to the node search, for example to restrict which nodes' keys are collected.
License & Authors
Author: Cookbook Engineering Team (cookbooks@chef.io)
Copyright: 2008-2019, Chef Software, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Dependent cookbooks
This cookbook has no specified dependencies.
ssh_known_hosts CHANGELOG
This file is used to list changes made in each version of the ssh_known_hosts cookbook.
7.0.0 (2019-06-10)
Breaking Changes
- Requires Chef 14.4 or later
- Removes the ::deprecated recipe that was undocumented, but included for backwards compatibility
- Removes the resource which is now included in Chef 14.4 or later
6.2.0 (2018-09-10)
- Add all known keys to the known hosts by default, but add option to keep old behaviour.
- Make names of resources with different key types unique
6.1.3 (2018-09-04)
- Allow additional query params in Chef search
- The ssh_known_hosts_entry resource is now built into Chef 14.4+. When Chef 15.4 is released (April 2019) this resource will be removed from this cookbook as all users should be on Chef 14.4+.
6.1.2 (2018-04-27)
- Use root_group for the group ownership to support macOS and BSD
6.1.1 (2018-04-27)
- Document a few missing properties in the resource
6.1.0 (2018-04-16)
- Use delayed_action instead of a log resource with notification. This makes resource runs a bit cleaner as you won't see a log resource converging as well
- Add a new property file_location for controlling where the ssh config is. This defaults to the previously set value from the node attribute, but can be set on individual resources. This also lets you set the path to a particular user's ssh known hosts file if you want to modify that.
- By default only set key type of RSA, not RSA and DSA. You can modify this behavior by setting the key_type property. Previously we used the node level attribute, but this didn't allow you to change the behavior on individual resources
6.0.0 (2018-04-16)
- add a :flush action to ssh_known_hosts_entry which immediately writes the file to disk. See the readme for an example of how to use this
- Remove action_class.class_eval and just use action_class instead
- Increase the required Chef release to 12.11 for some of the accumulator functionality we use now
- Improve testing
- Improve the docs for the resource
5.2.1 (2017-05-30)
- Resolve foodcritic warnings
5.2.0 (2017-05-30)
- Update apache2 license string
- Add supports metadata
- Remove class_eval usage and require Chef 12.7+
5.1.0 (2017-03-14)
- add support for hashed entries when using keyscan
- Test with Local Delivery instead of Rake
- add a "deprecated" recipe for back-compat-ish behavior
5.0.0 (2017-02-23)
- Require Chef 12.5+ and remove compat_resource dependency
4.1.1 (2017-01-06)
- Do not write port number if it is 22
4.1.0 (2016-12-29)
- Convert entry LWRP to a custom_resource with a delayed accumulator pattern
- Resolve sort ordering issues
- Fix for non-port-22 issues
- Add helper correctly in the recipe DSL
4.0.0 (2016-09-07)
- Require chef 12+
- Testing updates
- Remove chef 10 compatibility code
v3.1.0 (2016-07-18)
- [#59] adds mode, owner, group attributes to the entry resource
v3.0.1 (2016-07-15)
- [#58] Fix issues brought in with v3.0.0 with ssh-keyscan
- [#58] Add timeout parameter to entry resource associated with ssh-keyscan
- [#58] Cleaned up some extraneous old chef-solo code
v3.0.0 (2016-07-14)
- [#55] Remove deprecated cookbook dependency on partial_search making cookbook Chef 12+ only
v2.1.0 (2016-07-13)
- [#51] Add support for ECDSA and ED25519 keys josacar
- [#42] Check for nil FQDN realloc
v2.0.0 (2014-12-02)
- [#36] Fix the way keys are rendered
- [#22] Update to README
- [#32] Clean up logging
- [#23] Do not hash public keys
- [#34] Serverspec updates
- [#28] Add data bag caching option
- [#20] Add chefspec matchers
- [#33] Add test to verify chefspec matcher
v1.3.2 (2014-04-23)
- [COOK-4579] - Do not use ssh-keyscan stderr
v1.3.0 (2014-04-09)
- [COOK-4489] Updated ssh-keyscan to include -t type
v1.2.0 (2014-02-18)
Bug
- COOK-3453 - ssh_known_hosts cookbook ruby block executes on every chef run
v1.1.0
- [COOK-3765] - support ssh-keyscan using an alternative port number
v1.0.2
Bug
- COOK-3113 - Use empty string when result is nil
v1.0.0
This is a major release because it requires a server that supports the partial search feature.
- Chef Software Hosted Chef
- Chef Software Private Chef
- Open Source Chef 11
Improvement
- [COOK-830]: uses an inordinate amount of RAM when running exception handlers
v0.7.4
- [COOK-2440] - ssh_known_hosts fails to use data bag entries, doesn't grab items
v0.7.2
- [COOK-2364] - Wrong LWRP name used in recipe
v0.7.0
- [COOK-2320] - Merge known_host LWRP into ssh_known_hosts
v0.6.0
- [COOK-2268] - Allow to run with chef-solo
v0.5.0
- [COOK-1077] - allow adding arbitrary host keys from a data bag
v0.4.0
- COOK-493: include fqdn
- COOK-721: corrected permissions
Collaborator Number Metric
7.0.0 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
7.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Cookstyle Metric
7.0.0 failed this metric
Chef/Modernize/FoodcriticComments: Remove legacy code comments that disable Foodcritic rules (https://docs.chef.io/workstation/cookstyle/chef_modernize_foodcriticcomments): ssh_known_hosts/recipes/cacher.rb: 33
Chef/RedundantCode/LongDescriptionMetadata: The long_description metadata.rb method is not used and is unnecessary in cookbooks. (https://docs.chef.io/workstation/cookstyle/chef_redundantcode_longdescriptionmetadata): ssh_known_hosts/metadata.rb: 6
Chef/RedundantCode/RecipeMetadata: The recipe metadata.rb method is not used and is unnecessary in cookbooks. Recipes should be documented in the cookbook's README.md file instead. (https://docs.chef.io/workstation/cookstyle/chef_redundantcode_recipemetadata): ssh_known_hosts/metadata.rb: 8
Run with Cookstyle Version 7.32.1 with cops Chef/Deprecations,Chef/Correctness,Chef/Sharing,Chef/RedundantCode,Chef/Modernize,Chef/Security,InSpec/Deprecations
No Binaries Metric
7.0.0 passed this metric
Testing File Metric
7.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
7.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number