Page MenuHomePhabricator

Generate ssh_known_hosts for network devices
Open, MediumPublic


Similar to what is done for servers (from PuppetDB data) it would be great to generate an authoritative ssh_known_hosts file.

As the devices don't change often and the list is short, it's okay to have something only semi-automatic.

Some of the ideas (from IRC and other):

  • Get the list of devices from Netbox
  • Use ssh-keyscan, main limitation: doesn't use ssh's proxycommand
  • Have a script in puppet/utils that generates the file, then manually commit updates via Gerrit
  • Have that script on puppetmaster (commiting to puppet-private) or cumin (to regular file) to workaround ssh-keyscan limitations
  • Store the devices pubkeys in a Netbox' custom field (manually updated)

Event Timeline

ayounsi triaged this task as Medium priority.May 14 2020, 8:02 AM
ayounsi created this task.

If you wanted the script to be invoked on SRE's own machines, it could
first ssh to a bastion and then invoke ssh-keyscan from there.