Page MenuHomePhabricator
Create Task
Maniphest T252747

Generate ssh_known_hosts for network devices
Open, MediumPublic
Actions

Description

Similar to what is done for servers (from PuppetDB data) it would be great to generate an authoritative ssh_known_hosts file.

As the devices don't change often and the list is short, it's okay to have something only semi-automatic.

Some of the ideas (from IRC and other):

  • Get the list of devices from Netbox
  • Use ssh-keyscan, main limitation: doesn't use ssh's proxycommand
  • Have a script in puppet/utils that generates the file, then manually commit updates via Gerrit
  • Have that script on puppetmaster (commiting to puppet-private) or cumin (to regular file) to workaround ssh-keyscan limitations
  • Store the devices pubkeys in a Netbox' custom field (manually updated)

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT252747 Generate ssh_known_hosts for network devices
 OpenNoneT336275 Upgrade Netbox to 4.x

Event Timeline

ayounsi triaged this task as Medium priority.May 14 2020, 8:02 AM
ayounsi created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 14 2020, 8:02 AM
CDanis added a comment.May 14 2020, 2:03 PM

If you wanted the script to be invoked on SRE's own machines, it could
first ssh to a bastion and then invoke ssh-keyscan from there.

Volans added a project: SRE-tools.May 14 2020, 2:38 PM
Volans added a subscriber: faidon.
Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 8:59 PM
ayounsi added a subtask: T336275: Upgrade Netbox to 4.x.Apr 8 2024, 2:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL