author | Oliver Walsh <owalsh@redhat.com> | 2017-03-24 14:35:09 +0000 |
---|---|---|
committer | Oliver Walsh <owalsh@redhat.com> | 2017-04-13 21:53:59 +0100 |
commit | 7d3552a105ad5aa62cad0998c11df5ec6bd06ed6 (patch) | |
tree | 38e0f69556cdce84f14a95e04e50a56d1a7a0ac5 /extraconfig/tasks/ssh/known_hosts_config.yaml | |
parent | 8716d9f769dd17ef17fef7f0fdefaf0df6a7fe24 (diff) |
SSH known_hosts config
Fetch the host public keys from each node, combine them all and write to the
system-wide ssh known hosts. The alternative of disabling host key
verification is vulnerable to a MITM attack.
Change-Id: Ib572b5910720b1991812256e68c975f7fbe2239c
Diffstat (limited to 'extraconfig/tasks/ssh/known_hosts_config.yaml')
-rw-r--r-- | extraconfig/tasks/ssh/known_hosts_config.yaml | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/extraconfig/tasks/ssh/known_hosts_config.yaml b/extraconfig/tasks/ssh/known_hosts_config.yaml
new file mode 100644
index 00000000..2ebcb63c
--- /dev/null
+++ b/extraconfig/tasks/ssh/known_hosts_config.yaml
@@ -0,0 +1,36 @@
+heat_template_version: ocata
+description: 'SSH Known Hosts Config'
+
+parameters:
+  known_hosts:
+    type: string
+
+resources:
+
+  SSHKnownHostsConfig:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: script
+      inputs:
+        - name: known_hosts
+          default: {get_param: known_hosts}
+      config: |
+        #!/bin/bash
+        set -eux
+        set -o pipefail
+
+        echo "Creating ssh known hosts file"
+
+        if [ ! -z "${known_hosts}" ]; then
+          echo "${known_hosts}"
+          echo -ne "${known_hosts}" > /etc/ssh/ssh_known_hosts
+          chmod 0644 /etc/ssh/ssh_known_hosts
+        else
+          rm -f /etc/ssh/ssh_known_hosts
+          echo "No ssh known hosts"
+        fi
+
+outputs:
+  OS::stack_id:
+    description: The SSHKnownHostsConfig resource.
+    value: {get_resource: SSHKnownHostsConfig}
\ No newline at end of file |
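Review bot: The write to `/etc/ssh/ssh_known_hosts` in the `config` script is not atomic: the `>` redirection truncates the system-wide file first, so any ssh client started on the node during the write sees an empty or partial known_hosts and either fails host-key verification or falls back to prompting, and the file also exists briefly with whatever mode the process umask gives it before `chmod 0644` runs. Writing to a temporary file in the same directory and renaming it over the target closes both windows and keeps the old, valid file in place until the new one is complete. The `echo -ne` escape processing is presumably relied on because the combined keys arrive as one string with `\n` separators (hedged: the joining is done outside this hunk), so `printf '%b'` preserves that behaviour while not treating a value that happens to start with `-` as an option; `[ -n ... ]` reads more plainly than `[ ! -z ... ]`. The hunk holds the whole file, so the surrounding template is complete.
```yaml
        if [ -n "${known_hosts}" ]; then
          echo "${known_hosts}"
          tmp=$(mktemp /etc/ssh/ssh_known_hosts.XXXXXX)
          printf '%b' "${known_hosts}" > "${tmp}"
          chmod 0644 "${tmp}"
          mv -f "${tmp}" /etc/ssh/ssh_known_hosts
        # … unchanged: else branch removing the file, fi …
```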