author | Oliver Walsh <owalsh@redhat.com> | 2017-03-24 14:35:09 +0000 |
---|---|---|
committer | James Slagle <jslagle@redhat.com> | 2017-04-20 22:16:35 +0000 |
commit | 68d7196d472b5195c19e871e960996e89a7bcb9c (patch) | |
tree | 83cd2872cf542106ea19a343d1c5217e18287f7d /extraconfig/tasks/ssh/known_hosts_config.yaml | |
parent | 33e53fd87784914d010411ec85d040623e4c2617 (diff) |
SSH known_hosts config
Fetch the host public keys from each node, combine them all and write to the
system-wide ssh known hosts. The alternative of disabling host key
verification is vulnerable to a MITM attack.
Change-Id: Ib572b5910720b1991812256e68c975f7fbe2239c
(cherry picked from commit 7d3552a105ad5aa62cad0998c11df5ec6bd06ed6)
Diffstat (limited to 'extraconfig/tasks/ssh/known_hosts_config.yaml')
-rw-r--r-- | extraconfig/tasks/ssh/known_hosts_config.yaml | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/extraconfig/tasks/ssh/known_hosts_config.yaml b/extraconfig/tasks/ssh/known_hosts_config.yaml
new file mode 100644
index 00000000..2ebcb63c
--- /dev/null
+++ b/extraconfig/tasks/ssh/known_hosts_config.yaml
@@ -0,0 +1,36 @@
+heat_template_version: ocata
+description: 'SSH Known Hosts Config'
+
+parameters:
+ known_hosts:
+ type: string
+
+resources:
+
+ SSHKnownHostsConfig:
+ type: OS::Heat::SoftwareConfig
+ properties:
+ group: script
+ inputs:
+ - name: known_hosts
+ default: {get_param: known_hosts}
+ config: |
+ #!/bin/bash
+ set -eux
+ set -o pipefail
+
+ echo "Creating ssh known hosts file"
+
+ if [ ! -z "${known_hosts}" ]; then
+ echo "${known_hosts}"
+ echo -ne "${known_hosts}" > /etc/ssh/ssh_known_hosts
+ chmod 0644 /etc/ssh/ssh_known_hosts
+ else
+ rm -f /etc/ssh/ssh_known_hosts
+ echo "No ssh known hosts"
+ fi
+
+outputs:
+ OS::stack_id:
+ description: The SSHKnownHostsConfig resource.
+ value: {get_resource: SSHKnownHostsConfig}
\ No newline at end of file |
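Review bot: The write to /etc/ssh/ssh_known_hosts in the `config` script is not atomic: `echo -ne "${known_hosts}" > /etc/ssh/ssh_known_hosts` truncates the file before the new content lands, so an ssh client started on the node during a stack update can observe an empty or partial file and fail verification for hosts that were previously known. `echo -e` also rewrites any backslash sequence in the parameter; if the caller relies on `\n` escapes being expanded that is worth stating in the `known_hosts` parameter description, otherwise `printf '%s'` would be the safer form. Writing to a temporary file beside the target and renaming it keeps the old file valid until the replacement is complete, and since `set -x` already prints the expanded arguments, the separate `echo "${known_hosts}"` line adds nothing but log volume.
```bash
if [ -n "${known_hosts}" ]; then
  tmp=$(mktemp /etc/ssh/ssh_known_hosts.XXXXXX)
  echo -ne "${known_hosts}" > "${tmp}"
  chmod 0644 "${tmp}"
  mv -f "${tmp}" /etc/ssh/ssh_known_hosts
else
  # … unchanged: remove the file and log "No ssh known hosts" …
fi
```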