From 68d7196d472b5195c19e871e960996e89a7bcb9c Mon Sep 17 00:00:00 2001
From: Oliver Walsh <owalsh@redhat.com>
Date: Fri, 24 Mar 2017 14:35:09 +0000
Subject: SSH known_hosts config

Fetch the host public keys from each node, combine them all and write to the
system-wide ssh known hosts. The alternative of disabling host key
 verification is vulnerable to a MITM attack.

Change-Id: Ib572b5910720b1991812256e68c975f7fbe2239c
(cherry picked from commit 7d3552a105ad5aa62cad0998c11df5ec6bd06ed6)
---
 extraconfig/tasks/ssh/known_hosts_config.yaml | 36 +++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 extraconfig/tasks/ssh/known_hosts_config.yaml

(limited to 'extraconfig/tasks/ssh/known_hosts_config.yaml')

diff --git a/extraconfig/tasks/ssh/known_hosts_config.yaml b/extraconfig/tasks/ssh/known_hosts_config.yaml
new file mode 100644
index 00000000..2ebcb63c
--- /dev/null
+++ b/extraconfig/tasks/ssh/known_hosts_config.yaml
@@ -0,0 +1,36 @@
+heat_template_version: ocata
+description: 'SSH Known Hosts Config'
+
+parameters:
+  known_hosts:
+    type: string
+
+resources:
+
+  SSHKnownHostsConfig:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: script
+      inputs:
+        - name: known_hosts
+          default: {get_param: known_hosts}
+      config: |
+        #!/bin/bash
+        set -eux
+        set -o pipefail
+
+        echo "Creating ssh known hosts file"
+
+        if [ ! -z "${known_hosts}" ]; then
+          echo "${known_hosts}"
+          echo -ne "${known_hosts}" > /etc/ssh/ssh_known_hosts
+          chmod 0644 /etc/ssh/ssh_known_hosts
+        else
+          rm -f /etc/ssh/ssh_known_hosts
+          echo "No ssh known hosts"
+        fi
+
+outputs:
+  OS::stack_id:
+    description: The SSHKnownHostsConfig resource.
+    value: {get_resource: SSHKnownHostsConfig}
\ No newline at end of file
-- 
cgit 1.2.3-korg