2011-11-22 03:19:13 |
Eric Hammond |
description |
In bug #892554, Kees Cook (kees) makes a great suggestion that cloud-init could output the public ssh host keys to the console output. This could then be read by automated software outside of the instance and added to a known_hosts file using the IP address and/or hostname that the remote system wishes to use to connect to the instance.
As Scott Moser (smoser) points out, the existing ssh host key fingerprints should be left in the output in the current de facto standard format so as to not break any existing software or human processes that check this.
The new output should be added using a different set of public ssh host key delimiters (see proposed format below).
There is no need to require a cloud-init configuration option; this information should always be output. Extra information in the console output should not interfere with any existing programs as long as it is separate from the existing formatted information.
The simplest way to present the information might be to just print out the first two fields of all public host keys. For example:
cut -f1-2 -d' ' /etc/ssh/ssh_host_*_key.pub
The client system would query the console output, select one of these ssh host keys, and add it to known_hosts, prepended by the IP address and/or hostnames that it wishes to use to connect to the instance.
Here's an example of what this might look like in the console output:
-----BEGIN PUBLIC SSH HOST KEYS-----
ssh-dss AAAAB3NzaC1kc3MAAACBAOx12z6/snxt5HWbRZNmvs/hH+5EXsLLKR4XnyH56EQFNmpxGy3O5qBNvNpt4GejLmFR6TJdMANwFhkOfUkLcotTpgm+z3nA4wFUZt23o2CjYvqHSx5pOON390XM6xHhXzlGlkip5XUVM4flNhwQNAvt+9bo3//OTtXEZ1ZZ2M8bAAAAFQDiJIlHJxNS2jOsiHIsm5g3Vl5JuwAAAIEAiZXdnPnupHa5EvqAmaa0Gdzqp1mcRm7a/ovQ/Oko/IByF0OqAEZtb3VevUOoC1HFBoYfcP1kRKdey/W7TyLJPYWt/ZuMdNmZSuPZt7U99WkRt+sGfOlTc2PnxbKzbC+dqcBpuVvjy7AJEngucUJ8lykrpR30Fo538KkSHcITf+QAAACBAONcYr7hoksk3BhtvxFKjXoqcwBiDxAuj+aq90oWsenWfStuOO84eg1tJhZNp0VFv9mICevICoY4P+3ZjD7SvTdq5Xk3Uw4wabgFE4rBwS4XrZMA9+O9/S8+b20h+pQSbfwZIZiULTjBP2I89acPExhmrApSpZ+ByqB3HvnKawG+
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ=
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0I3L8UiDoF4LkzpJNHBDM2w9JFE6CbvmAQgW6+czbDOwvrFxQU2rw2HLLUOn+Z2WCE5AJSY7E7pxCrDo1v27hkVgaM6KqWks74vYxIkqfGCyf31y1N8QrmVCsAC74KFp9rhwP0uHmrN8XUIYFik8MoNphf+2aKWieJdZtzQGQ22mNNKDkP1yX3Uvb1QI+8d770dcIqr61AwkUBQgPgPyeii8W7r2+nq1lNQEnYts0N+13+40lEShnrRtsdKY6diEVs2uQId7VWw04lXOzWGi8oSWlunDWyRCQPtfvBFQtJ8AsivyZjmBuN9VJSDHLY1EQhXayygKfi6u6GKFVLZmd
-----END PUBLIC SSH HOST KEYS-----
And here's an example of what the client system might add to known_hosts:
50.16.12.209,ec2-50-16-12-209.compute-1.amazonaws.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ=
or with hashing:
|1|q0CnRd/EVpfAXEVMAi7fqx0lFaI=|8BrFOu2+GGRMKDS+1WiVG8xpwt0= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ=
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: cloud-init 0.6.1-0ubuntu22
ProcVersionSignature: User Name 3.0.0-12.20-virtual 3.0.4
Uname: Linux 3.0.0-12-virtual i686
ApportVersion: 1.23-0ubuntu3
Architecture: i386
Date: Tue Nov 22 00:12:40 2011
Ec2AMI: ami-a7f539ce
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1a
Ec2InstanceType: m1.small
Ec2Kernel: aki-805ea7e9
Ec2Ramdisk: unavailable
PackageArchitecture: all
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: cloud-init
UpgradeStatus: No upgrade log present (probably fresh install) |
In bug #892554, Kees Cook (kees) makes a great suggestion that cloud-init could output the public ssh host keys to the console output. This could then be read by automated software outside of the instance and added to a known_hosts file using the IP address and/or hostname that the remote system wishes to use to connect to the instance.
As Scott Moser (smoser) points out, the existing ssh host key fingerprints should be left in the output in the current de facto standard format so as to not break any existing software or human processes that check this.
The new output should be added using a different set of public ssh host key delimiters (see proposed format below).
There is no need to require a cloud-init configuration option; this information should always be output. Extra information in the console output should not interfere with any existing programs as long as it is separate from the existing formatted information.
The simplest way to present the information might be to just output the contents of all public host keys. For example:
cat /etc/ssh/ssh_host_*_key.pub
The client system would query the console output, select one of these ssh host keys, and add it to known_hosts, prepended by the IP address and/or hostnames that it wishes to use to connect to the instance.
Here's an example of what this might look like in the console output:
-----BEGIN PUBLIC SSH HOST KEYS-----
ssh-dss AAAAB3NzaC1kc3MAAACBAOx12z6/snxt5HWbRZNmvs/hH+5EXsLLKR4XnyH56EQFNmpxGy3O5qBNvNpt4GejLmFR6TJdMANwFhkOfUkLcotTpgm+z3nA4wFUZt23o2CjYvqHSx5pOON390XM6xHhXzlGlkip5XUVM4flNhwQNAvt+9bo3//OTtXEZ1ZZ2M8bAAAAFQDiJIlHJxNS2jOsiHIsm5g3Vl5JuwAAAIEAiZXdnPnupHa5EvqAmaa0Gdzqp1mcRm7a/ovQ/Oko/IByF0OqAEZtb3VevUOoC1HFBoYfcP1kRKdey/W7TyLJPYWt/ZuMdNmZSuPZt7U99WkRt+sGfOlTc2PnxbKzbC+dqcBpuVvjy7AJEngucUJ8lykrpR30Fo538KkSHcITf+QAAACBAONcYr7hoksk3BhtvxFKjXoqcwBiDxAuj+aq90oWsenWfStuOO84eg1tJhZNp0VFv9mICevICoY4P+3ZjD7SvTdq5Xk3Uw4wabgFE4rBwS4XrZMA9+O9/S8+b20h+pQSbfwZIZiULTjBP2I89acPExhmrApSpZ+ByqB3HvnKawG+ root@ip-10-32-30-193
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ= root@ip-10-32-30-193
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0I3L8UiDoF4LkzpJNHBDM2w9JFE6CbvmAQgW6+czbDOwvrFxQU2rw2HLLUOn+Z2WCE5AJSY7E7pxCrDo1v27hkVgaM6KqWks74vYxIkqfGCyf31y1N8QrmVCsAC74KFp9rhwP0uHmrN8XUIYFik8MoNphf+2aKWieJdZtzQGQ22mNNKDkP1yX3Uvb1QI+8d770dcIqr61AwkUBQgPgPyeii8W7r2+nq1lNQEnYts0N+13+40lEShnrRtsdKY6diEVs2uQId7VWw04lXOzWGi8oSWlunDWyRCQPtfvBFQtJ8AsivyZjmBuN9VJSDHLY1EQhXayygKfi6u6GKFVLZmd root@ip-10-32-30-193
-----END PUBLIC SSH HOST KEYS-----
And here's an example of what the client system might add to known_hosts:
50.16.12.209,ec2-50-16-12-209.compute-1.amazonaws.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ= root@ip-10-32-30-193
or with hashing:
|1|q0CnRd/EVpfAXEVMAi7fqx0lFaI=|8BrFOu2+GGRMKDS+1WiVG8xpwt0= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD3aGodGnmPfXEWBRKKVW/zkKP+vC/HPBmNg87gcLLx+WwT7UQgKxsZXVWhccs2BEwbvik/dlfcQX1Zby0ZSYgQ= root@ip-10-32-30-193
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: cloud-init 0.6.1-0ubuntu22
ProcVersionSignature: User Name 3.0.0-12.20-virtual 3.0.4
Uname: Linux 3.0.0-12-virtual i686
ApportVersion: 1.23-0ubuntu3
Architecture: i386
Date: Tue Nov 22 00:12:40 2011
Ec2AMI: ami-a7f539ce
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1a
Ec2InstanceType: m1.small
Ec2Kernel: aki-805ea7e9
Ec2Ramdisk: unavailable
PackageArchitecture: all
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: cloud-init
UpgradeStatus: No upgrade log present (probably fresh install) |
|