ssh_known_hosts 2.0.0

Dynamically generates /etc/ssh/known_hosts based on search indexes

cookbook 'ssh_known_hosts', '~> 2.0.0'
knife cookbook site install ssh_known_hosts
knife cookbook site download ssh_known_hosts

ssh_known_hosts Cookbook

The Chef ssh_known_hosts cookbook exposes a resource and a default recipe for adding hosts and their keys to the /etc/ssh/ssh_known_hosts file.

  • The default recipe builds /etc/ssh/ssh_known_hosts based either on search indexes using rsa,dsa key types and ohai data or, when ['ssh_known_hosts']['use_data_bag_cache'] is true, on the contents of a data bag that is maintained by the cacher recipe running on a worker node.
  • The cacher recipe builds and maintains a data bag based on search indexes using rsa,dsa key types and ohai data.
  • The LWRP provides a way to add custom entries in your own recipes.

You can also optionally put other host keys in a data bag called "ssh_known_hosts". See below for details.


Should work on any operating system that supports /etc/ssh/ssh_known_hosts.

The Opscode partial_search cookbook is required for the default recipe, as well as a Chef Server that supports partial search:

  • Opscode Hosted Chef
  • Opscode Private Chef
  • Open Source Chef Server 11



Use the LWRP ssh_known_hosts_entry to append an entry for the specified host in /etc/ssh/ssh_known_hosts. For example:

ssh_known_hosts_entry ''

This will append an entry in /etc/ssh/ssh_known_hosts like this:

# SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1+github8 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

You can optionally specify your own key, if you don't want to use ssh-keyscan:

ssh_known_hosts_entry '' do
  key ' ssh-rsa ...'
end


Use the cacher recipe on a single "worker" node somewhere in your cluster to maintain a data bag (server_data/known_hosts by default) containing all of your nodes' host keys. The advantage of this approach is that it is much faster than running a search of all nodes, and it substantially lightens the load on locally hosted Chef servers. The drawback is that the data is slightly delayed (because the cacher worker must converge first).

To use the cacher, include the ssh_known_hosts::cacher recipe in a wrapper cookbook or in the run list of a designated worker node.


The following attributes are set on a per-platform basis; see attributes/default.rb.

  • node['ssh_known_hosts']['file'] - Location of the ssh_known_hosts file for the system. Defaults to '/etc/ssh/ssh_known_hosts'.
  • node['ssh_known_hosts']['key_type'] - Key types that ssh-keyscan will request when gathering the host key. Different systems offer different key types; check the ssh-keyscan manpage for those available on yours. Defaults to 'rsa,dsa'.
  • node['ssh_known_hosts']['use_data_bag_cache'] - Build /etc/ssh/ssh_known_hosts from the data bag maintained by the cacher node instead of from a direct search (requires that a node be set up to run the cacher recipe regularly).
  • node['ssh_known_hosts']['cacher']['data_bag'] / node['ssh_known_hosts']['cacher']['data_bag_item'] - Data bag and item where the cacher recipe stores its keys.

LWRP Attributes

<table>
  <thead>
    <tr> <th>Attribute</th> <th>Description</th> <th>Example</th> <th>Default</th> </tr>
  </thead>
  <tbody>
    <tr> <td>host</td> <td>the host to add</td> <td><tt></tt></td> <td></td> </tr>
    <tr> <td>key</td> <td>(optional) provide your own key</td> <td><tt>ssh-rsa ...</tt></td> <td><tt>ssh-keyscan -H #{host}</tt></td> </tr>
    <tr> <td>port</td> <td>(optional) the server port that ssh-keyscan will use to gather the public key</td> <td><tt>2222</tt></td> <td><tt>22</tt></td> </tr>
  </tbody>
</table>

Default Recipe

Searches the Chef Server for all hosts that have SSH host keys using rsa,dsa key types and generates an /etc/ssh/ssh_known_hosts.

Adding custom host keys

There are two ways to add custom host keys: use the provided LWRP (see above), or create a data bag called "ssh_known_hosts" and add an item for each host:

{
  "id": "github",
  "fqdn": "",
  "rsa": "github-rsa-host-key"
}

There are additional optional values you may use in the data bag:

<table>
  <thead>
    <tr> <th>Attribute</th> <th>Description</th> <th>Example</th> <th>Default</th> </tr>
  </thead>
  <tbody>
    <tr> <td>id</td> <td>a unique id for this data bag entry</td> <td><tt>github</tt></td> <td></td> </tr>
    <tr> <td>fqdn</td> <td>the fqdn of the host</td> <td><tt></tt></td> <td></td> </tr>
    <tr> <td>rsa</td> <td>the rsa key for this server</td> <td><tt>ssh-rsa AAAAB3...</tt></td> <td></td> </tr>
    <tr> <td>ipaddress</td> <td>the ipaddress of the node (if fqdn is missing)</td> <td><tt></tt></td> <td></td> </tr>
    <tr> <td>hostname</td> <td>local hostname of the server (if not a fqdn)</td> <td><tt>myserver.local</tt></td> <td></td> </tr>
    <tr> <td>dsa</td> <td>the dsa key for this server</td> <td><tt>ssh-dsa ABAAC3...</tt></td> <td></td> </tr>
  </tbody>
</table>

ChefSpec matchers

A custom matcher is available for you to use in recipe tests.

describe 'my_cookbook::my_recipe' do
  let(:chef_run) { }
  it { expect(chef_run).to append_to_ssh_known_hosts '' }
end

License and Authors

Copyright:: 2011-2013, Opscode, Inc

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

partial_search >= 0.0.0

Contingent cookbooks

  • builder
  • config-driven-helper
  • eucalyptus
  • git_user
  • github_connector
  • github_users
  • gitolite-server
  • hadoop_for_hbase
  • jenkins_drupal
  • nodestack
  • prun-cfg
  • rdiff-backup
  • resin

v2.0.0 (2014-12-02)

  • [#36] Fix the way keys are rendered
  • [#22] Update to README
  • [#32] Clean up logging
  • [#23] Do not hash public keys
  • [#34] Serverspec updates
  • [#28] Add data bag caching option
  • [#20] Add chefspec matchers
  • [#33] Add test to verify chefspec matcher

v1.3.2 (2014-04-23)

  • [COOK-4579] - Do not use ssh-keyscan stderr

v1.3.0 (2014-04-09)

  • [COOK-4489] Updated ssh-keyscan to include -t type

v1.2.0 (2014-02-18)


  • COOK-3453 - ssh_known_hosts cookbook ruby block executes on every chef run


  • [COOK-3765] - support ssh-keyscan using an alternative port number



  • COOK-3113 - Use empty string when result is nil


This is a major release because it requires a server that supports the partial search feature.

  • Opscode Hosted Chef
  • Opscode Private Chef
  • Open Source Chef 11


  • [COOK-830]: uses an inordinate amount of RAM when running exception handlers


  • [COOK-2440] - ssh_known_hosts fails to use data bag entries, doesn't grab items


  • [COOK-2364] - Wrong LWRP name used in recipe


  • [COOK-2320] - Merge known_host LWRP into ssh_known_hosts


  • [COOK-2268] - Allow to run with chef-solo


  • [COOK-1077] - allow adding arbitrary host keys from a data bag


  • COOK-493: include fqdn
  • COOK-721: corrected permissions

FC002: Avoid string interpolation where not required: /tmp/cook/903d1a705a8392c85180ea4e/ssh_known_hosts/recipes/cacher.rb:30
FC002: Avoid string interpolation where not required: /tmp/cook/903d1a705a8392c85180ea4e/ssh_known_hosts/recipes/cacher.rb:40
FC031: Cookbook without metadata file: /tmp/cook/903d1a705a8392c85180ea4e/ssh_known_hosts/metadata.rb:1
FC045: Consider setting cookbook name in metadata: /tmp/cook/903d1a705a8392c85180ea4e/ssh_known_hosts/metadata.rb:1
FC048: Prefer Mixlib::ShellOut: /tmp/cook/903d1a705a8392c85180ea4e/ssh_known_hosts/providers/entry.rb:40