ssh_known_hosts cookbook, version 6.0.0 (35 versions published)

Dynamically generates /etc/ssh/ssh_known_hosts based on search indexes

Policyfile: cookbook 'ssh_known_hosts', '= 6.0.0', :supermarket
Berkshelf:  cookbook 'ssh_known_hosts', '= 6.0.0'
Knife:      knife supermarket install ssh_known_hosts
            knife supermarket download ssh_known_hosts

ssh_known_hosts Cookbook
The Chef ssh_known_hosts cookbook exposes a resource as well as a recipe for adding hosts and keys to /etc/ssh/ssh_known_hosts, the system-wide list of trusted host public keys.

  • The default recipe builds /etc/ssh/ssh_known_hosts either from search indexes (ohai data for every node, using the rsa,dsa key types by default) or, when node['ssh_known_hosts']['use_data_bag_cache'] is true, from the contents of a data bag that is maintained by the cacher recipe running on a worker node.
  • The cacher recipe builds and maintains that data bag from the same search indexes and ohai data.
  • The ssh_known_hosts_entry resource lets you add custom entries from your own recipes.

You can also optionally put other host keys in a data bag called "ssh_known_hosts". See below for details.

Requirements

Platforms

  • Any operating system that supports /etc/ssh/ssh_known_hosts.

Chef

  • 12.11+

Resource

ssh_known_hosts_entry

Use the ssh_known_hosts_entry resource to append an entry for the specified host to /etc/ssh/ssh_known_hosts. Its actions, properties and usage examples follow.

Actions

  • :create - Create an entry (default)
  • :flush - Immediately flush the entries to the config file (see example below)

Properties

Property, description, example, and default:

  • host - the host to add. Example: github.com. Required; no default.
  • key (optional) - provide your own key instead of running ssh-keyscan. Example: ssh-rsa ... Default: the output of ssh-keyscan -H #{host}.
  • port (optional) - the server port that ssh-keyscan will use to gather the public key. Example: 2222. Default: 22.
  • timeout (optional) - limit the length of time ssh-keyscan will run for, in seconds. Example: 90. Default: 30.
  • mode (optional) - set the mode explicitly on the /etc/ssh/ssh_known_hosts file. Example: '0644'. Default: '0644'.
  • owner (optional) - set the owner explicitly on the /etc/ssh/ssh_known_hosts file. Example: 'root'. Default: 'root'.
  • group (optional) - set the group explicitly on the /etc/ssh/ssh_known_hosts file. Example: 'wheel'. Default: 'root'.

Examples

Add a single entry for github.com:

ssh_known_hosts_entry 'github.com'

This will append an entry to /etc/ssh/ssh_known_hosts like the one below. The key shown is whatever ssh-keyscan returned when this README was written; compare the fingerprint of any scanned key against the one the host's operator publishes before relying on it:

# github.com SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze1+github8
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

You can optionally specify your own key if you don't want to use ssh-keyscan. Without a key, the resource trusts whatever ssh-keyscan receives from the network at convergence time (trust on first use), so for hosts that publish their keys out of band it is safer to supply the key yourself:

ssh_known_hosts_entry 'github.com' do
  key 'node.example.com ssh-rsa ...'
end

Since the resource was converted to a delayed accumulator (4.1.0), /etc/ssh/ssh_known_hosts is written only once, at the very end of the chef-client run. To force the file to be updated earlier, for example because a later resource in the same run needs to connect to one of the hosts, use the :flush action (the resource name is ignored):

ssh_known_hosts_entry "doesn't matter" do
  action :flush
end

Call the flush action only after all of your entries have been declared. Calling it before any entry has been declared is not allowed; calling it between entries writes partial content to disk, after which chef-client reports at least two updated resources on every run as the file flaps between the partial and the complete content.
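The entry shown above is a plain-host line, but the resource's default ssh-keyscan -H invocation stores a hashed host token, and a non-22 port changes the host token too. The following Ruby script is an added example, not code from the ssh_known_hosts cookbook: it builds known_hosts lines in both forms (the "|1|salt|hmac" hashed token and the "[host]:port" token) and checks whether a line applies to a given host, so you can verify what the cookbook wrote against an out-of-band fingerprint. The sample key is constructed from random bytes and is not a real host key.

```ruby
# Added example, not part of the ssh_known_hosts cookbook: builds and matches
# /etc/ssh/ssh_known_hosts lines in the format the resource writes, i.e. the
# hashed "|1|salt|hmac" host token that `ssh-keyscan -H` emits and the
# "[host]:port" token used when the port is not 22. Pure Ruby, no network.
require 'openssl'
require 'securerandom'

# Constructed sample key (random bytes, NOT a real host key).
SAMPLE_KEY = "ssh-ed25519 #{[SecureRandom.random_bytes(32)].pack('m0')}".freeze

# OpenSSH writes "[host]:port" for non-default ports and a bare host for 22,
# which is also why the cookbook stopped writing ":22" in 4.1.1.
def host_token(host, port = 22)
  port.to_i == 22 ? host : "[#{host}]:#{port}"
end

# Hashed host token as written by ssh-keyscan -H / HashKnownHosts:
#   |1|base64(salt)|base64(HMAC-SHA1(key = salt, data = host token))
def hash_host(token, salt = SecureRandom.random_bytes(20))
  mac = OpenSSL::HMAC.digest('sha1', salt, token)
  "|1|#{[salt].pack('m0')}|#{[mac].pack('m0')}"
end

# One known_hosts line; hashed: true mirrors what the resource stores when it
# lets ssh-keyscan -H fetch the key.
def known_hosts_line(host, key, port: 22, hashed: false)
  token = host_token(host, port)
  "#{hashed ? hash_host(token) : token} #{key}"
end

# True if the line covers host:port. Comment lines and "@marker" lines are
# skipped; plain tokens may be a comma-separated list; hashed tokens are
# checked by recomputing the HMAC with the salt stored in the line.
def line_matches?(line, host, port = 22)
  token = line.split(' ', 3).first
  return false if token.nil? || token.start_with?('#') || token.start_with?('@')
  wanted = host_token(host, port)
  if token.start_with?('|1|')
    salt = token.split('|')[2].unpack1('m0')
    hash_host(wanted, salt) == token
  else
    token.split(',').include?(wanted)
  end
end

# Keys recorded for host:port, so a caller can compare them with an
# out-of-band fingerprint instead of trusting a fresh keyscan blindly.
def keys_for(lines, host, port = 22)
  lines.select { |l| line_matches?(l, host, port) }
       .map { |l| l.split(' ', 3)[1, 2].join(' ') }
end

if __FILE__ == $PROGRAM_NAME
  lines = [
    known_hosts_line('git.example.com', SAMPLE_KEY),
    known_hosts_line('git.example.com', SAMPLE_KEY, port: 2222, hashed: true),
  ]
  puts lines
  p keys_for(lines, 'git.example.com', 2222)
end
```

Matching a hashed line requires recomputing the HMAC with the stored salt, which is exactly why hashed entries hide which hosts a machine talks to from anyone who reads the file, and why a grep for a hostname will not find them.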

Recipes

Cacher

Use the cacher recipe on a single "worker" node somewhere in your cluster to maintain a data bag (server_data/known_hosts by default) containing the host keys of all of your nodes. The advantage of this approach is that reading one data bag item is much faster than running a search across all nodes, and it substantially lightens the load on locally hosted Chef servers. The drawback is that the data is slightly delayed, because the cacher worker must converge before other nodes see new or changed keys.

To use the cacher, include the ssh_known_hosts::cacher recipe in a wrapper cookbook or in the run list of a designated worker node, and set node['ssh_known_hosts']['use_data_bag_cache'] to true on the nodes that should read from the cache.

Default Recipe

Searches the Chef Server for all nodes that have SSH host keys of the types in node['ssh_known_hosts']['key_type'] (rsa,dsa by default) and generates /etc/ssh/ssh_known_hosts from them.

Adding custom host keys

There are two ways to add custom host keys. You can either use the resource (see above), or create a data bag called "ssh_known_hosts" and add an item for each host:

{
  "id": "github",
  "fqdn": "github.com",
  "rsa": "github-rsa-host-key"
}

There are additional optional values you may use in the data bag:

  • id - a unique id for this data bag item. Example: github
  • fqdn - the fqdn of the host. Example: github.com
  • rsa - the rsa host key of the server, as "ssh-rsa <base64>". Example: ssh-rsa AAAAB3...
  • ipaddress - the ip address of the node, used if fqdn is not supplied. Example: 1.1.1.1
  • hostname - local hostname of the server, used if it has no fqdn. Example: myserver.local
  • dsa - the dsa host key of the server, as "ssh-dss <base64>". Example: ssh-dss AAAAB3...
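Because every item in this data bag ends up in the global trust file of every node, it is worth checking items before they are rendered. The following Ruby script is an added example, not code from the cookbook: it turns a constructed set of "ssh_known_hosts" data bag items into known_hosts lines using the fallback documented above (fqdn, else ipaddress, else hostname) and rejects items whose key is not a well-formed "<type> <base64>" value. Accepting a bare base64 blob without its "ssh-rsa"/"ssh-dss" prefix is an assumption of this example, not documented cookbook behaviour.

```ruby
# Added example, not part of the ssh_known_hosts cookbook: renders items of an
# "ssh_known_hosts" data bag into known_hosts lines using the host fallback the
# README documents (fqdn, else ipaddress, else hostname) and validating each
# key before it is written, so a malformed item cannot corrupt the global file.
# Accepting a bare base64 blob without its "ssh-rsa"/"ssh-dss" prefix is an
# assumption of this example, not documented cookbook behaviour.
require 'json'

KEY_TYPES = { 'rsa' => 'ssh-rsa', 'dsa' => 'ssh-dss' }.freeze

# Constructed sample items (the key blobs are base64 of placeholder text).
SAMPLE_ITEMS_JSON = <<~JSON
  [
    {"id": "github", "fqdn": "github.com",
     "rsa": "ssh-rsa #{['constructed rsa blob'].pack('m0')}"},
    {"id": "db1", "ipaddress": "10.0.0.5", "hostname": "db1.local",
     "dsa": "#{['constructed dsa blob'].pack('m0')}"},
    {"id": "broken", "fqdn": "broken.example.com", "rsa": "github-rsa-host-key"},
    {"id": "nohost", "rsa": "ssh-rsa AAAA"}
  ]
JSON

# Normalise a key value to "<type> <base64>", or return nil if it is not a
# well-formed key of the expected type.
def normalize_key(kt, value)
  return nil unless value.is_a?(String)
  parts = value.strip.split(' ')
  parts.unshift(KEY_TYPES[kt]) if parts.length == 1 # bare blob (assumption)
  type, blob = parts
  return nil unless type == KEY_TYPES[kt] && blob
  blob.unpack1('m0') # strict base64; raises ArgumentError on junk
  "#{type} #{blob}"
rescue ArgumentError
  nil
end

# Address to write the entry for: fqdn, else ipaddress, else hostname.
def entry_host(item)
  %w[fqdn ipaddress hostname].map { |k| item[k] }
                             .find { |v| v.is_a?(String) && !v.strip.empty? }
end

# Returns [lines, problems]; each problem names the offending item id.
def render_data_bag(items)
  lines = []
  problems = []
  items.each do |item|
    id = item['id'] || '?'
    host = entry_host(item)
    if host.nil?
      problems << "#{id}: no fqdn, ipaddress or hostname"
      next
    end
    KEY_TYPES.each_key do |kt|
      next unless item.key?(kt)
      key = normalize_key(kt, item[kt])
      if key
        lines << "#{host.strip} #{key}"
      else
        problems << "#{id}: #{kt} is not a '#{KEY_TYPES[kt]} <base64>' key"
      end
    end
  end
  [lines, problems]
end

# Parse the constructed JSON the way a data bag item file would be read.
def render_sample
  render_data_bag(JSON.parse(SAMPLE_ITEMS_JSON))
end

if __FILE__ == $PROGRAM_NAME
  lines, problems = render_sample
  puts lines
  warn problems.join("\n") unless problems.empty?
end
```

Rejecting rather than silently writing a bad item matters here: a line with an unparseable key makes ssh skip that host's entry, which reintroduces the trust-on-first-use prompt this cookbook exists to avoid.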

Attributes

The following attributes are set on a per-platform basis, see the attributes/default.rb.

  • node['ssh_known_hosts']['file'] - Location of the ssh_known_hosts file for the system. Defaults to '/etc/ssh/ssh_known_hosts'.
  • node['ssh_known_hosts']['key_type'] - Comma-separated key types that ssh-keyscan will request (its -t option). Available types differ between systems; check the ssh-keyscan man page for your platform. Defaults to 'rsa,dsa'. Note that ssh-dss (dsa) is deprecated in current OpenSSH releases and may not be available to ssh-keyscan, while the cookbook has handled ecdsa and ed25519 keys since 2.1.0, so 'rsa,ecdsa,ed25519' is a better choice on modern hosts.
  • node['ssh_known_hosts']['use_data_bag_cache'] - Build /etc/ssh/ssh_known_hosts from the data bag maintained by the cacher recipe instead of a direct search (requires that one node runs the cacher recipe regularly).
  • node['ssh_known_hosts']['cacher']['data_bag'] / node['ssh_known_hosts']['cacher']['data_bag_item'] - Data bag and item where the cacher recipe stores the collected host keys. Defaults to server_data and known_hosts.

License & Authors

Author: Cookbook Engineering Team (cookbooks@chef.io)

Copyright: 2008-2018, Chef Software, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks (cookbooks that depend on ssh_known_hosts)

  • builder
  • config-driven-helper
  • deploy-context
  • deploy-user
  • eucalyptus
  • git_user
  • github_connector
  • github_users
  • gitolite-server
  • hadoop_for_hbase
  • jenkins_drupal
  • nodestack
  • prun-cfg
  • rdiff-backup
  • resin
  • stack-base

ssh_known_hosts CHANGELOG

This file is used to list changes made in each version of the ssh_known_hosts cookbook.

6.0.0 (2018-04-16)

  • add a :flush action to ssh_known_hosts_entry which immediately writes the file to disk. See the readme for an example of how to use this
  • Remove action_class.class_eval and just use action_class instead
  • Increase the required Chef release to 12.11 for some of the accumulator functionality we use now
  • Improve testing
  • Improve the docs for the resource

5.2.1 (2017-05-30)

  • Resolve foodcritic warnings

5.2.0 (2017-05-30)

  • Update apache2 license string
  • Add supports metadata
  • Remove class_eval usage and require Chef 12.7+

5.1.0 (2017-03-14)

  • add support for hashed entries when using keyscan
  • Test with Local Delivery instead of Rake
  • add a "deprecated" recipe for back-compat-ish behavior

5.0.0 (2017-02-23)

  • Require Chef 12.5+ and remove compat_resource dependency

4.1.1 (2017-01-06)

  • Do not write port number if it is 22

4.1.0 (2016-12-29)

  • Convert entry LWRP to a custom_resource with a delayed accumulator pattern
  • Resolve sort ordering issues
  • Fix for non-port-22 issues
  • Add helper correctly in the recipe DSL

4.0.0 (2016-09-07)

  • Require chef 12+
  • Testing updates
  • Remove chef 10 compatibility code

v3.1.0 (2016-07-18)

  • [#59] adds mode, owner, group attributes to the entry resource

v3.0.1 (2016-07-15)

  • [#58] Fix issues brought in with v3.0.0 with ssh-keyscan
  • [#58] Add timeout parameter to entry resource associated with ssh-keyscan
  • [#58] Cleaned up some extraneous old chef-solo code

v3.0.0 (2016-07-14)

  • [#55] Remove deprecated cookbook dependency on partial_search making cookbook Chef 12+ only

v2.1.0 (2016-07-13)

  • [#51] Add support for ECDSA and ED25519 keys (josacar)
  • [#42] Check for nil FQDN (realloc)

v2.0.0 (2014-12-02)

  • [#36] Fix the way keys are rendered
  • [#22] Update to README
  • [#32] Clean up logging
  • [#23] Do not hash public keys
  • [#34] Serverspec updates
  • [#28] Add data bag caching option
  • [#20] Add chefspec matchers
  • [#33] Add test to verify chefspec matcher

v1.3.2 (2014-04-23)

  • [COOK-4579] - Do not use ssh-keyscan stderr

v1.3.0 (2014-04-09)

  • [COOK-4489] Updated ssh-keyscan to include -t type

v1.2.0 (2014-02-18)

Bug

  • COOK-3453 - ssh_known_hosts cookbook ruby block executes on every chef run

v1.1.0

[COOK-3765] - support ssh-keyscan using an alternative port number

v1.0.2

Bug

  • COOK-3113 - Use empty string when result is nil

v1.0.0

This is a major release because it requires a server that supports the partial search feature.

  • Chef Software Hosted Chef
  • Chef Software Private Chef
  • Open Source Chef 11

Improvement

  • [COOK-830]: uses an inordinate amount of RAM when running exception handlers

v0.7.4

  • [COOK-2440] - ssh_known_hosts fails to use data bag entries, doesn't grab items

v0.7.2

  • [COOK-2364] - Wrong LWRP name used in recipe

v0.7.0

  • [COOK-2320] - Merge known_host LWRP into ssh_known_hosts

v0.6.0

  • [COOK-2268] - Allow to run with chef-solo

v0.5.0

  • [COOK-1077] - allow adding arbitrary host keys from a data bag

v0.4.0

  • COOK-493: include fqdn
  • COOK-721: corrected permissions

Quality metrics

Version 6.0.0 passed all of Supermarket's quality metrics:

  • Collaborator Number Metric
  • Contributing File Metric
  • Foodcritic Metric
  • License Metric
  • No Binaries Metric
  • Testing File Metric
  • Version Tag Metric