output public ssh host keys to console on boot (LP: #893400)

Currently cloud-init writes something like this to console output: ec2: ############################################################# ec2: -----BEGIN SSH HOST KEY FINGERPRINTS----- ec2: 2048 78:ae:f3:91:04:6f:8d:ee:ef:e1:2d:72:83:6a:d0:82 root@h (RSA) ec2: 1024 d3:b6:32:64:22:d4:43:05:f9:25:b4:f3:65:4e:e2:51 root@h (DSA) ec2: -----END SSH HOST KEY FINGERPRINTS----- ec2: ############################################################# the key fingerprints are useful for humans to read, but not so useful for machines, as you cannot populate a KnownHostsFile (~/.ssh/known_hosts) from the data there. This change adds output like: -----BEGIN SSH HOST KEY KEYS----- ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH......STI= root@h ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYRIQe6m......tWF3 root@h -----END SSH HOST KEY KEYS----- Those lines can easily be grabbed and appended to a known_hosts file.
2011-12-20 00:13:07 -05:00 · 2011-12-20 00:13:07 -05:00 · efda2350a9
parent 2f9ca924c1
commit efda2350a9
3 changed files with 30 additions and 2 deletions
--- a/cloudinit/CloudConfig/cc_keys_to_console.py
+++ b/cloudinit/CloudConfig/cc_keys_to_console.py
@ -16,15 +16,20 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from cloudinit.CloudConfig import per_instance
+import cloudinit.util as util
 import subprocess

 frequency = per_instance

 def handle(name,cfg,cloud,log,args):
-    write_ssh_prog='/usr/lib/cloud-init/write-ssh-key-fingerprints'
+    cmd = [ '/usr/lib/cloud-init/write-ssh-key-fingerprints' ]
+    fp_blacklist = util.get_cfg_option_list_or_str(cfg, "ssh_fp_console_blacklist", [])
+    key_blacklist = util.get_cfg_option_list_or_str(cfg, "ssh_key_console_blacklist", ["ssh-dss"])
    try:
        confp = open('/dev/console',"wb")
-        subprocess.call(write_ssh_prog,stdout=confp)
+        cmd.append(','.join(fp_blacklist))
+        cmd.append(','.join(key_blacklist))
+        subprocess.call(cmd, stdout=confp)
        confp.close()
    except:
        log.warn("writing keys to console value")
--- a/doc/examples/cloud-config.txt
+++ b/doc/examples/cloud-config.txt
@ -546,3 +546,10 @@ manual_cache_clean: False
 # ssh_genkeytypes: ['rsa', 'dsa', 'ecdsa']
 #    a list of the ssh key types that should be generated
 #    These are passed to 'ssh-keygen -t'
+
+## configuration of ssh keys output to console
+# ssh_fp_console_blacklist: []
+# ssh_key_console_blacklist: [ssh-dss]
+#   A list of key types (first token of a /etc/ssh/ssh_key_*.pub file)
+#   that should be skipped when outputting key fingerprints and keys
+#   to the console respectively.
--- a/tools/write-ssh-key-fingerprints
+++ b/tools/write-ssh-key-fingerprints
@ -1,12 +1,28 @@
 #!/bin/sh
+fp_blist=",${1},"
+key_blist=",${2},"
 {
 echo
 echo "#############################################################"
 echo "-----BEGIN SSH HOST KEY FINGERPRINTS-----"
 for f in /etc/ssh/ssh_host_*key.pub; do
    [ -f "$f" ] || continue
+    read ktype line < "$f"
+    # skip the key if its type is in the blacklist
+    [ "${fp_blist#*,$ktype,}" = "${fp_blist}" ] || continue
    ssh-keygen -l -f "$f"
 done
 echo "-----END SSH HOST KEY FINGERPRINTS-----"
 echo "#############################################################"
+
 } | logger -p user.info -s -t "ec2"
+
+echo -----BEGIN SSH HOST KEY KEYS-----
+for f in /etc/ssh/ssh_host_*key.pub; do
+    [ -f "$f" ] || continue
+    read ktype line < "$f"
+    # skip the key if its type is in the blacklist
+    [ "${key_blist#*,$ktype,}" = "${key_blist}" ] || continue
+    cat $f
+done
+echo -----END SSH HOST KEY KEYS-----