SSH Host Key Management
== Propagating 'known_hosts' ==

Whenever a new system is added to the environment, its hostname and all its IP addresses must be added to the master '''hosts''' file. Each system should (either automatically or on demand) retrieve the '''hosts''' and '''known_hosts''' files using commands such as:

<pre>curl -s http://config/config/ssh/known_hosts -o $HOME/.ssh/known_hosts
sudo curl -s http://config/config/ssh/known_hosts -o /root/.ssh/known_hosts
sudo curl -s http://config/config/hosts -o /etc/hosts</pre>

When a system is rebuilt with new keys, that system will have problems until the new host keys propagate: every other system will see that it presents a different host key and SSH will refuse the connection. Until the update job runs, individual '''known_hosts''' files can be edited by hand, but the automated process will overwrite those changes the next time it runs.

The script below ('''host_check''') compares the '''known_hosts''' file used by the root account with the one on the config server using '''sha1sum''', so that the files are not needlessly rewritten with an identical copy. If a change is detected, both the '''known_hosts''' and '''hosts''' files are downloaded and installed. Copy this script into the '''cron.hourly''' directory so that updates are picked up reasonably soon after a change is made.

<pre>#!/bin/zsh -f
#
# check to see if we need to download new hosts and known_hosts files
# (run from cron.hourly; compares the sha1 published by the config server
# with the sha1 of root's current known_hosts)
REMOTE=$(curl -s http://config/config/ssh/known_hosts.sum | cut -f 1 -d ' ')
LOCAL=$(sha1sum /root/.ssh/known_hosts | cut -f 1 -d ' ')
# an empty REMOTE means the config server could not be reached; do nothing
# rather than replacing the local files with the output of failed downloads
[[ -z "$REMOTE" ]] && exit 0
if [[ "$REMOTE" != "$LOCAL" ]] ; then
    curl -s http://config/config/ssh/known_hosts -o /home/ewilliam/.ssh/known_hosts
    curl -s http://config/config/ssh/known_hosts -o /root/.ssh/known_hosts
    curl -s http://config/config/hosts -o /etc/hosts
fi</pre>
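The '''host_check''' script installs whatever '''curl''' hands back, so a truncated or failed download would replace a working '''known_hosts'''. As an added example (not part of this page's script), the POSIX shell function below checks a downloaded file against the published sha1 sum before installing it, and skips the install when the current file already matches; the file names, directory and sample host line are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: install a fetched known_hosts only after verifying it
# against the sha1 sum published beside it. All paths are constructed.

# sum_of FILE -> prints the sha1 hex digest of FILE
sum_of() {
    sha1sum "$1" | cut -f 1 -d ' '
}

# install_if_verified NEW DEST EXPECTED_SUM
#   Installs NEW over DEST only when NEW's sha1 equals EXPECTED_SUM and
#   DEST does not already have that sum.
#   Returns 0 installed, 1 already up to date, 2 verification failed.
install_if_verified() {
    new=$1; dest=$2; expected=$3
    [ -n "$expected" ] || return 2            # empty sum: fetching .sum failed
    actual=$(sum_of "$new")
    [ "$actual" = "$expected" ] || return 2   # partial or corrupt download
    if [ -f "$dest" ] && [ "$(sum_of "$dest")" = "$expected" ]; then
        return 1
    fi
    # copy beside the destination, then rename, so a reader of known_hosts
    # never sees a half-written file
    cp "$new" "$dest.tmp" && mv "$dest.tmp" "$dest"
}

# demo: runs the three cases on constructed data and prints their return codes
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'web01,10.0.0.5 ssh-ed25519 AAAAC3Nz...constructed' > "$d/known_hosts.new"
    good=$(sum_of "$d/known_hosts.new")
    first=0;  install_if_verified "$d/known_hosts.new" "$d/known_hosts" "$good"     || first=$?
    second=0; install_if_verified "$d/known_hosts.new" "$d/known_hosts" "$good"     || second=$?
    third=0;  install_if_verified "$d/known_hosts.new" "$d/known_hosts" "deadbeef"  || third=$?
    rm -rf "$d"
    echo "$first $second $third"    # prints "0 1 2"
}
```

In the cron job, '''REMOTE''' would be passed as the expected sum and the file fetched to a temporary path before calling '''install_if_verified''' on each destination.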