Here's the solution I eventually came up with: Using the public keys maintained by Cfengine in /var/cfengine/dist/, I'm generating a list of all hosts as such:

    # Take the IP from each key file name (the part after the dash),
    # resolve it, and keep only the short hostname.
    for ip in `ls /var/cfengine/ppkeys/*.pub | grep '10\.' | cut -d- -f 2 | \
               awk -F. '{ OFS="."; print $1,$2,$3,$4 }'`; do
        host ${ip} | awk '{print $NF}' | cut -d. -f 1 >> \
            /var/cfengine/master/all_hosts.new
    done

(Note that I'm hardly an awk-fu master, so this is probably very kludgy. It also works, which is what I'm after.)

After that, I run the following command to collect keys:

    /usr/bin/ssh-keyscan -t rsa -f /var/cfengine/masterfiles/all_hosts \
        2>/dev/null > /var/cfengine/masterfiles/ssh_known_keys

I can then distribute the ssh_known_keys file automatically. I've added those two bits to a script that runs nightly. Since I've got TrustKeysFrom turned on in Cfengine, making a machine a Cfengine client automatically adds its key to ppkeys/, and thence to my host list. I can also redistribute this host list to other machines that might need it.

Thanks for everyone's help!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Wed, 10 May 2006, Jason Martin wrote:

>On Wed, May 10, 2006 at 04:32:47PM -0500, Brendan Strejcek wrote:
>> > Possible alternatives would be for the cfagent script to contain some
>> > other method of distribution. A web server on the central server and
>> > having the cfagents do 'HTTP PUT' would likely work, for instance. scp
>> > with restricted shell perhaps.
>> I like ssh command key services.
>I'd suggest a script that does a HTTP POST to a CGI that puts
>the key in the proper place, or if the data is sensitive then do
>it over https or ssh w/forced commands. The CGI would then be
>responsible for publishing the key to the appropriate place for
>cfe to pick it up. The trick with ssh w/forced commands is
>distributing the ssh key to allow the user to log in.
>
>-Jason Martin
>
>--
>Useless Invention: Waterproof sponge.
>This message is PGP/MIME signed.
>

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
http://cfengine.org/mailman/listinfo/help-cfengine
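An added example, not the poster's script nor anything from the thread, of the check worth running between the nightly ssh-keyscan and the distribution step: parse the known_hosts-format output, fingerprint each key the way OpenSSH does, and diff it against the file already pushed out, so a host key that changed since last night is held for out-of-band verification rather than distributed to every client. Host names and key blobs below are constructed.

```python
import base64
import hashlib

def fingerprint(b64key: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(b64key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> fingerprint; skips blanks and '#' lines and
    expands comma-separated host lists such as 'db1,10.0.0.5'."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed known_hosts line: {line!r}")
        for host in fields[0].split(","):
            keys[(host, fields[1])] = fingerprint(fields[2])
    return keys

def compare_scans(old_text: str, new_text: str) -> dict:
    """Diff tonight's scan against the file already distributed. A 'changed'
    entry means a rebuild, a rotation, or an interposed host; hold the
    distribution until the new key has been checked out of band."""
    old, new = parse_known_hosts(old_text), parse_known_hosts(new_text)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in new if k in old and old[k] != new[k]),
    }

def sample_line(host: str, seed: str, keytype: str = "ssh-rsa") -> str:
    """Constructed known_hosts line; the blob is arbitrary bytes, not a real key."""
    return f"{host} {keytype} {base64.b64encode(seed.encode()).decode()}"

# Constructed stand-ins for last night's file and tonight's ssh-keyscan output.
OLD_SCAN = "\n".join([sample_line("web1", "key-web1"),
                      sample_line("db1", "key-db1-v1"), sample_line("old1", "key-old1")])
NEW_SCAN = "\n".join(["# db1:22 SSH-2.0-OpenSSH", sample_line("web1", "key-web1"),
                      sample_line("db1,10.0.0.5", "key-db1-v2"), sample_line("new1", "key-new1")])

if __name__ == "__main__":
    report = compare_scans(OLD_SCAN, NEW_SCAN)
    for kind, entries in report.items():
        print(kind, [f"{h} ({t})" for h, t in entries])
    if report["changed"]:
        raise SystemExit("host key changed; verify before distributing ssh_known_keys")
```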