user3540835

Reputation: 453

Using ssh key scan in a chef recipe

I want to create a known_hosts file in my chef recipe. I am trying to use something like this:

file "/home/xxx/.ssh/known_hosts" do
  owner "xxx"
  group "xxx"
  content lazy { `ssh-keyscan localhost #{node[:hostname]}` }
end

Please let me know if this is the right way to create the known_hosts file, or whether there is a better way to achieve the same.

Upvotes: 0

Views: 311

Answers (3)

coderanger

Reputation: 54211

A few things to add to Tejay's correct response (that you should probably use the existing ssh cookbook).

If you are only looking for the key on localhost, ohai already loads it for you in node['keys']['ssh']. Because of this you can also use Chef's search() to gather host keys from other nodes.

I would avoid using backticks for running commands like that; it doesn't have great handling for things like errors, complex encoding changes, and all kinds of other things. Chef provides a helper in the form of shell_out! that you can use via

content lazy { shell_out!('some command here').stdout }

Upvotes: 0

Tejay Cardon

Reputation: 4223

Take a look at the ssh cookbook on supermarket. It has a provider for the known_hosts file, which can use keyscan for you, and also allows you to add new entries without killing existing entries (as your approach would do). It's also well tested and has been used by many people for several years.

Upvotes: 2
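The merge Tejay describes (new entries added without clobbering existing ones), combined with the shell_out! capture coderanger recommends, as an added plain-Ruby example. This is not code from the question, from either answer, or from the ssh cookbook; the Chef resource wiring in the trailing comment is an assumption and is not executed here. One design choice worth noting: when the scan returns a different key for a host and key type that is already in the file, the existing entry is kept and the line is reported as a conflict rather than overwritten, since a changed host key is precisely what known_hosts exists to flag.

```ruby
# Added example (not from the question, the answers, or the ssh cookbook):
# merge ssh-keyscan output into an existing known_hosts file.
# Plain Ruby with no Chef dependency so it runs stand-alone; the Chef
# `file` resource wiring is sketched in a comment at the bottom.

# Parse one known_hosts / ssh-keyscan line. Returns nil for blank lines,
# comments (ssh-keyscan prints "# host:22 SSH-2.0-..." banners) and
# malformed lines. Handles an optional leading "@cert-authority" /
# "@revoked" marker.
def parse_known_hosts_line(line)
  line = line.strip
  return nil if line.empty? || line.start_with?('#')
  fields = line.split(/\s+/)
  marker = fields.first.start_with?('@') ? fields.shift : nil
  return nil if fields.length < 3
  { marker: marker, hosts: fields[0], type: fields[1], key: fields[2] }
end

# Merge scanned entries into existing content.
#   - existing lines (including comments) are kept verbatim and in order
#   - a (hosts, keytype) pair not yet present is appended
#   - a pair already present with a *different* key is NOT overwritten;
#     it is returned in :conflicts so the recipe can fail or alert, because
#     a silently changed host key is the condition known_hosts exists to catch
# Limitation: hashed hostnames (|1|salt|hash) are compared literally, so the
# same host hashed with a different salt is not recognised as a duplicate.
def merge_known_hosts(existing_text, scanned_text)
  existing_lines = existing_text.lines.map(&:chomp)
  index = {}
  existing_lines.each do |l|
    e = parse_known_hosts_line(l)
    index[[e[:hosts], e[:type]]] = e[:key] if e
  end

  added = []
  conflicts = []
  scanned_text.each_line do |raw|
    e = parse_known_hosts_line(raw)
    next unless e
    id = [e[:hosts], e[:type]]
    if !index.key?(id)
      index[id] = e[:key]
      added << raw.strip
    elsif index[id] != e[:key]
      conflicts << raw.strip
    end
  end

  content = (existing_lines + added).join("\n")
  content += "\n" unless content.empty?
  { content: content, added: added, conflicts: conflicts }
end

# Constructed sample data (not real keys): an existing file with one entry
# and a keyscan that returns the same ed25519 key plus a new RSA key.
SAMPLE_EXISTING = "# managed by chef\nlocalhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnly\n"
SAMPLE_SCAN = <<~SCAN
  # localhost:22 SSH-2.0-OpenSSH_9.6
  localhost ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnly
  localhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleOnly
SCAN

if __FILE__ == $PROGRAM_NAME
  result = merge_known_hosts(SAMPLE_EXISTING, SAMPLE_SCAN)
  puts result[:content]
  warn "host key changed for: #{result[:conflicts].join(', ')}" unless result[:conflicts].empty?
end

# Chef wiring (assumed, not executed here). shell_out! is the helper
# coderanger's answer recommends; the -t key-type list and the path are
# assumptions.
#
# known_hosts = "/home/xxx/.ssh/known_hosts"
# file known_hosts do
#   owner "xxx"
#   group "xxx"
#   mode "0644"
#   content lazy {
#     scan = shell_out!("ssh-keyscan", "-t", "ed25519,rsa", "localhost", node["hostname"]).stdout
#     existing = ::File.exist?(known_hosts) ? ::File.read(known_hosts) : ""
#     merged = merge_known_hosts(existing, scan)
#     raise "host key changed: #{merged[:conflicts].inspect}" unless merged[:conflicts].empty?
#     merged[:content]
#   }
# end
```

Running the merge a second time over its own output adds nothing, so the resource converges instead of rewriting the file on every run. Raising on a conflict in the recipe is deliberate: a key that differs from the one already trusted should stop the run and be looked at, not be replaced by whatever the scan returned.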

abc123

Reputation: 18763

There are really only two solutions:

Yours, which seems to be a good solution; perhaps make a provider cookbook for it to clean it up.

Secondly, you can just add the following option to any ssh call you make:

ssh -o StrictHostKeyChecking=no

I'm not completely convinced one is "better" than the other. Just two different approaches to solve the same issue.

Upvotes: 0
