Closed (chr4 closed this issue 9 years ago)
This is a real show-stopper that should be improved/fixed.
Any news on this, dear Opscode? This should be affecting tons of users.
For those of you having an issue, the only way I could figure out to stop this was to use a "not_if" guard with the resource.
```ruby
# Guard posted in the thread: only converge the resource when the key material
# (everything from "AAAA" on, i.e. without the per-run hashed host field) is
# not already present in the known_hosts file.
ssh_known_hosts_entry 'some.domain.com' do
  # "$a" is quoted; grep runs with -F (literal match, so '/' and '+' in the key
  # are not treated as regex) and -q (exit status only). If the scan returned
  # nothing, skip the grep: an empty pattern would otherwise match every line.
  not_if "a=$(ssh-keyscan -H -t rsa some.domain.com | grep -Po 'AAAA.*'); test -n \"$a\" && grep -qF \"$a\" #{node['ssh_known_hosts']['file']}"
end
```
As long as that DNS name is reachable it will scan for the key and then check the file for the key. This is what worked for me but may not work for you. I figured I would post it anyways.
Hashes are different on each ssh-keyscan run, therefore filling up /etc/ssh/ssh_known_hosts.
An alternative would be to only check for duplicate keys (not comments), but this would result in problems for hosts with multiple hostnames/IPs.
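The behaviour described in this thread (the key-only grep workaround above and the "hashes differ on every run" root cause) comes from how OpenSSH hashes host names: the field written by `ssh-keyscan -H` is `|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))` with a fresh random salt each time, so a whole-line comparison never matches while the key itself is unchanged. The following is an added example, not code from the thread or from the cookbook, showing a check that compares key type and key material and recomputes the HMAC to decide whether a hashed entry covers a given host name; that handles the "same key on several hostnames/IPs" case that a key-only comparison gets wrong. The key material and host names are constructed sample data; `node['ssh_known_hosts']['file']` is not read, the file content is passed in as a string.

```ruby
require 'openssl'
require 'securerandom'

# Constructed sample key material (not a real public key); the comparison logic
# never decodes it, it only needs two lines to carry the same key.
SAMPLE_KEY = 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedSampleKeyMaterial=='

# OpenSSH hashed host field (ssh-keyscan -H / HashKnownHosts yes):
#   |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))
# The salt is 20 fresh random bytes on every run, which is why two scans of the
# same host never yield the same line even though the key is identical.
def hash_hostname(hostname, salt = SecureRandom.random_bytes(20))
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), salt, hostname)
  "|1|#{[salt].pack('m0')}|#{[mac].pack('m0')}" # pack('m0') = strict base64
end

# A known_hosts line is "hostfield keytype base64key [comment]".
# (@cert-authority / @revoked marker lines are not handled in this example.)
def parse_known_host(line)
  host, type, key = line.strip.split(/\s+/, 4)
  return nil if key.nil?
  { host: host, type: type, key: key }
end

# Does this host field (hashed, or plain and possibly comma-separated) cover
# hostname? For hashed fields, recompute the HMAC with the stored salt.
def host_covered?(field, hostname)
  if field.start_with?('|1|')
    _, _, salt_b64, mac_b64 = field.split('|')
    salt = salt_b64.unpack1('m0')
    expected = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), salt, hostname)
    expected == mac_b64.unpack1('m0')
  else
    field.split(',').include?(hostname)
  end
end

# The naive check: is this exact line already present? Always false for hashed
# entries from a fresh scan, so the entry gets appended again on every run.
def line_present?(content, line)
  content.each_line.map(&:strip).include?(line.strip)
end

# The check that works: same key type, same key, and a host field that covers
# the hostname. Matching on the key alone would wrongly treat a second hostname
# that shares the key as already present.
def known_host_present?(content, hostname, type, key)
  content.each_line.any? do |line|
    next false if line.strip.empty? || line.start_with?('#')
    e = parse_known_host(line)
    e && e[:type] == type && e[:key] == key && host_covered?(e[:host], hostname)
  end
end

# Idempotent append: returns content unchanged when the entry is already covered.
def add_known_host(content, hostname, type, key)
  return content if known_host_present?(content, hostname, type, key)
  content + "#{hash_hostname(hostname)} #{type} #{key}\n"
end

if __FILE__ == $PROGRAM_NAME
  # Simulate two "ssh-keyscan -H" runs against the same host.
  run1 = "#{hash_hostname('some.domain.com')} ssh-rsa #{SAMPLE_KEY}"
  run2 = "#{hash_hostname('some.domain.com')} ssh-rsa #{SAMPLE_KEY}"
  file = run1 + "\n"
  puts "lines identical across runs?  #{run1 == run2}"
  puts "naive line check finds run2?  #{line_present?(file, run2)}"
  puts "key-aware check finds host?   #{known_host_present?(file, 'some.domain.com', 'ssh-rsa', SAMPLE_KEY)}"
  puts "same key, other hostname?     #{known_host_present?(file, 'other.domain.com', 'ssh-rsa', SAMPLE_KEY)}"
  3.times { file = add_known_host(file, 'some.domain.com', 'ssh-rsa', SAMPLE_KEY) }
  puts "lines after three converges:  #{file.lines.size}"
end
```

Run it as a plain script: the two scan lines differ, the exact-line check misses the second one, the key-aware check finds the host, the same key under a different host name is correctly reported as absent, and repeated `add_known_host` calls leave a single line in place.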