saltstack-formulas / openssh-formula

http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html

[BUG] Aliases in known_hosts not picked up #202

Closed pckroon closed 7 months ago

pckroon commented 2 years ago

Your setup

Formula commit hash / release tag

ba2f3c9fe323adc5047e15eefbfb997477534627 (current master)

Versions reports (master & minion)

Salt Version:
          Salt: 3003.3

Dependency Versions:
          cffi: Not Installed
      cherrypy: unknown
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: 4.0.5
     gitpython: 3.1.14
        Jinja2: 2.11.3
       libgit2: 1.1.0
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.0
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: Not Installed
      pycrypto: Not Installed
  pycryptodome: 3.9.7
        pygit2: 1.4.0
        Python: 3.9.2 (default, Feb 28 2021, 17:03:44)
  python-gnupg: Not Installed
        PyYAML: 5.3.1
         PyZMQ: 20.0.0
         smmap: 4.0.0
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.3.4

System Versions:
          dist: debian 11 bullseye
        locale: utf-8
       machine: x86_64
       release: 5.10.0-8-amd64
        system: Linux
       version: Debian GNU/Linux 11 bullseye

Pillar / config used

pillar.sls

openssh:
  client_version: latest
  known_hosts:
    aliases:
      - rohan.example.com
      - rohan

    hostnames: '*'
    include_localhost: true
    static:
      rohan2018.example.com:       'ssh-ed25519 <key>'

Bug details

Describe the bug

Both rohan.example.com and rohan are aliases for rohan2018.example.com (and rohan2018). However, in the known_hosts file generated only rohan2018.example.com, rohan2018, its IP, and rohan.example.com are listed. Notably, rohan is missing.

DNS is working in all directions:

Any help/advice is welcome :)

(It's also slightly tedious to have to list both rohan and rohan.example.com as aliases with hostnames: '*', but meh. That's a separate issue.)

EDIT with update: removing rohan.example.com doesn't cause rohan to get added. So the issue seems not to be having multiple aliases for a host, but rather not using the DNS SEARCH for aliases.

pckroon commented 2 years ago

The main issue is that salt.modules.dig.A (and AAAA, but I'm ignoring IPv6 for now) doesn't allow passing more options (such as domain). See https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.dig.html#salt.modules.dig.A.

I worked around it for now by creating the following module (in /srv/salt/_modules/) called dig_plus.py:

import logging

import six

# __salt__ is injected by the Salt loader once this file sits in
# /srv/salt/_modules/ and has been synced to the minion (saltutil.sync_modules).
log = logging.getLogger(__name__)


def A(host, nameserver=None, **dig_options):
    """Like dig.A, but forwards extra keyword arguments as dig +name=value
    options, e.g. A('rohan', domain='example.com') runs dig with +domain=example.com."""
    dig = ['dig', '+short', six.text_type(host), 'A']
    if nameserver is not None:
        dig.append('@{}'.format(nameserver))
    for name, value in dig_options.items():
        # Salt adds its own bookkeeping kwargs with a leading underscore; skip them.
        if not name.startswith('_'):
            # TODO: quote value?  (python_shell=False keeps each option a single
            # argv element, so no shell quoting is involved.)
            dig.append('+{}={}'.format(name, value))
    cmd = __salt__['cmd.run_all'](dig, python_shell=False)
    if cmd['retcode'] != 0:
        log.warning("dig returned exit code '%s'. Returning empty list as fallback",
                    cmd['retcode'])
        return []
    # Keep only output lines that are addresses (drops CNAME targets and blank lines).
    return [ip for ip in cmd['stdout'].split('\n') if __salt__['dig.check_ip'](ip)]

This is heavily based on the salt.modules.dig.A code. All I added is the dig_options. This way, you can do dig_plus.A('rohan', domain='example.com'). Using this in openssh-formula/openssh/files/default/ssh_known_hosts:

...
{%- for alias in aliases -%}
  {%- for ip in salt['dig_plus.A'](alias, domain=use_hostnames) + salt['dig.AAAA'](alias) -%}
    {%- do aliases_ips.setdefault(ip, []).append(alias) -%}
  {%- endfor -%}
{%- endfor -%}
...

pillar.sls

openssh:
  known_hosts:
    hostnames: 'example.com'
    ...

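
The alias grouping in the template fragment above, as an added offline example (this is not code from openssh-formula or from the issue author): it re-implements the `aliases_ips.setdefault(ip, []).append(alias)` loop in plain Python with a pluggable resolver, so you can see that without a search domain the bare alias `rohan` never resolves and is silently dropped, exactly as the report describes, while `domain='example.com'` attaches it. The DNS table and the key are constructed sample data, and the "fqdn, short name, aliases, IP" layout of the output line is an assumption taken from the reporter's description of the generated file, not from the formula's template.

```python
"""Added example: offline model of how ssh_known_hosts aliases are grouped by IP.

Not code from openssh-formula or the issue author.  FAKE_DNS and the key are
constructed sample data; the output line layout is assumed from the report.
"""

# Constructed stand-in for the zone: name -> A records.  'rohan.example.com'
# resolves to the same address as 'rohan2018.example.com' (a CNAME in reality).
FAKE_DNS = {
    "rohan2018.example.com": ["192.0.2.10"],
    "rohan.example.com": ["192.0.2.10"],
    "gondor.example.com": ["192.0.2.20"],
}


def resolve_a(name, domain=None, table=FAKE_DNS):
    """Offline stand-in for `dig +short <name> A [+domain=<domain>]`.

    Simplified search-list handling: the name is tried as given, and an
    unqualified name is then retried with the search domain appended.
    With no domain this behaves like salt's dig.A: 'rohan' stays unresolved.
    """
    if name in table:
        return list(table[name])
    if domain and "." not in name:
        return list(table.get("{}.{}".format(name, domain), []))
    return []


def aliases_by_ip(aliases, domain=None, resolver=resolve_a):
    """Python form of the template loop
    {%- do aliases_ips.setdefault(ip, []).append(alias) -%}.
    Returns {ip: [alias, ...]}; an alias that does not resolve is simply absent.
    """
    aliases_ips = {}
    for alias in aliases:
        for ip in resolver(alias, domain):
            aliases_ips.setdefault(ip, []).append(alias)
    return aliases_ips


def known_hosts_lines(static, aliases, domain=None, resolver=resolve_a):
    """Build one ssh_known_hosts line per static host (assumed layout):
    <fqdn>,<short name>,<aliases sharing an IP>...,<ips>... <key>
    """
    aliases_ips = aliases_by_ip(aliases, domain, resolver)
    lines = []
    for host, key in static.items():
        names = [host]
        short = host.split(".", 1)[0]
        if short != host:
            names.append(short)
        ips = resolver(host, domain)
        # An alias inherits a host's key only when it resolves to one of that
        # host's addresses; a short alias is only as trustworthy as the search
        # domain that completes it (the collision concern raised in the thread).
        for ip in ips:
            for alias in aliases_ips.get(ip, []):
                if alias not in names:
                    names.append(alias)
        lines.append("{} {}".format(",".join(names + ips), key))
    return lines


# Constructed pillar data mirroring the report (the key is a placeholder).
STATIC = {"rohan2018.example.com": "ssh-ed25519 AAAAC3-constructed-key"}
ALIASES = ["rohan.example.com", "rohan"]

if __name__ == "__main__":
    print("no search domain:  ", known_hosts_lines(STATIC, ALIASES)[0])
    print("domain=example.com:", known_hosts_lines(STATIC, ALIASES, "example.com")[0])
```

Running it prints the two lines side by side: the first lacks `rohan` (the reported bug), the second contains it. Swapping `resolve_a` for a wrapper around the `dig_plus.A` module above would exercise the same grouping against real DNS.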
alxwr commented 7 months ago

Thanks for taking the time to post this issue!

This config works at least on my machines:

/etc/ssh/ssh_known_hosts:

host.domain.tld,1.2.3.4 ssh-ed25519 AAAAC...

/etc/resolv.conf:

search domain.tld

ssh root@host just works without any known hosts issue.

The proposed change does not solve a problem. (Just my point of view. Maybe I'm missing something.) Additionally we'd introduce a higher chance of collision caused by identical host names in different domains.

Adding something like dig_plus would essentially mean writing a patch for Salt itself. This is out of scope for this formula.

I'll therefore close this issue. Feel free to re-open it in case you think I missed something important. :-)