If you use a system integration framework like chef or puppet there are some really neat ways of configuring your known-hosts files during convergence. For example, the ssh_known_hosts cookbook from opscode will automatically populate the ssh_known_hosts file with the information for all nodes in a particular environment (https://github.com/cookbooks/ssh_known_hosts). Of course this is only relevant if you are using one of those tools ...
What I really want is decent PKI for ssh host keys so I can verify a key once, sign it, and have it respected by all other users/machines without further intervention.
I may try out MonkeySphere, anybody already use it?
Edit to add: MonkeySphere doesn't support options in authorized_keys, which is a bummer.
6 comments
[ 4.1 ms ] story [ 17.0 ms ] threadThat way, OpenSSH will automate fingerprint verification by looking it up in the DNS.
If you have DNSSEC set up and you run the following command:
You'll notice that it doesn't ask you to verify the fingerprint.I may try out MonkeySphere, anybody already use it?
Edit to add: MonkeySphere doesn't support options in authorized_keys, which is a bummer.