This is a question that may be easier answered on askubuntu or, perhaps, serverfault, but it arises in the context of automated provisioning, so I figured that it's more appropriate here.

I am spinning up a multi-machine environment in vagrant, e.g. n+1 ubuntu-18.04 boxes, namely

  • term (short for terminal)
  • node1
  • ...
  • nodeN

They can all resolve each other by the above hostnames. It's necessary that term can SSH into each of the nodes using its public key.

Manually I can do this with the following script:

#!/bin/bash

head='node'

# Generate the key pair for the term user (no passphrase, default path)
ssh-keygen -N '' -f ~/.ssh/id_rsa

# Copy the public key to node1..node$1; each hop prompts for the host
# fingerprint and for the password
for ((i=1; i<=$1; i++)); do
  name="${head}${i}"
  ssh-copy-id "$name"
done

running, e.g., ./copyid.sh 3. But then I have to type yes (to confirm the fingerprint of the node) and vagrant (the password) three times.

I want to move this procedure to the provisioning of the VMs in the Vagrantfile. So I have two questions:

  • How can this be automated without demanding manual input from myself?
  • When I transfer over from virtual machines to bare metal servers, what best practices should I follow to prevent infosec guys from screaming "man in the middle" at me?
LLlAMnYP
    This probably could help you: https://unix.stackexchange.com/questions/126908/get-ssh-server-key-fingerprint (running a keyscan on each host to add to your term's known_hosts before doing the ssh-copy-id) – Tensibai Nov 09 '18 at 14:53

1 Answer


You have to execute ssh-keyscan. For example, to SSH to a host (github.com here) you have to run the script below:

# Add ssh key to help cloning private github repo

mkdir -p ~/.ssh && chmod 700 ~/.ssh
ssh-keygen -t rsa -N "" -f secrets/ssh/github_rsa
PUB_KEY=$(cat secrets/ssh/github_rsa.pub)
PRV_KEY=$(cat secrets/ssh/github_rsa)

# Install the private key for this user and load it into an agent
# (overwrite, not append: a key file must hold exactly one key)
echo "${PRV_KEY}" > ~/.ssh/github_rsa
chmod 600 ~/.ssh/github_rsa
eval "$(ssh-agent)"
ssh-add ~/.ssh/github_rsa

# Record the host key up front so the first connection does not prompt
ssh-keyscan github.com >> ~/.ssh/known_hosts
echo "IdentityFile ~/.ssh/github_rsa" >> ~/.ssh/config

echo "Paste the following public key to your host machine: ${PUB_KEY}"
SkyRar
  • Thanks, this works. A question, though. What (or rather, why) is being done in lines eval... thru echo IdentityFile... when it would seem that ssh-keyscan github.com >> ~/.ssh/known_hosts is sufficient? – LLlAMnYP Nov 11 '18 at 06:10
  • The default ssh keys are stored in id_rsa and id_rsa.pub. Note the name 'id_rsa'. If you want to store those keys under a name other than the default, then you have to tell it to your ssh_agent. Though ssh-keyscan works in your case, I just gave a complete example in case you want to do the same from a CI server where you have to manually start the ssh agent etc. However, if that works, don't forget to mark it as an answer. :) – SkyRar Nov 11 '18 at 07:43
  • Well, since no one else chimed in, I guess I can accept this one. Thanks again! – LLlAMnYP Nov 11 '18 at 17:32
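The ssh-keyscan approach in the answer trusts whatever key the network returns on first contact, which is exactly the man-in-the-middle gap the second question asks about. As an added example (not code from the question, the answer, or Vagrant itself), the script below distributes host keys out of band: each node publishes its own host public key into the Vagrant synced folder, and term builds its known_hosts from those files. It assumes the synced folder is mounted at /vagrant on every box and that nodes are named node1..nodeN as in the question.

```shell
#!/usr/bin/env bash
# Added example, not from the question or the answer above. Instead of learning host keys
# from the network with ssh-keyscan, each node publishes its own host public key into the
# Vagrant synced folder and term builds known_hosts from those files, so the first SSH
# connection never depends on an unverified key. Assumed: the synced folder is mounted at
# /vagrant on every box and the nodes are named node1..nodeN as in the question.
set -euo pipefail

# Runs on each node (e.g. from a shell provisioner): copy the host public key to the
# shared folder under the node's own name. Arguments: source key, target dir, name.
publish_host_key() {
  local src="${1:-/etc/ssh/ssh_host_ed25519_key.pub}"
  local dir="${2:-/vagrant/hostkeys}"
  local name="${3:-$(hostname -s)}"
  mkdir -p "$dir"
  cp "$src" "$dir/$name.pub"
}

# Runs on term after all nodes are up: turn <host>.pub files into known_hosts lines.
# A file is accepted only if it holds exactly one key of an allowed type; anything
# else aborts instead of being trusted. Prints the number of hosts written.
build_known_hosts() {
  local dir="$1" out="$2" f host type key rest count=0
  mkdir -p "$(dirname "$out")"
  : > "$out"
  for f in "$dir"/*.pub; do
    [ -e "$f" ] || { echo "no host keys found in $dir" >&2; return 1; }
    host="$(basename "$f" .pub)"
    [ "$(wc -l < "$f")" -le 1 ] || { echo "reject $f: more than one key" >&2; return 1; }
    read -r type key rest < "$f" || true   # '|| true' tolerates a missing final newline
    case "$type" in
      ssh-ed25519|ecdsa-sha2-nistp256|ssh-rsa) ;;
      *) echo "reject $f: unexpected key type '$type'" >&2; return 1 ;;
    esac
    [ -n "$key" ] || { echo "reject $f: missing key material" >&2; return 1; }
    # Drop the comment field: known_hosts needs only host, type and key.
    printf '%s %s %s\n' "$host" "$type" "$key" >> "$out"
    count=$((count + 1))
  done
  chmod 600 "$out"
  echo "$count"
}
```

In the Vagrantfile this maps to two shell provisioners: every node calls publish_host_key, and term, provisioned last, calls build_known_hosts /vagrant/hostkeys ~/.ssh/known_hosts before running ssh-copy-id. The password prompt remains unless term's own public key is handed to the nodes through the same shared folder.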