From 3d63a87384af6db50055a5b70535936d83733312 Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Wed, 7 Feb 2024 12:23:28 -0500
Subject: [PATCH] kandra: Puppet github.com keys to both root and zulip users.

We update to add the ecdsa-sha2-nistp256 key as well.
---
 puppet/kandra/files/github.keys | 3 +++
 puppet/kandra/manifests/profile/base.pp | 2 ++
 puppet/kandra/manifests/user_dotfiles.pp | 17 +++++++++++++----
 tools/setup/bootstrap-aws-installer | 6 ++----
 4 files changed, 20 insertions(+), 8 deletions(-)
 create mode 100644 puppet/kandra/files/github.keys

diff --git a/puppet/kandra/files/github.keys b/puppet/kandra/files/github.keys
new file mode 100644
index 0000000000..f4c560e0e7
--- /dev/null
+++ b/puppet/kandra/files/github.keys
@@ -0,0 +1,3 @@
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
diff --git a/puppet/kandra/manifests/profile/base.pp b/puppet/kandra/manifests/profile/base.pp
index 9705107cf3..40334c49ea 100644
--- a/puppet/kandra/manifests/profile/base.pp
+++ b/puppet/kandra/manifests/profile/base.pp
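Review bot: The new github.keys file records nothing about where these three host keys came from or how they were checked, so a later reader cannot distinguish a legitimate key rotation from a tampered line without leaving the repository. The known_hosts format ignores lines beginning with `#`, and this file is appended verbatim to each user's known_hosts, so a leading comment such as `# GitHub host keys; verify with ssh-keygen -lf against https://docs.github.com/en/github/authenticating-to-github/githubs-ssh-key-fingerprints` costs nothing at runtime. The bootstrap script touched in this same commit already cites that page for the heredoc it removes, so the pointer simply moves to where the keys now live.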
@@ -63,11 +63,13 @@ class kandra::profile::base {
 home => '/root',
 keys => 'internal-read-only-deploy-key',
 authorized_keys => 'common',
+ known_hosts => ['github.com'],
 }
 kandra::user_dotfiles { 'zulip':
 keys => 'internal-read-only-deploy-key',
 authorized_keys => 'common',
+ known_hosts => ['github.com'],
 }
 service { 'ssh':
diff --git a/puppet/kandra/manifests/user_dotfiles.pp b/puppet/kandra/manifests/user_dotfiles.pp
index 0f943e5a2d..064af19301 100644
--- a/puppet/kandra/manifests/user_dotfiles.pp
+++ b/puppet/kandra/manifests/user_dotfiles.pp
@@ -64,10 +64,19 @@ define kandra::user_dotfiles (
 require => File["${homedir}/.ssh"],
 }
 $known_hosts.each |String $hostname| {
- exec { "${user} ssh known_hosts ${hostname}":
- command => "ssh-keyscan ${hostname} >> ${homedir}/.ssh/known_hosts",
- unless => "grep ${hostname} ${homedir}/.ssh/known_hosts",
- require => File["${homedir}/.ssh/known_hosts"],
+ if $hostname == 'github.com' {
+ $github_keys = file('kandra/github.keys')
+ exec { "${user} ssh known_hosts ${hostname}":
+ command => "echo '${github_keys}' >> ${homedir}/.ssh/known_hosts",
+ unless => "grep ${hostname} ${homedir}/.ssh/known_hosts",
+ require => File["${homedir}/.ssh/known_hosts"],
+ }
+ } else {
+ exec { "${user} ssh known_hosts ${hostname}":
+ command => "ssh-keyscan ${hostname} >> ${homedir}/.ssh/known_hosts",
+ unless => "grep ${hostname} ${homedir}/.ssh/known_hosts",
+ require => File["${homedir}/.ssh/known_hosts"],
+ }
 }
 }
 }
diff --git a/tools/setup/bootstrap-aws-installer b/tools/setup/bootstrap-aws-installer
index 2f659af33a..3154817b81 100644
--- a/tools/setup/bootstrap-aws-installer
+++ b/tools/setup/bootstrap-aws-installer
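Review bot: The `unless => "grep ${hostname} ${homedir}/.ssh/known_hosts"` guard on the new github.com branch in user_dotfiles.pp is satisfied by any pre-existing github.com line, so a host that already holds the ed25519/rsa entries from the old ssh-keyscan path (or from the bootstrap heredoc this commit removes) never receives the ecdsa-sha2-nistp256 key the commit sets out to add; the unescaped `.` in that grep is also a regex wildcard rather than a literal dot. Appending the whole file as one blob and checking only for the hostname cannot be made idempotent per key, so split `file('kandra/github.keys')` into lines and give each key its own exec whose `unless` greps for that exact line with `grep -qF`, as sketched below with the ssh-keyscan branch left unchanged. Whatever exec defaults make the `>>` redirection work here (a shell provider or `path`) are presumably declared earlier in this define, outside the hunk, and apply to the new resources equally. The ssh-keyscan branch still records whatever key the remote presents on first contact, which is the trust-on-first-use exposure this commit closes for github.com only; that is worth a one-line comment so nobody later "simplifies" github.com back onto it.
```puppet
    if $hostname == 'github.com' {
      # One exec per pinned key, so a host that already carries an older
      # github.com entry still picks up keys added later (e.g. ecdsa).
      $github_key_lines = file('kandra/github.keys').split("\n").filter |String $line| { $line != '' }
      $github_key_lines.each |String $key_line| {
        $key_type = $key_line.split(' ')[1]
        exec { "${user} ssh known_hosts ${hostname} ${key_type}":
          command => "echo '${key_line}' >> ${homedir}/.ssh/known_hosts",
          unless  => "grep -qF '${key_line}' ${homedir}/.ssh/known_hosts",
          require => File["${homedir}/.ssh/known_hosts"],
        }
      }
    } else {
      # … unchanged: ssh-keyscan branch (trust-on-first-use) …
    }
```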
@@ -63,10 +63,8 @@ INSTALL_SSH_KEYS="inline!puppet/kandra/files/install-ssh-keys" # Provide GitHub known_hosts setup; you can verify against fingerprints at # https://docs.github.com/en/github/authenticating-to-github/githubs-ssh-key-fingerprints # via `ssh-keygen -lf` -cat >/root/.ssh/known_hosts <>/root/.ssh/known_hosts cd /root git clone "$REPO_URL" zulip -b "$BRANCH"