On 2012-08-31 15:38, Sandra Schlichting wrote:
    Err, no. In a well-maintained environment, it should never be necessary
    to manually approve a host key.


I would prefer that too.

    Usually you should always distribute all host keys to all clients with
    one of the common @@ssh_key Export/Collect patterns. That is totally
    unrelated to authentication though.


Can it be done without introducing a database?

I would really like not to introduce a database to my puppet master.

As John said, some kind of store'll be unavoidable. If you're concerned about performance, puppetdb seems the way to go. I've had awesome results compared to classic storeconfig.

If you're generally ill-disposed re RDBMS on your puppetmaster, you'll probably do best by generating all keys on the master and pushing the processed files from there to the nodes. For one site, I've whipped up that solution in a few hours, complete with puppet integration: a puppet/ruby function checks whether the key is already available or needs to be created, another function creates the known_hosts.

The downside of the second method is that you collect all your private keys on the puppet master. Not that that would make any difference in case of a break-in on your puppetmaster...


Best Regards, David
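The second approach described in David's reply (host keys generated on the master, a known_hosts file assembled from the collected public keys), written out as an added Ruby example that is not code from the thread or from any Puppet module. It assumes a key store directory on the master with one subdirectory per node FQDN, RSA host keys, and that the resulting files are shipped to the nodes by ordinary Puppet file resources (not shown). The OpenSSH public-key line is built by hand from the RSA parameters using the RFC 4251 string/mpint wire encoding, so no ssh-keygen binary is needed.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Added example (assumed layout): KEYDIR/<fqdn>/ssh_host_rsa_key{,.pub}
module HostKeyStore
  # RFC 4251 "string": uint32 big-endian length followed by the bytes.
  def self.ssh_string(bytes)
    [bytes.bytesize].pack('N') + bytes
  end

  # RFC 4251 "mpint": big-endian two's complement, so a leading 0x00 is
  # prepended when the top bit is set to keep the value positive.
  def self.ssh_mpint(bn)
    bytes = bn.to_s(2)
    bytes = "\x00".b + bytes if bytes.getbyte(0) >= 0x80
    ssh_string(bytes)
  end

  # OpenSSH public-key line for an RSA key: "ssh-rsa <base64 blob> <comment>".
  # The blob is string("ssh-rsa") || mpint(e) || mpint(n).
  def self.openssh_pubkey(rsa, comment)
    blob = ssh_string('ssh-rsa'.b) + ssh_mpint(rsa.e) + ssh_mpint(rsa.n)
    "ssh-rsa #{[blob].pack('m0')} #{comment}"
  end

  # The "create only if missing" check from the post: returns the public-key
  # line for fqdn, generating the pair in the store on first call only, so
  # repeated runs are idempotent and a node never gets a new identity by accident.
  def self.ensure_host_key(keydir, fqdn, bits = 2048)
    dir  = File.join(keydir, fqdn)
    priv = File.join(dir, 'ssh_host_rsa_key')
    pub  = "#{priv}.pub"
    unless File.exist?(priv)
      FileUtils.mkdir_p(dir, mode: 0o700)
      rsa = OpenSSL::PKey::RSA.new(bits)
      # Traditional PEM is accepted by sshd's HostKey directive.
      File.open(priv, 'w', 0o600) { |f| f.write(rsa.to_pem) }
      File.open(pub, 'w', 0o644) { |f| f.puts(openssh_pubkey(rsa, fqdn)) }
    end
    File.read(pub).strip
  end

  # Builds the contents of ssh_known_hosts from every public key in the store.
  # aliases maps fqdn => [short name, IP, ...] so clients match on any of them.
  def self.known_hosts(keydir, aliases = {})
    lines = Dir.glob(File.join(keydir, '*', 'ssh_host_rsa_key.pub')).sort.map do |pub|
      fqdn = File.basename(File.dirname(pub))
      type, blob, = File.read(pub).split(' ', 3)
      names = [fqdn, *aliases.fetch(fqdn, [])].join(',')
      "#{names} #{type} #{blob}"
    end
    lines.empty? ? '' : lines.join("\n") + "\n"
  end
end

if $PROGRAM_NAME == __FILE__
  # Stand-alone demo against a throwaway store with two constructed node names.
  Dir.mktmpdir do |store|
    HostKeyStore.ensure_host_key(store, 'web1.example.com')
    HostKeyStore.ensure_host_key(store, 'db1.example.com')
    puts HostKeyStore.known_hosts(store, 'db1.example.com' => ['db1', '10.0.0.5'])
  end
end
```

The generated private keys never leave the store except when Puppet pushes each node its own; the known_hosts output contains public halves only, which is what every client should receive. As the reply notes, this still concentrates all private host keys on the master, so the store directory deserves the same protection as the master's own CA material.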
