On 2012-08-31 15:38, Sandra Schlichting wrote:
>> Err, no. In a well-maintained environment, it should never be necessary
>> to manually approve a host key.
>
> I would prefer that too.
>
>> Usually you should always distribute all host keys to all clients with
>> one of the common @@ssh_key Export/Collect patterns. That is totally
>> unrelated to authentication though.
>
> Can it be done without introducing a database?
> I would really like not to introduce a database to my puppet master.

As John said, some kind of store'll be unavoidable. If you're concerned
about performance, puppetdb seems the way to go. I've had awesome
results compared to classic storeconfig.

If you're generally ill-disposed re RDBMS on your puppetmaster, you'll
probably go best by generating all keys on the master and pushing the
processed files from there to the nodes. For one site, I've whipped up
that solution in a few hours, complete with puppet integration: a
puppet/ruby function checks whether the key is already available or
needs to be created, another function creates the known_hosts.

The downside of the second method is that you collect all your private
keys on the puppet master. Not that that would make any difference in
case of a break-in on your puppetmaster...

Best Regards, David
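
An added example, not code from this thread or from David's site: one way the known_hosts-rendering half of the master-side approach could look in plain Ruby. The `<keydir>/<fqdn>.pub` layout, the function names and the allowed key types are assumptions; the sample key is constructed and is not a real host key.

```ruby
require 'base64'
require 'tmpdir'

# Key types accepted in the rendered file (assumption: adjust to site policy).
ALLOWED_TYPES = %w[ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256].freeze

# Parse one OpenSSH public key line ("type base64 [comment]").
# Returns [type, blob], or nil if the line is not a well-formed public key.
def parse_pubkey(line)
  type, blob, = line.strip.split(/\s+/, 3)
  return nil unless ALLOWED_TYPES.include?(type) && blob
  raw = Base64.strict_decode64(blob)
  len = raw.unpack1('N') # blob starts with a length-prefixed copy of the type
  return nil unless len && raw.byteslice(4, len) == type
  [type, blob]
rescue ArgumentError # raised by strict_decode64 on damaged base64
  nil
end

# Build known_hosts content from <keydir>/<fqdn>.pub files (hypothetical layout).
# Only *.pub files are read, so private keys kept in the same store are never emitted.
def render_known_hosts(keydir)
  Dir.glob(File.join(keydir, '*.pub')).sort.filter_map do |path|
    fqdn = File.basename(path, '.pub')
    next unless fqdn.match?(/\A[a-z0-9]([a-z0-9.-]*[a-z0-9])?\z/i)
    type, blob = parse_pubkey(File.read(path))
    next unless type # skip truncated or tampered files instead of shipping them
    names = [fqdn, fqdn.split('.').first].uniq.join(',')
    "#{names} #{type} #{blob}"
  end.join("\n") + "\n"
end

# Constructed sample: a syntactically valid ed25519 blob, not a real host key.
def sample_blob(type = 'ssh-ed25519')
  Base64.strict_encode64([type.bytesize].pack('N') + type + [32].pack('N') + ("\x01" * 32))
end

# Constructed key store: one good key, one damaged key, one private-key file.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'web01.example.com.pub'), "ssh-ed25519 #{sample_blob} root@web01\n")
    File.write(File.join(dir, 'db01.example.com.pub'), "ssh-ed25519 not-base64!\n")
    File.write(File.join(dir, 'web01.example.com'), "PRIVATE KEY PLACEHOLDER\n")
    render_known_hosts(dir)
  end
end

puts demo if __FILE__ == $PROGRAM_NAME
```

The rendered file carries only public keys and host names, so it can be pushed to every node while the private halves stay in the master's store.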