
Advanced SSH management

You too can be an SSH guru through the following tips.

SSH public host key management

Add the following to your shell startup file (~/.zshrc or ~/.bashrc), adjusting CFINPUTS_SSH to wherever your subversion checkout keeps the shared ssh_known_hosts2 file:

CFINPUTS_SSH=$HOME/work/svn/cfinputs/data/common/etc/ssh

function ssh_host_add () {

        local hostname=$1
        local server
        local tmp
        local keys

        if [ -z "$hostname" ]
        then
                echo "usage: ssh_host_add SHORT_HOSTNAME" 1>&2
                return 1
        fi

        # Work on a fresh copy of the shared known_hosts file.  Every error
        # path below pops the directory again so the caller's cwd is untouched.
        pushd "$CFINPUTS_SSH" >/dev/null || return 1
        svn up ssh_known_hosts2
        if ! [ -r ssh_known_hosts2 ]
        then
                echo "ERROR: Unable to read ssh_known_hosts2" 1>&2
                popd >/dev/null; return 1
        fi

        tmp=$(host -t A "$hostname")
        if [ $? -ne 0 ]
        then
                echo "ERROR: Unable to resolve '$hostname'." 1>&2
                popd >/dev/null; return 2
        fi

        # "foo foo.example.com has address 1.2.3.4" -> "foo,foo.example.com,1.2.3.4".
        # ssh-keyscan connects to the first name and prints the whole list as the
        # alias field of the known_hosts line, so short name, FQDN and IP all
        # match the same key.  Only the first A record is used.
        server=$(echo "$hostname $tmp" | awk 'NR == 1 {print $1","$2","$5}')

        # ssh-keygen -F matches any alias of an entry (hashed ones included),
        # unlike a plain substring grep.
        if ssh-keygen -F "$hostname" -f ssh_known_hosts2 >/dev/null
        then
                echo "ERROR: Entry for '$server' already exists!" 1>&2
                popd >/dev/null; return 3
        fi

        # The key is fetched over the network with no authentication of the
        # server (trust on first use).  Refuse to commit an empty scan, e.g.
        # when the host is still booting.  The page originally scanned
        # rsa,dsa; DSA host keys have been disabled by default since OpenSSH 7.0.
        keys=$(echo "$server" | ssh-keyscan -t rsa,ecdsa,ed25519 -f -)
        if [ -z "$keys" ]
        then
                echo "ERROR: ssh-keyscan returned no keys for '$server'." 1>&2
                popd >/dev/null; return 4
        fi
        echo "$keys" >> ssh_known_hosts2

        svn ci -m "$hostname SSH key" ssh_known_hosts2
        popd >/dev/null

        # Rebuild ssh configuration.
        [ -f "$HOME/.ssh/Makefile" ] && make -C "$HOME/.ssh"
}

Then, as servers are built, run ssh_host_add SERVER_NAME with the short host name only (no domain): the function resolves it through your resolver's search list and records short name, FQDN and address together as aliases of a single known_hosts entry, so ssh SERVER_NAME, ssh with the FQDN and the CheckHostIP check all match the same key. Bear in mind that ssh-keyscan fetches the key over the network without authenticating the server, so the entry is only as trustworthy as the network path at the moment you run it. For a fresh build, read the fingerprint off the server's console (ssh-keygen -l -f on each /etc/ssh/ssh_host_*_key.pub) and compare it with what ended up in the file (ssh-keygen -l -f ssh_known_hosts2) before anyone relies on the entry.
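The awk one-liner in ssh_host_add assumes the resolver answers with exactly one A record for the name, so a host that is a CNAME ("foo is an alias for bar") yields a garbage alias field and a host with several A records gets only one of them recorded, which CheckHostIP will later reject for the others. The following is an added example, not code from the original page, of a drop-in replacement that reads the output of `host -t A SHORTNAME` on stdin and builds the `short,fqdn,ip[,ip...]` token that ssh-keyscan -f copies into the known_hosts line. The sample resolver output and the example.com names are constructed for the demonstration.

```shell
# ssh_host_alias_token SHORTNAME: read `host -t A SHORTNAME` output on stdin
# and print one "short,fqdn,ip[,ip...]" token.  ssh-keyscan -f connects to the
# first name in the list and prints the whole list as the alias field of the
# known_hosts line.  Prints nothing and exits 1 if no address was found.
ssh_host_alias_token() {
    awk -v short="$1" '
        # "foo.example.com is an alias for bar.example.com." -- keep the name
        # as queried (that is what ssh will look up), skip the CNAME target.
        $2 == "is" && $3 == "an" && $4 == "alias" { if (fqdn == "") fqdn = $1; next }
        # "foo.example.com has address 192.0.2.10" -- collect every address so
        # CheckHostIP can verify whichever one the resolver hands out.
        $2 == "has" && $3 == "address" {
            if (fqdn == "") fqdn = $1
            ips = ips "," $4
            next
        }
        END {
            if (ips == "") exit 1
            sub(/\.$/, "", fqdn)
            print short "," fqdn ips
        }'
}

# Constructed sample input (not real DNS data): a host with two A records.
SAMPLE_HOST_OUTPUT='web1.example.com has address 192.0.2.10
web1.example.com has address 192.0.2.11'

# Inside ssh_host_add the real call would be:
#   server=$(host -t A "$hostname" | ssh_host_alias_token "$hostname") || return 2
demo() {
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | ssh_host_alias_token web1
}
```

Because every address becomes an alias of the one entry, the key is pinned for all of them; if the host later changes address, ssh_host_add's duplicate check still fires on the name, which is the prompt to delete the old line and rescan.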

Configuration file management

Create the file $HOME/.ssh/Makefile with the following contents. The recipe lines (the indented commands) must start with a tab, not spaces, or make will stop with a "missing separator" error; the $(wildcard) and $(filter-out) functions also mean this needs GNU make.

.PHONY: known_hosts_anchor
CFINPUTS=$(HOME)/work/svn/cfinputs
TARGETS=known_hosts config

all: $(TARGETS)

# Host-specific fragments come before config.default on purpose: ssh uses the
# first value it sees for an option, so the fragments can override the defaults.
config: $(wildcard config_*) config.default
	-chmod 600 $@
	cat $^ > $@
	chmod 400 $@

# The subversion copy first, then any locally managed known_hosts_* fragments.
known_hosts: known_hosts_anchor $(filter-out known_hosts_anchor, $(wildcard known_hosts_*))
	-chmod 600 $@
	cat $^ > $@
	chmod 400 $@

# Synchronise from subversion (always runs, since the target is .PHONY).
known_hosts_anchor:
	(cd $(CFINPUTS); svn up data/common/etc/ssh/ssh_known_hosts2)
	cp $(CFINPUTS)/data/common/etc/ssh/ssh_known_hosts2 $@

clean:
	rm -f $(TARGETS)

Inside your config.default place the catch-all block below. The Makefile concatenates the config_* fragments ahead of it on purpose: ssh keeps the first value it finds for each option, so a host-specific fragment can only override these defaults by coming first.

### Restrictive defaults.
Host *
BatchMode no
# The IP is an alias of every entry ssh_host_add writes, so it is verified too.
CheckHostIP yes
Compression yes
# Protocol 1 only; newer OpenSSH ignores it.
CompressionLevel 9
ConnectionAttempts 1
FallBackToRsh no
# Never hand the agent to a remote host unless a fragment says otherwise.
ForwardAgent no
ForwardX11 no
GatewayPorts no
# Old spelling of TCPKeepAlive.
KeepAlive yes
PasswordAuthentication no
Protocol 2
RhostsAuthentication no
RhostsRSAAuthentication no
SkeyAuthentication no
# Unknown or changed host key: fail, never prompt or silently add.
StrictHostKeyChecking yes
UsePrivilegedPort no
UseRsh no
User root

The rsh-era options (FallBackToRsh, UseRsh, RhostsAuthentication, RhostsRSAAuthentication, UsePrivilegedPort) and Protocol 1 no longer exist in current OpenSSH, which skips them as deprecated, so they are harmless to keep for older clients. The User root default is what makes this a fleet-administration configuration: every connection is a root login, so keep the servers on key-only root (PermitRootLogin without-password, called prohibit-password in newer releases) and only relax ForwardAgent in a fragment for hosts you control.

See also Faster SSH Logins for some additional voodoo.

Place any manually managed known_hosts content (hosts outside the subversion tree) in known_hosts_SUFFIX files; the Makefile picks every known_hosts_* file up automatically, after the subversion copy. Everything under $HOME/.ssh that matters is now a handful of small text files, so the same ssh data can be carried to other machines with rsync and rebuilt there with make.
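As an added example, not part of the original page, here is a small audit of the assembled known_hosts (or of ssh_known_hosts2 itself) that catches the problems this scheme is prone to: the same host and key type recorded twice (the duplicate check in ssh_host_add only looks at the entry it is about to add), an entry with no IP alias (which CheckHostIP yes then cannot pin), and DSA host keys. The sample file, its example.com names and its key blobs are constructed placeholders.

```shell
# known_hosts_audit: read a known_hosts file on stdin, print one finding per line.
#   DUP   <aliases> <type>   same alias and key type listed more than once
#   NOIP  <aliases>          no IPv4 address among the aliases
#   WEAK  <aliases> ssh-dss  DSA host key (disabled by default since OpenSSH 7.0)
# Hashed entries (|1|...) carry no readable host name and are only counted.
known_hosts_audit() {
    awk '
        /^[ \t]*(#|$)/ { next }                          # comments and blank lines
        substr($1, 1, 3) == "|1|" { hashed++; next }     # HashKnownHosts-style entry
        {
            # A leading marker (@cert-authority, @revoked) shifts the fields by one.
            if ($1 ~ /^@/) { hosts = $2; type = $3 } else { hosts = $1; type = $2 }
            n = split(hosts, alias, ",")
            dup = 0; hasip = 0
            for (i = 1; i <= n; i++) {
                if (alias[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hasip = 1
                if (seen[alias[i] SUBSEP type]++) dup = 1
            }
            if (dup)               print "DUP " hosts " " type
            if (!hasip)            print "NOIP " hosts
            if (type == "ssh-dss") print "WEAK " hosts " " type
        }
        END { if (hashed) print "SKIPPED " hashed " hashed entries" }'
}

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS='web1,web1.example.com,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1
web1,web1.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER2
db,db.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER3
db,db.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER3
old,old.example.com,192.0.2.30 ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER4
|1|c29tZXNhbHQ=|c29tZWhhc2g= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER5
# a comment line'

# Audit the sample; for the real file: known_hosts_audit < ~/.ssh/known_hosts
demo_audit() {
    printf '%s\n' "$SAMPLE_KNOWN_HOSTS" | known_hosts_audit
}
```

Run it against ssh_known_hosts2 before committing, or from the Makefile's known_hosts rule, and treat any DUP as a host whose key changed (a rebuild, or something worse) that needs the stale line removed by hand rather than appended to.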

