Advanced SSH management

You too can be an SSH guru through the following tips.

SSH public host key management

Simply add the following to your shell startup files (~/.zshrc, or ~/.bashrc) in your web hosting user account.

CFINPUTS_SSH=$HOME/work/svn/cfinputs/data/common/etc/ssh

function ssh_host_add () {

        local hostname=$1
        local server
        local tmp

        pushd $CFINPUTS_SSH; svn up ssh_known_hosts2
        if ! [ -r ssh_known_hosts2 ]
        then
                echo "ERROR: Unable to read ssh_known_hosts2" 1>&2
                return 1
        fi

        tmp=$(host -t A $hostname)
        if [ $? -ne 0 ]
        then
                echo "ERROR: Unable to resolve '$hostname'." 1>&2
                return 2
        fi

        server=$(echo "$hostname $tmp" | awk '{print $1","$2","$5}')
        if grep -q "$server" ssh_known_hosts2
        then
                echo "ERROR: Entry for '$server' already exists!" 1>&2
                return 3
        fi

        echo $server | ssh-keyscan -t rsa,dsa -f - >> ssh_known_hosts2

        svn ci -m "$hostname SSH key" ssh_known_hosts2
        popd

        # Rebuild ssh configuration.
        [ -f $HOME/.ssh/Makefile ] && make -C $HOME/.ssh
}

Then as servers are built, simply run ssh_host_add SERVER_NAME (NB: Don't specify the domain name)

Configuration file management

Create the file $HOME/.ssh/Makefile (be sure to use tabs instead of spaces) with the following contents:

.PHONY: known_hosts_anchor
CFINPUTS=$(HOME)/work/svn/cfinputs
TARGETS=known_hosts config

all: $(TARGETS)

config: $(wildcard config_*) config.default
        -chmod 600 $@
        cat $^ > $@
        chmod 400 $@

known_hosts: known_hosts_anchor $(filter-out known_hosts_anchor, $(wildcard known_hosts_*))
        -chmod 600 $@
        cat $^ > $@
        chmod 400 $@

# Synchronise from subversion.
known_hosts_anchor:
        (cd $(CFINPUTS); svn up data/common/etc/ssh/ssh_known_hosts2)
        cp $(CFINPUTS)/data/common/etc/ssh/ssh_known_hosts2 $@

clean:
        rm -f $(TARGETS)

Inside your config.default place:

### Restrictive defaults.
Host *
BatchMode no
CheckHostIP yes
Compression yes
CompressionLevel 9
ConnectionAttempts 1
FallBackToRsh no
ForwardAgent no
ForwardX11 no
GatewayPorts no
KeepAlive yes
PasswordAuthentication no
Protocol 2
RhostsAuthentication no
RhostsRSAAuthentication no
SkeyAuthentication no
StrictHostKeyChecking yes
UsePrivilegedPort no
UseRsh no
User root

See also Faster SSH Logins for some additional voodoo.

Place any manually managed known_hosts content in known_hosts_SUFFIX. This will now let you manage common ssh data between multiple machines easily with simple uses of rsync and make.