
add ssh host key fingerprints to server listing

Open abizer opened this issue 6 years ago • 3 comments

We list tsunami's host key fingerprint at ocf.io/ssh, but it would be useful to have the other machines' fingerprints listed somewhere publicly as well, so we can verify them externally if we get a key mismatch or something like that.

Dec 29 '18 08:12 abizer

This should be pretty easy to do if we use puppetdb for the server list, since there's a bunch of SSH key fingerprint facts:

sshdsakey
sshecdsakey
sshed25519key
sshfp_dsa
sshfp_ecdsa
sshfp_ed25519
sshfp_rsa
sshrsakey

(we probably don't want the sshfp ones though since those are for usage in DNS and we don't currently use them)

Dec 29 '18 09:12 jvperrin

With #406, ocfweb will have its own Puppet cert which will make this even easier. Perhaps we should even list them on the servers page?

Dec 29 '18 17:12 dkess

I'm currently just hosting the actual known_hosts file we use at https://failure.ocf.berkeley.edu/ssh_known_hosts so that I can pull it into the known hosts file on my machine. We should consider making such a file available on www.o.b.e, possibly only including non-staff hosts (segfault, werewolves, tsunami, etc).

Jan 16 '19 05:01 cg505
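An added example, not part of the thread or of ocfweb's code: one way to turn a known_hosts file like the one mentioned above into a per-host table of SHA256 fingerprints suitable for publishing, rejecting entries whose declared key type disagrees with the key blob. The key material and the name `tsunami.example.test` are constructed for illustration, and `make_sample_key` is a hypothetical helper that only builds sample data.

```python
import base64
import hashlib
import struct

def blob_key_type(blob: bytes) -> str:
    """Read the key type string stored at the start of an SSH public key blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (hostname, key type) -> fingerprint for each plain host key entry."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers, short lines.
        if not fields or fields[0][0] in "#@" or len(fields) < 3:
            continue
        hosts, key_type, b64_key = fields[:3]
        if blob_key_type(base64.b64decode(b64_key)) != key_type:
            raise ValueError(f"key type mismatch on entry for {hosts}")
        for host in hosts.split(","):
            table[(host, key_type)] = fingerprint(b64_key)
    return table

def make_sample_key(seed: int) -> str:
    """Constructed ed25519-shaped blob (not a real host key), base64 encoded."""
    name = b"ssh-ed25519"
    body = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + body
    return base64.b64encode(blob).decode()

# Constructed sample file; tsunami and werewolves are names from the thread.
SAMPLE = "\n".join([
    "# constructed sample, not the real OCF file",
    f"tsunami,tsunami.example.test ssh-ed25519 {make_sample_key(1)}",
    f"werewolves ssh-ed25519 {make_sample_key(2)} comment",
])

if __name__ == "__main__":
    for (host, key_type), fp in sorted(parse_known_hosts(SAMPLE).items()):
        print(host, key_type, fp)
```

The printed fingerprints are in the same `SHA256:` form that an SSH client shows on a first connection or a key mismatch, so a published table can be compared against the prompt directly.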