Keep SSH host keys (ex-Spacewalk users primarily....)

jkalchik · October 14, 2019, 4:16pm

Goal: Preserve SSH host keys when re-building a Linux host. Handy when you’re in a dev environment.

I’ve had both Spacewalk and RHSat5 running for years here, and one of the very useful snippets has been the keep_ssh_host_keys snippet. Unfortunately, taken as-is from Spacewalk, the installs would hang at the final close of the pre-install section of the kickstart.

The solution (found at https://fedoraproject.org/wiki/Anaconda/Kickstart/es#Chapter_4._Pre-installation_Script) was to make sure that the final while loop that would populate the new SSH directory needs to have stdin, stdout and stderr either closed or redirected from the main bash execution.

done < /dev/null > /tmp/keep_ssh_host_keys.txt 2>&1 &

This has allowed the pre install section to close, yet leave the while loop in the background to complete processing.

This certainly could be a useful technique for other purposes.

jkalchik · October 14, 2019, 4:40pm

I should point out that this also covers some heartburn cases with remote execution from the Foreman master to clients, especially those over SSH connections, after re-implementation. This will eliminate the need to remove the old SSH keys from foreman and foreman_proxy .ssh directories.

lzap · October 18, 2019, 11:29am

Hello,

thanks for heads up. Feel free to contribute the snippet to our community-templates repo. I assume the license is GNU GPL:

github.com

rsampaio/cobbler/blob/master/snippets/keep_ssh_host_keys

#raw
# Nifty trick to restore keys without using a nochroot %post

echo "Saving keys..." > /dev/ttyS0

SEARCHDIR=/etc/ssh
TEMPDIR=ssh
PATTERN=ssh_host_

keys_found=no
# /var could be a separate partition
SHORTDIR=${SEARCHDIR#/var}
if [ $SHORTDIR = $SEARCHDIR ]; then
	SHORTDIR=''
fi	
insmod /lib/jbd.o
insmod /lib/ext3.o

mkdir -p /tmp/$TEMPDIR

This file has been truncated. show original

jkalchik · October 18, 2019, 6:13pm

That’s the snippet, and it’s a 1 line change to make it work gracefully in Foreman/Katello. I trigger it here with a master snippet called by “Kickstart default custom pre”. (detecting a pattern here? )

I’ll look up the license and/or contact the original developer to see about submitting to this project.

lzap · October 21, 2019, 6:23am

Thanks. If the license is open-source (and it very likely is) then you don’t need to contact the author and just go ahead and create a PR at https://github.com/theforeman/community-templates

jkalchik · October 28, 2019, 4:20pm

While I agree that the license probably isn’t an issue, it’d be awfully nice to let him know that I’m submitting it to this project.