I've created an ssh_keys class that just makes sure that all my
Puppet managed hosts get the same set of hosts keys using the
"sshkey" type. I also am starting to play with OSSEC HIDS which is
a host based intrusion detection system. OSSEC HIDS has been
letting me know that the MD5 and SHA1 hashes of
/etc/ssh/ssh_known_hosts has been changing regularly as Puppet runs.
Now, I've not added or changed anything with my ssh keys so I would
expect either:
a) it sees that the keys haven't changed and thus doesn't
regenerate the /etc/ssh/ssh_known_hosts file
b) it always regenerates the file, but generates it exactly the
same every time so the MD5 and SHA1 sums are the same.
In actual operation Puppet puts a timestamp in the header of the
file and it generates a new file even if none of the keys have
actually changed. I would just wonder if I am alone in thinking
that the file really should not change if its actual contents aren't
changing?
Obviously I can teach OSSEC HIDS to ignore ssh_host_keys as it is
already managed by Puppet, but for whatever reason that doesn't seem
like the "right" solution to me. Maybe it is...
--
Paul Ortman
PGP Key: 55602C81
--
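As an added example (not from the post, and not Puppet's or OSSEC's own code), the script below shows a file-integrity check that hashes only the key entries of /etc/ssh/ssh_known_hosts rather than the whole file: a rewrite that changes nothing but the header timestamp then produces the same digest, while a changed host key still does not. The header text and the keys are constructed placeholders.

```python
import hashlib

# Constructed sample data (not from the post): three snapshots of
# /etc/ssh/ssh_known_hosts. The header imitates the timestamp comment the
# post says Puppet writes; the keys are placeholders, not real key material.
HEADER = "# HEADER: This file was autogenerated at {ts}\n# HEADER: by puppet.\n"
KEYS = (
    "web1.example.com,10.0.0.11 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA-constructed-web1\n"
    "db1.example.com,10.0.0.21 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA-constructed-db1\n"
)
SNAPSHOT_MON = HEADER.format(ts="Mon Oct 30 12:00:00 2006") + KEYS
SNAPSHOT_TUE = HEADER.format(ts="Tue Oct 31 12:00:00 2006") + KEYS
SNAPSHOT_BAD = HEADER.format(ts="Tue Oct 31 12:00:00 2006") + KEYS.replace(
    "constructed-db1", "replaced-db1")


def parse_known_hosts(text):
    """Return the set of (marker, hosts, keytype, key) entries, ignoring
    comment lines, blank lines and the free-text comment after the key."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = ""
        if fields[0].startswith("@"):  # e.g. @cert-authority or @revoked
            marker = fields.pop(0)
        if len(fields) < 3:
            raise ValueError("malformed known_hosts line: %r" % raw)
        entries.add((marker, fields[0], fields[1], fields[2]))
    return entries


def raw_digest(text):
    """SHA-1 of the whole file, the way a plain file-integrity checker sees it."""
    return hashlib.sha1(text.encode()).hexdigest()


def canonical_digest(text):
    """SHA-256 over the sorted key entries only; stable across header rewrites."""
    canon = "\n".join(" ".join(e).strip() for e in sorted(parse_known_hosts(text)))
    return hashlib.sha256(canon.encode()).hexdigest()


def keys_changed(old_text, new_text):
    """True only if host-key material differs, not comments or timestamps."""
    return canonical_digest(old_text) != canonical_digest(new_text)


if __name__ == "__main__":
    print("timestamp-only rewrite:", keys_changed(SNAPSHOT_MON, SNAPSHOT_TUE))
    print("db1 key replaced:", keys_changed(SNAPSHOT_MON, SNAPSHOT_BAD))
```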