update-know-hosts: update script to use the keys available on config-master
Also bump the version to 1.3
Bug: T270359
Change-Id: I58aeb8dd5ff0356d01d8bd23fe4476fe1f870529
Signed-off-by: John Bond <github@johnbond.org>
diff --git a/scripts/wmf-update-known-hosts-production b/scripts/wmf-update-known-hosts-production
index 9447e26..864b15c 100755
--- a/scripts/wmf-update-known-hosts-production
+++ b/scripts/wmf-update-known-hosts-production
@@ -7,7 +7,7 @@
# - Populate a known_hosts file with all the production hosts and services
# in the Wikimedia Foundation production infrastructure for easy
# autocompletion while keeping StrictHostKeyChecking active:
-# - sync all the known hosts from a bastion
+# - sync all the known hosts from https://config-master.wikimedia.org/known_hosts.ecdsa
# - clean the hostname without FQDN in it
# - optionally generate known hosts for services defined as CNAMEs in the
# DNS repository, see PARAMS below. This allows for the autocompletion of
@@ -20,10 +20,6 @@
# UserKnownHostsFile parameter in your ~/.ssh/config in order for them to
# match. A warning will be shown if they don't match.
#
-# By default only the hosts from the choosen BASTION_HOST known_hosts file
-# will be imported, cleaning the hostname (not the FQDN) to ease the auto-
-# completion when ssh-ing.
-#
# PARAMS:
# It accept one positional argument that, if specified, must be the path to
# a local clone of the Operations DNS repository, (either from Gerrit or from
@@ -40,7 +36,7 @@
# Date: 2017-06-21
# Last update: 2019-11-05
# Dependencies: colordiff
-# Version: 1.2
+# Version: 1.3
# License: GPLv3+
##############################################################################
@@ -49,7 +45,7 @@
DNS_REPO_PATH="${1}"
KNOWN_HOSTS_PATH="${HOME}/.ssh/known_hosts.d"
KNOWN_HOST_FILE="${KNOWN_HOSTS_PATH}/wmf-prod"
-BASTION_HOST="bast3005.wikimedia.org"
+KNOWN_HOST_URL="https://config-master.wikimedia.org/known_hosts.ecdsa"
MAIN_DYNA_RECORD="dyna.wikimedia.org."
if [[ ! -d "${KNOWN_HOSTS_PATH}" ]]; then
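Review bot: KNOWN_HOST_URL is a constant that the rest of the script only reads, so declaring it `readonly KNOWN_HOST_URL="https://config-master.wikimedia.org/known_hosts.ecdsa"` (and likewise the sibling constants) would make accidental reassignment a hard error rather than a silent change of the download source. While the version header was bumped to 1.3 in the previous hunk, the `# Last update: 2019-11-05` line just above it was not touched, which leaves the header inconsistent with the change.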
@@ -62,7 +58,7 @@
echo "ERROR: DNS_REPO_PATH '${DNS_REPO_PATH}' is not a directory"
exit 2
fi
- if ! git -C "${DNS_REPO_PATH}" remote -v | egrep '(gerrit.wikimedia.org|github.com\/wikimedia)' | grep -cq 'operations[/-]dns'; then
+ if ! git -C "${DNS_REPO_PATH}" remote -v | grep -E '(gerrit.wikimedia.org|github.com\/wikimedia)' | grep -cq 'operations[/-]dns'; then
echo "ERROR: DNS_REPO_PATH '${DNS_REPO_PATH}' doesn't seems to be a checkout of the operations/dns repository"
exit 3
fi
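Review bot: The rewritten `grep -E` pattern on the `+` line keeps the unescaped dots from the old egrep call, so `gerrit.wikimedia.org` matches any character in place of the dots, and the `\/` escape is unnecessary inside a bracket-free ERE; `grep -E '(gerrit\.wikimedia\.org|github\.com/wikimedia)'` expresses the intended literal match. The trailing `grep -cq` combines a count with quiet mode, which is redundant because `-q` exits on the first match and suppresses output anyway, so `grep -q 'operations[/-]dns'` is sufficient; the same `-c` plus `-q` combination appears again in the last hunk (`grep -Ecq ... "${HOME}/.ssh/config"`). The enclosing `if` block starts outside this hunk.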
@@ -83,7 +79,7 @@
return
fi
- sep="\."
+ sep="\\."
if [[ "${target: -1}" == '.' ]]; then
target="${target%?}"
sep=","
@@ -116,7 +112,7 @@
origin="${2}"
if [[ -n "${origin}" ]]; then
- boundaries="$(grep -n "\$ORIGIN" "${zone_file}" | grep -A 1 "\$ORIGIN ${origin}\.$")"
+ boundaries="$(grep -n "\$ORIGIN" "${zone_file}" | grep -A 1 "\$ORIGIN ${origin}\\.$")"
start=$(echo "${boundaries}" | head -n1 | cut -d':' -f1)
end=$(echo "${boundaries}" | tail -n1 | cut -d':' -f1)
domain="${origin}"
@@ -133,12 +129,8 @@
}
# Get new known hosts
-echo "===> SSHing to ${BASTION_HOST} (if a smartcard input is needed, check it now)"
-ssh "${BASTION_HOST}" 'cat /etc/ssh/ssh_known_hosts' > "${KNOWN_HOST_FILE}.new"
-
-# Remove the non-FQDN hostnames to avoid multiple autocompletions
-awk -F ',' '{ printf $1; for (i = 3; i <= NF; i++) printf FS$i; print NL }' "${KNOWN_HOST_FILE}.new" > "${KNOWN_HOST_FILE}.new.clean"
-mv -f "${KNOWN_HOST_FILE}.new.clean" "${KNOWN_HOST_FILE}.new"
+echo "===> Fetching from ${KNOWN_HOST_URL}"
+curl "${KNOWN_HOST_URL}" -o "${KNOWN_HOST_FILE}.new"
if [[ -n "${DNS_REPO_PATH}" ]]; then
extract_cnames_from_zone "${DNS_REPO_PATH}/templates/wikimedia.org"
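Review bot: The new `curl` call neither fails on HTTP error responses nor checks its exit status, so a 404/5xx body or a truncated download is written to `${KNOWN_HOST_FILE}.new` and, in the final hunk, moved over the real known_hosts file, silently dropping every production host key the user relies on with StrictHostKeyChecking. Replace it with `curl -fsS --proto '=https' "${KNOWN_HOST_URL}" -o "${KNOWN_HOST_FILE}.new" || { echo "ERROR: failed to fetch ${KNOWN_HOST_URL}" >&2; exit 4; }`, exit code 4 being the next unused one after the 2 and 3 already returned earlier in the script. Note that the trust model also changes here: the removed ssh path was authenticated by the bastion's own host key, whereas this download is only as trustworthy as TLS validation of config-master, which is why `--proto '=https'` is worth pinning against redirect downgrades. The awk step that stripped non-FQDN hostnames is removed as well, yet the header comment in the first hunk still lists "clean the hostname without FQDN in it"; if the config-master file is already FQDN-only that header should be updated, otherwise the cleaning step is still needed before the file is installed.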
@@ -164,7 +156,7 @@
mv -v "${KNOWN_HOST_FILE}.new" "${KNOWN_HOST_FILE}"
echo "New file generated at ${KNOWN_HOST_FILE}"
-if ! egrep -cq "UserKnownHostsFile .*/wmf-prod( |$)" "${HOME}/.ssh/config"; then
+if ! grep -Ecq "UserKnownHostsFile .*/wmf-prod( |$)" "${HOME}/.ssh/config"; then
echo "WARNING: You may need to add/update 'UserKnownHostsFile ${KNOWN_HOST_FILE}' to your ~/.ssh/config"
fi