
Re: creating symlink in /etc/ssh/ allowed for a package?



On 15/02/13 23:31, Jordon Bedwell wrote:
> On 02/15/2013 06:46 AM, Timo Weingärtner wrote:
>> Dear OpenSSH maintainers,
>>
>> I am packaging openssh-known-hosts for Debian with Philipp Kern (Cc:'ed) as
>> my mentor. It is designed for institutions with many hosts and central host
>> key management.
>>
>> It can download known_hosts files, verify their integrity, filter hostnames
>> and merge everything into one file. That file is
>> /var/lib/openssh-known-hosts/ssh_known_hosts.
>>
>> To lower configuration work for the admin my package's postinst script[1]
>> creates a symlink /etc/ssh/ssh_known_hosts to it if there is nothing in that
>> place already, else it emits a warning.
>>
>> Do you think it is OK to put that symlink into /etc/ssh/? What do you
>> recommend for the case that /etc/ssh/ssh_known_hosts is already there?
>
> I would personally prefer the extra work.

If you need to deploy one known hosts file, there will be folks that need to deploy lots. This is something that I have done for other packages and certainly something I could use to speed up deployment of new servers.

How about setting it up in the same way other things in /etc/ do;

  /etc/ssh/ssh_known_hosts.d/

Or a similar name. Where the files in that directory could be provided per 'organisation' or otherwise by package, etc.

This will require changes to openssh to look for the files in the right place. However it will allow for a whole lot more flexible deployment options and remote package automation options down the track than symlinking a single file outside of /etc/.

regards,

Kim
--
Kim Hawtin
SysAdmin/Programmer, Online Media, MSC
The University of Adelaide
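
The postinst behaviour described in the quoted message (create the symlink only when nothing is in its place, otherwise warn), as an added shell example. It is not the package's own postinst script; the function name link_known_hosts and its argument order are assumptions, and the paths are arguments so the logic can be tried in a scratch directory.

```shell
#!/bin/sh
# Added illustration; not the openssh-known-hosts package's postinst.

# link_known_hosts TARGET LINK   (hypothetical helper name)
# Returns 0 if LINK is a symlink to TARGET afterwards,
# 1 if something else occupies LINK and was left untouched.
link_known_hosts() {
    target=$1
    link=$2

    # [ -e ] follows symlinks, so a dangling symlink looks like a free
    # path; the extra -L test catches it.
    if [ -e "$link" ] || [ -L "$link" ]; then
        if [ -L "$link" ] && [ "$(readlink "$link")" = "$target" ]; then
            return 0    # already ours: re-running the script is a no-op
        fi
        echo "warning: $link already exists, not replacing it;" \
             "point it at $target by hand if wanted" >&2
        return 1
    fi

    # No -f, so an existing file is never replaced by the package.
    ln -s "$target" "$link"
}

# In a maintainer script the call would look like this (the warning case
# must not fail the installation):
#   link_known_hosts /var/lib/openssh-known-hosts/ssh_known_hosts \
#                    /etc/ssh/ssh_known_hosts || true
```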

