SSH Host Key Retrieval and Verification

When Altus Director logs into an instance through SSH, by default it does not perform host key verification against the remote host. For added security and to prevent man-in-the middle attacks, host key verification can be enabled by setting the host key fingerprint retrieval type.

The sshHostKeyRetrievalType can be set in the conf file to specify the desired host key fingerprint retrieval type. The allowable values are: NONE, PROVIDER, INSTANCE, and FALLBACK.

NONE

Altus Director will not attempt to retrieve the host key fingerprints for the instances, and host key verification is not performed. This is the default behaviour.

PROVIDER

Altus Director will attempt to retrieve the host key fingerprints for each instance from the cloud provider. This is currently only supported for AWS. This is done in AWS by using the API to read the console output for the instance, which usually displays the host key fingerprints associated with the instance. See Getting Console Output and Rebooting Instances in the AWS documentation for more information on reading the console output. Since Altus Director has to wait for the console output to appear, this will increase bootstrap time by around three to five minutes.

Note that not all AMIs display the host key fingerprints for the instance in the console output. Before enabling this, ensure that the AMI displays a section that looks like the following in the console output:
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 1024 6d:99:6d:f1:d5:42:42:68:f1:5b:40:e9:ff:30:82:38 /etc/ssh/ssh_host_dsa_key.pub (DSA)
ec2: 2048 2d:e1:d3:48:06:0d:32:32:1b:14:3a:87:49:18:ca:2a /etc/ssh/ssh_host_key.pub (RSA1)
ec2: 2048 7f:1b:3b:51:42:2e:4e:be:9f:f1:77:15:a6:33:62:c7 /etc/ssh/ssh_host_rsa_key.pub (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----

INSTANCE

On the first SSH connection into the instance, Altus Director will retrieve and store the host key fingerprints by reading the host key files in /etc/ssh. Future SSH connections will be verified using the stored fingerprints. This method is less secure than the PROVIDER method, since the very first SSH connection isn’t verified.

FALLBACK

This approach is a combination of PROVIDER and INSTANCE. Altus Director will first attempt to retrieve the host key fingerprints from the cloud provider (using PROVIDER method). If that fails or is not supported, it will attempt to retrieve the fingerprints through the instance on the first SSH connection (INSTANCE method).