SSH Host Key Retrieval and Verification
When Altus Director logs into an instance through SSH, by default it does not perform host key verification against the remote host. For added security and to prevent man-in-the middle attacks, host key verification can be enabled by setting the host key fingerprint retrieval type.
The sshHostKeyRetrievalType can be set in the conf file to specify the desired host key fingerprint retrieval type. The allowable values are: NONE, PROVIDER, INSTANCE, and FALLBACK.
Altus Director will not attempt to retrieve the host key fingerprints for the instances, and host key verification is not performed. This is the default behaviour.
Altus Director will attempt to retrieve the host key fingerprints for each instance from the cloud provider. This is currently only supported for AWS. This is done in AWS by using the API to read the console output for the instance, which usually displays the host key fingerprints associated with the instance. See Getting Console Output and Rebooting Instances in the AWS documentation for more information on reading the console output. Since Altus Director has to wait for the console output to appear, this will increase bootstrap time by around three to five minutes.
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS----- ec2: 1024 6d:99:6d:f1:d5:42:42:68:f1:5b:40:e9:ff:30:82:38 /etc/ssh/ssh_host_dsa_key.pub (DSA) ec2: 2048 2d:e1:d3:48:06:0d:32:32:1b:14:3a:87:49:18:ca:2a /etc/ssh/ssh_host_key.pub (RSA1) ec2: 2048 7f:1b:3b:51:42:2e:4e:be:9f:f1:77:15:a6:33:62:c7 /etc/ssh/ssh_host_rsa_key.pub (RSA) ec2: -----END SSH HOST KEY FINGERPRINTS-----
On the first SSH connection into the instance, Altus Director will retrieve and store the host key fingerprints by reading the host key files in /etc/ssh. Future SSH connections will be verified using the stored fingerprints. This method is less secure than the PROVIDER method, since the very first SSH connection isn’t verified.
This approach is a combination of PROVIDER and INSTANCE. Altus Director will first attempt to retrieve the host key fingerprints from the cloud provider (using PROVIDER method). If that fails or is not supported, it will attempt to retrieve the fingerprints through the instance on the first SSH connection (INSTANCE method).