Reword the last section

Florian Obser 2023-01-15 09:07:17 +01:00
parent fc9cceaa91
commit c0ddd4f72b


@ -102,22 +102,23 @@ On the installed machine I use said out of band access to run
#+begin_src shell
ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub
#+end_src
This gives me one ssh host-key fingerprint and I can then login over
ssh.
This gives me one ssh host-key fingerprint and I can login over ssh.
I have to add IPv6 and legacy-IP addresses to DNS for the machine so I
also grab the SSHFP to add them at the same time:
I then run
#+begin_src shell
ls /etc/ssh/*.pub | xargs -n1 ssh-keygen -r $(hostname) -f
#+end_src
and copy & paste the result into my DNS zone file along side A and
AAAA records for legacy IP and IPv6. I use [[https://www.powerdns.com/][PowerDNS]] as a hidden DNSSEC
signer so I paste into the editor ~pdnsutil edit-zone~
provides.
While still logged in I install python3 and add an ssh-key for
While still logged in, I install python3 and add an ssh-key for
ansible. I then add the host to the ansible inventory. The ansible
orchestrator can now finish the installation of the host over ssh
while trusting the SSHFP it finds in DNS.
Ansible also hooks up the host to my monitoring system and the
monitoring system can connect to the new host over ssh, again trusting
that it talks to the correct host because of SSHFP in DNS.
The newly installed host knows that it's talking to my backup and
monitoring server using their published SSHFP records.
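Review bot: the new sentence "I have to add IPv6 and legacy-IP addresses to DNS for the machine so I also grab the SSHFP to add them at the same time:" ends in a colon but is followed by the separate line "I then run" before the #+begin_src block, so the colon dangles; either end that sentence with a period or fold "I then run" into it ("...at the same time, so I run"). Two smaller points in the unchanged context of this hunk: "along side" should be "alongside", and `ssh-keygen -r $(hostname)` uses whatever hostname(1) prints as the SSHFP owner name, so if that is the short host name rather than the FQDN the pasted records will not match the zone; a sentence saying the FQDN is expected there would save readers a confusing paste.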