When I build a new server, I collect the ssh key fingerprints from the console before my initial connections over the network using ssh. I'd like to be able to get the same out-of-band assurance when using salt.
With salt, when a new minion starts up it generates an RSA key and submits a request to the salt-master. I can use salt-key -p <newminion> to see the entire key and compare that with the minion's /etc/salt/pki/minion/minion.pub, but I'd rather use the shorter fingerprint that salt-key -f <newminion> displays.
How can I get the minion to display its own key fingerprint? The minion doesn't have the salt-key command ...
Run salt-call in local mode on the minion asking for key.finger:
salt-call --local key.finger
If your salt is old or you otherwise don't have key.finger, you can use cat, grep and md5sum as noted in issue 3706:
cat /etc/salt/pki/minion/minion.pub | grep -v -e BEGIN -e END | md5sum
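The pipeline above only matches the master's output when the master hashes keys with md5; salt-key -f uses the master's hash_type setting, and newer Salt releases default that to sha256. Salt builds the fingerprint by hashing the base64 body of the PEM file (header and footer lines dropped, line breaks kept) and printing the hex digest as colon-separated byte pairs. The following shell function reproduces that format for either digest so the value printed on a minion can be compared character for character with salt-key -f on the master. It is an added example, not part of the original answer or of Salt itself; the function name pem_finger and the constructed sample file are assumptions for illustration, and the sample body is not a real key.

```shell
#!/bin/sh
# Added example (not from the original answer or from Salt): reproduce salt's
# key fingerprint in plain shell so a minion can be checked without salt-call.
# Salt hashes the base64 body of the PEM file (BEGIN/END lines removed, line
# breaks kept) and prints the hex digest as colon-separated byte pairs.
# The digest must match the master's hash_type setting: older Salt releases
# default to md5, newer ones to sha256.
set -eu

# pem_finger PATH [md5|sha256]  -> prints the fingerprint, e.g. 1a:2b:...
# (function name is an assumption for this example)
pem_finger() {
    path=$1
    sum_type=${2:-sha256}
    [ -r "$path" ] || { echo "pem_finger: cannot read $path" >&2; return 1; }
    # Drop blank lines and the BEGIN/END lines, hash what remains (with newlines),
    # exactly as the grep | md5sum pipeline does for md5.
    digest=$(grep -v '^[[:space:]]*$' "$path" \
             | grep -v -e '-----BEGIN' -e '-----END' \
             | "${sum_type}sum" | cut -d' ' -f1)
    # Insert a colon after every two hex characters and strip the trailing one.
    printf '%s\n' "$digest" | sed 's/../&:/g; s/:$//'
}

# Constructed sample: a PEM-shaped file whose body is not a real key.
sample_pem() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexampleexampleexample
exampleexampleexampleexampleexampleexampleexampleexampleexample
-----END PUBLIC KEY-----
EOF
    echo "$f"
}

# Typical use on a minion (path from the question above):
#   pem_finger /etc/salt/pki/minion/minion.pub sha256
# then compare with `salt-key -f <newminion>` on the master; pass md5 instead
# if the master's hash_type is md5.
```

If the two values differ, check the master's hash_type before assuming the key was tampered with: a sha256 fingerprint on the master will never match an md5 one on the minion.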