When I build a new server, I collect the ssh key fingerprints from the console before my initial connections over the network using ssh. I'd like to be able to get the same out-of-band assurance when using salt.

With salt, when a new minion starts up it generates an RSA key and submits a request to the salt-master. I can use salt-key -p <newminion> to see the entire key and compare that with the minion's /etc/salt/pki/minion/minion.pub, but I'd rather use the shorter fingerprint that salt-key -f <newminion> displays.

How can I get the minion to display its own key fingerprint? The minion doesn't have the salt-key command ...

Jim Cheetham

1 Answer

Run salt-call in local mode on the minion asking for key.finger:

salt-call --local key.finger

If your salt is old or you otherwise don't have key.finger, you can use cat, grep and md5sum as noted in issue 3706:

cat /etc/salt/pki/minion/minion.pub | grep -v -e BEGIN -e END | md5sum
Community
jla
  • The key.finger method is explained also in the [SaltStack Walk-through](http://docs.saltstack.com/en/latest/topics/tutorials/walkthrough.html) – marco.m Aug 03 '15 at 10:26
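
The out-of-band check the question asks for, built on the answer's fallback pipeline, as an added example that is not part of the original answer or of Salt itself: it prints the local key's fingerprint as colon-separated hex pairs and compares it with the value read from `salt-key -f` on the master. The function names are hypothetical, and it assumes the master shows the colon-separated MD5 of the same bytes the fallback pipeline hashes (the older Salt versions that fallback is for); where `key.finger` is available, compare its output instead.

```shell
#!/bin/sh
# Added example: verify a minion's public key against a fingerprint that was
# obtained out-of-band from the master before the key is accepted.
# usage: sh verify_minion_key.sh /etc/salt/pki/minion/minion.pub <fingerprint>

# Hash the key body the same way the fallback pipeline does (BEGIN/END lines
# dropped, MD5 over what remains) and print it as colon-separated hex pairs.
minion_fingerprint() {
    pub=$1
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }
    grep -v -e BEGIN -e END "$pub" | md5sum | cut -d' ' -f1 |
        sed 's/../&:/g; s/:$//'
}

# Normalise a fingerprint for comparison: strip colons and whitespace,
# fold hex digits to lower case.
normalise() {
    printf '%s' "$1" | tr -d ': \t\n' | tr 'A-F' 'a-f'
}

# Return 0 on match, 1 on mismatch, 2 if the key file cannot be read.
verify_minion_key() {
    pub=$1
    expected=$2
    actual=$(minion_fingerprint "$pub") || return 2
    if [ "$(normalise "$actual")" = "$(normalise "$expected")" ]; then
        echo "MATCH    $actual"
    else
        echo "MISMATCH local=$actual expected=$expected" >&2
        return 1
    fi
}

# Run the check only when called with both arguments.
if [ "$#" -eq 2 ]; then
    verify_minion_key "$1" "$2"
fi
```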