Idea DO-I-1093 (46 votes)

Return the droplet's SSH public key as part of API droplet creation / query

Since I want to provision servers I want to be able to trust that I'm not getting MITM'ed. While I know I can trust the DigitalOcean response (because of HTTPS / certs) I don't know that I can trust the (generated) public key of my new droplet. By including the public key into the droplet response this can be avoided. Before connecting to a droplet for the first time I could query the API for the droplet's public key, then programmatically add it to my HOSTS file, closing the trust loop.

  • Posted by Zach Aysan
  • Sep 11 2018
  • Status: Needs review
  • Category: Developer API
  • Comments (4)
  • Zach Aysan commented
    11 Sep, 2018 04:43pm

    I suppose that a workaround could be to use this: https://www.digitalocean.com/company/blog/easily-automate-the-provisioning-of-your-droplets/ and a key registry of some kind or even just run a script to replace the generated keys with ones generated by the provisioning server.


  • Zach Aysan commented
    11 Sep, 2018 04:43pm

    Because debugging is hard when you have slightly messed up a cloud-init script, I elected to inject the key with the following cloud-init script:

    ```ruby
    # cloud-init user-data as a Ruby hash (serialised by the provisioning code).
    # private_key / public_key hold the base64-encoded ECDSA host key files that
    # the provisioning server generated, so it already knows the key to expect.
    { "runcmd" => [
      # original post had a doubled path here ("/etc/ssh/etc/ssh/..."), fixed
      "rm -f /etc/ssh/ssh_host_ecdsa*",
      "echo '#{private_key}' > /tmp/base64_pri && base64 --decode /tmp/base64_pri > /etc/ssh/ssh_host_ecdsa_key",
      "echo '#{public_key}' > /tmp/base64_pub && base64 --decode /tmp/base64_pub > /etc/ssh/ssh_host_ecdsa_key.pub",
      "chmod 600 /etc/ssh/ssh_host_ecdsa_key",
      "chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub",
      # do not leave a world-readable copy of the private key in /tmp
      "rm -f /tmp/base64_pri /tmp/base64_pub",
      "sleep 1 && service ssh restart"
    ] }
    ```


  • Hilton De Meillon commented
    11 Sep, 2018 04:43pm

    I have been asking for this for years now... such a supposedly easy thing to do with profound security implications if not done! Every time I start a droplet I have to:

    1) log into console and check ssh key
    2) accept the key in my local terminal

    Such a wasted opportunity for DO!


  • allonhadaya commented
    11 Sep, 2018 04:43pm

    It would be nice if the public host key was also displayed on the website (maybe on the droplet access page)... This would help serve users who create droplets through the website with the same improvement in establishing trust.

    As a temporary hack, this can already be done: open a terminal session on the web console, and print the public host key fp. This happens over HTTPS.

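The trust check the idea and the last comment describe, as an added example that is not part of the original thread: given a host public key obtained out of band (the API response the idea asks for, or the key printed in the web console), compute the OpenSSH SHA256 fingerprint to compare against what ssh shows on first connection, and write a hashed known_hosts entry so the host is pinned instead of trusted on first use. The key, hostname and salt handling here are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

def parse_pubkey_line(pubkey_line: str):
    """Split an OpenSSH public key line into (key_type, base64_blob, raw_blob).
    The blob starts with a length-prefixed copy of the key type; a mismatch
    means the line is mislabelled or corrupted, so refuse to pin it."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match label")
    return key_type, b64, blob

def fingerprint_sha256(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint ("SHA256:<unpadded base64>"), the string
    that ssh-keygen -lf prints and ssh displays on first connection."""
    _, _, blob = parse_pubkey_line(pubkey_line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def known_hosts_line(host: str, pubkey_line: str, salt: Optional[bytes] = None) -> str:
    """known_hosts entry in the HashKnownHosts=yes form:
    |1|base64(salt)|base64(HMAC-SHA1(salt, host)) <type> <key>"""
    key_type, b64, _ = parse_pubkey_line(pubkey_line)
    salt = salt if salt is not None else os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    hashed = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    return "%s %s %s" % (hashed, key_type, b64)

def host_matches(entry: str, host: str) -> bool:
    """Check whether a known_hosts entry (hashed or plain) is for host, as ssh does."""
    first = entry.split()[0]
    if not first.startswith("|1|"):
        return host in first.split(",")   # plain entry, possibly several names
    _, _, salt_b64, mac_b64 = first.split("|")
    expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))

def sample_pubkey_line() -> str:
    """Constructed ed25519 host key line for the demo (not any real host's key)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
    return "ssh-ed25519 %s droplet-example" % base64.b64encode(blob).decode()
```

Append the output of `known_hosts_line(droplet_ip, key_line)` to `~/.ssh/known_hosts` before the first `ssh`; if ssh then prompts with a different fingerprint than `fingerprint_sha256` returned, the connection is not reaching the droplet you created.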

© 2018 DigitalOcean, LLC. All rights reserved.