A little trick for Salt key exchange

This is mostly a note to myself. Once in a long while I need to add a new computer as a Salt minion, and I always forget how to verify the fingerprint of its key. I know the probability of somebody intercepting the handshake is low, but it is possible nevertheless: the master only knows a pending key by the minion id it arrived under, so whatever key shows up under the new host's name should be compared with what the host itself reports before it is accepted.

On the Salt master, you can list key fingerprints using the following command:

# salt-key -F
Local Keys:
master.pem:  5a:71:27:e4:7a:9a:8b:ae:d2:1f:3f:ac:a3:eb:9a:7b:b6:e3:ab:6b:d3:e1:d1:24:ee:df:f8:be:0e:db:a9:0c:63:6b:71:7a:f1:7a:d1:46:23:bc:ee:e7:ff:17:d1:4f:59:f1:ed:87:20:88:2d:1b:2b:72:3c:5a:52:39:47:9a
master.pub:  11:5b:f3:d3:80:3a:dc:59:93:54:a5:f7:d0:6e:ab:29:80:3c:7f:08:ed:59:92:29:c6:a2:4c:42:16:5c:7c:a8:22:52:08:d8:c9:e3:f8:a1:77:63:ec:93:e2:61:41:8c:f1:4e:a0:95:f2:48:78:06:ae:00:d3:f8:a0:7d:85:71
Accepted Keys:
oldhost:  b5:f7:74:94:da:6a:a1:b2:56:fe:b3:f3:8f:ca:ac:42:81:1b:d7:e0:46:44:80:6c:9e:00:fa:09:38:6f:51:50:3a:c8:61:63:b6:c4:a8:55:88:a4:ea:f8:99:08:12:ab:8c:48:f7:51:aa:f0:4b:00:ab:83:8b:99:bc:9e:d8:f6
Unaccepted Keys:
newhost:  d6:74:fa:aa:fc:be:88:25:39:d2:8e:53:f1:cb:6c:dd:a6:1c:a8:06:5f:66:dc:0b:91:27:f2:49:f3:4b:59:a9:d3:d1:ac:20:67:99:c2:97:4a:2d:38:26:48:42:a2:38:7d:b3:5f:81:4b:d0:5f:3e:ae:ac:0b:35:b9:0b:21:ac

On the client, it is also easy:

# salt-call --local key.finger
local:
    45:1d:89:13:a7:69:b7:e4:bc:b3:e2:50:a3:18:1b:44:8e:28:a8:2c:fc:58:ce:a6:f2:50:94:75:d7:32:79:83

What I regularly run into is that I use sha512 on the master (hash_type: sha512 in the master config), but the default on a newly added minion is sha256. The two fingerprints are of different lengths (32 versus 64 bytes), so they cannot be compared at all, and I struggle to figure out how to change it. Especially as I don't add/reinstall computers very often; I have a fairly static set of computers. The answer is really simple. Add another argument on the client!

# salt-call --local key.finger sha512
local:
    d6:74:fa:aa:fc:be:88:25:39:d2:8e:53:f1:cb:6c:dd:a6:1c:a8:06:5f:66:dc:0b:91:27:f2:49:f3:4b:59:a9:d3:d1:ac:20:67:99:c2:97:4a:2d:38:26:48:42:a2:38:7d:b3:5f:81:4b:d0:5f:3e:ae:ac:0b:35:b9:0b:21:ac
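The comparison step above is easy to get wrong by eye over 64 hex pairs, and the length mismatch between the two hash types is what makes it confusing in the first place. The following script is an added example (it is not part of the original post and not code from Salt itself): it parses a pasted `salt-key -F` listing, works out which hash type each fingerprint uses from its length, and refuses to call a key verified unless the master's pending entry and the minion's `key.finger` output agree. The listing and the two minion fingerprints are the ones shown above; the function names and the `HASH_BYTES` table are my own, and the assumption that Salt's `hash_type` is any of the listed hashlib names follows the documented config values.

```python
"""Check a new minion's key fingerprint against `salt-key -F` output.

Added example, not part of the original post or of Salt. It assumes:
- the `salt-key -F` listing is pasted in as text (here constructed from the
  fingerprints shown in the post), and
- the minion fingerprint is the output of `salt-call --local key.finger [hash_type]`.
Salt prints fingerprints as colon-separated hex bytes, so a sha256 fingerprint
has 32 pairs and a sha512 one has 64; that is why the two outputs in the post
could not be compared until the same hash type was used on both sides.
"""
import re

# Fingerprints taken from the post above.
MASTER_PUB = "11:5b:f3:d3:80:3a:dc:59:93:54:a5:f7:d0:6e:ab:29:80:3c:7f:08:ed:59:92:29:c6:a2:4c:42:16:5c:7c:a8:22:52:08:d8:c9:e3:f8:a1:77:63:ec:93:e2:61:41:8c:f1:4e:a0:95:f2:48:78:06:ae:00:d3:f8:a0:7d:85:71"
OLDHOST_SHA512 = "b5:f7:74:94:da:6a:a1:b2:56:fe:b3:f3:8f:ca:ac:42:81:1b:d7:e0:46:44:80:6c:9e:00:fa:09:38:6f:51:50:3a:c8:61:63:b6:c4:a8:55:88:a4:ea:f8:99:08:12:ab:8c:48:f7:51:aa:f0:4b:00:ab:83:8b:99:bc:9e:d8:f6"
NEWHOST_SHA512 = "d6:74:fa:aa:fc:be:88:25:39:d2:8e:53:f1:cb:6c:dd:a6:1c:a8:06:5f:66:dc:0b:91:27:f2:49:f3:4b:59:a9:d3:d1:ac:20:67:99:c2:97:4a:2d:38:26:48:42:a2:38:7d:b3:5f:81:4b:d0:5f:3e:ae:ac:0b:35:b9:0b:21:ac"
NEWHOST_SHA256 = "45:1d:89:13:a7:69:b7:e4:bc:b3:e2:50:a3:18:1b:44:8e:28:a8:2c:fc:58:ce:a6:f2:50:94:75:d7:32:79:83"

# Constructed sample: the `salt-key -F` listing from the post (master.pem omitted).
MASTER_LISTING = f"""\
Local Keys:
master.pub:  {MASTER_PUB}
Accepted Keys:
oldhost:  {OLDHOST_SHA512}
Unaccepted Keys:
newhost:  {NEWHOST_SHA512}
"""

# Digest size in bytes for the hash_type values Salt accepts (hashlib names).
HASH_BYTES = {"md5": 16, "sha1": 20, "sha224": 28,
              "sha256": 32, "sha384": 48, "sha512": 64}

FINGER_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2})+$")


def normalize(finger):
    """Lower-case, drop whitespace, and re-insert colons if they were pasted without."""
    f = finger.strip().lower().replace(" ", "")
    if ":" not in f:
        f = ":".join(f[i:i + 2] for i in range(0, len(f), 2))
    if not FINGER_RE.match(f):
        raise ValueError(f"not a fingerprint: {finger!r}")
    return f


def hash_type_of(finger):
    """Infer the hash type from the number of bytes in the fingerprint."""
    nbytes = len(normalize(finger).split(":"))
    for name, size in HASH_BYTES.items():
        if size == nbytes:
            return name
    raise ValueError(f"unknown digest length: {nbytes} bytes")


def parse_salt_key_listing(text):
    """Turn `salt-key -F` output into {section: {key_name: fingerprint}}."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, finger = line.partition(":")
        if not finger.strip():          # "Accepted Keys:" style header
            current = name.strip()
            sections[current] = {}
        elif current is not None:
            sections[current][name.strip()] = finger.strip()
    return sections


def check_minion_key(listing, minion_id, minion_finger):
    """Return (ok, message); ok is True only on an exact fingerprint match."""
    keys = parse_salt_key_listing(listing)
    for section in ("Unaccepted Keys", "Accepted Keys"):
        if minion_id in keys.get(section, {}):
            break
    else:
        return False, f"no key for {minion_id} in the master listing"
    master_f = normalize(keys[section][minion_id])
    minion_f = normalize(minion_finger)
    m_type, c_type = hash_type_of(master_f), hash_type_of(minion_f)
    if m_type != c_type:
        return False, (f"hash types differ: master lists {m_type}, minion reported "
                       f"{c_type}; rerun: salt-call --local key.finger {m_type}")
    if master_f != minion_f:
        return False, f"FINGERPRINT MISMATCH for {minion_id}: do not accept this key"
    if section == "Accepted Keys":
        return True, f"{minion_id} matches the already accepted key"
    return True, f"fingerprints match; safe to run: salt-key -a {minion_id}"


if __name__ == "__main__":
    for finger in (NEWHOST_SHA256, NEWHOST_SHA512):
        ok, msg = check_minion_key(MASTER_LISTING, "newhost", finger)
        print("OK " if ok else "NO ", msg)
```

Paste the master listing into MASTER_LISTING and the minion's `key.finger` output as the third argument; the sha256 run reproduces the mistake from the post (it tells you which hash type to rerun with), and only the sha512 run reports a match.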

And now it works: the two sha512 fingerprints line up and the key can be accepted with salt-key -a newhost. If you would rather not remember the extra argument, setting hash_type: sha512 in the minion config makes the minion use the same algorithm as the master. The check also works in the other direction: once the minion has seen the master's public key, salt-call --local key.finger_master prints its fingerprint, and setting master_finger in the minion config makes the minion refuse a master whose key does not match. Hopefully next time I'll remember that I wrote a note to myself about this on my blog :-)