mirror of https://github.com/xcat2/confluent.git synced 2025-12-28 03:51:45 +00:00
confluent/confluent_osdeploy/common/profile/scripts/setupssh
Jarrod Johnson 63bbe53448 Address numerous issues with 'installtodisk' for el8
Add missing pre.d directory to let user know they can use such scripts

Preserve console directives from kernelargs into installed system

Retry umount during image2disk, if processes have the filesystem busy.

Fix DNS behavior during post phase of installtodisk

Invoke confignet properly during firstboot to set up additional interfaces.

Have sshd run during the install from '/sysroot', for convenience

Fix some cosmetic error output for setupssh
2025-08-22 08:39:40 -04:00


# Load the confluent shell helper library from whichever locations exist.
# The /etc/confluent copy is sourced second, so where both files are present
# its definitions take effect last.
if [ -f /lib/confluent/functions ]; then
  . /lib/confluent/functions
fi
if [ -f /etc/confluent/functions ]; then
  . /etc/confluent/functions
fi

# Choose the API client used for every request below. The /etc/confluent path
# is tested last and therefore overrides /opt/confluent/bin. If neither file
# exists, confapiclient keeps whatever value it already had (possibly unset).
if [ -f /opt/confluent/bin/apiclient ]; then
  confapiclient=/opt/confluent/bin/apiclient
fi
if [ -f /etc/confluent/apiclient ]; then
  confapiclient=/etc/confluent/apiclient
fi
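# Request a certificate for each SSH host public key.
# Every matching public key file is passed to /confluent-api/self/sshcert and
# the response is written next to it as <key>-cert.pub. Only the .pub file is
# handed to the API client; the private key is never named here.
# NOTE(review): the exit status of the request is not checked, so what ends up
# in the -cert.pub file after a failed request depends on the API client.
for pubkey in /etc/ssh/ssh_host*key.pub; do
  # An unmatched glob stays as the literal pattern; never send that to the API.
  [ -e "$pubkey" ] || continue
  # ssh_host_key.pub is skipped (presumably the legacy protocol-1 key name,
  # for which no certificate is wanted).
  if [ "$pubkey" = /etc/ssh/ssh_host_key.pub ]; then
    continue
  fi
  # Strip only the trailing .pub, then append -cert.pub. The suffix form is
  # POSIX and cannot hit a ".pub" that appears earlier in the path.
  certfile=${pubkey%.pub}-cert.pub
  confluentpython $confapiclient /confluent-api/self/sshcert "$pubkey" -o "$certfile"
done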
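# Configure sshd for host certificates and host-based authentication, once.
# Target selection:
#   - sshd_config.d/ exists and 90-confluent.conf does not: write the drop-in;
#   - sshd_config.d/ is absent and sshd_config has no line containing
#     "HostCertificate": append to sshd_config;
#   - otherwise leave the existing configuration untouched.
#
# Security-relevant effect of the three options written below:
#   HostbasedAuthentication yes         - a client host whose key is accepted
#                                         through known_hosts can authenticate
#                                         users without a per-user key.
#   HostbasedUsesNameFromPacketOnly yes - sshd matches the hostname the client
#                                         supplies and does not reverse-resolve
#                                         the connection's source address.
#   IgnoreRhosts no                     - per-user ~/.rhosts and ~/.shosts are
#                                         honoured.
# With these set, the known_hosts trust anchors and the shosts files are the
# access control for host-based logins; changes to them are worth monitoring.
sshd_conf=
if [ -d /etc/ssh/sshd_config.d/ ]; then
  if [ ! -e /etc/ssh/sshd_config.d/90-confluent.conf ]; then
    sshd_conf=/etc/ssh/sshd_config.d/90-confluent.conf
  fi
# NOTE(review): grep matches any line containing the string, so a commented-out
# HostCertificate line in sshd_config also suppresses this branch.
elif ! grep HostCertificate /etc/ssh/sshd_config > /dev/null; then
  sshd_conf=/etc/ssh/sshd_config
fi

if [ -n "$sshd_conf" ]; then
  for cert in /etc/ssh/ssh*-cert.pub; do
    # Without this guard an unmatched glob would be written to the sshd
    # configuration as a literal "ssh*-cert.pub" path.
    [ -e "$cert" ] || continue
    printf 'HostCertificate %s\n' "$cert" >> "$sshd_conf"
  done
  {
    echo HostbasedAuthentication yes
    echo HostbasedUsesNameFromPacketOnly yes
    echo IgnoreRhosts no
  } >> "$sshd_conf"
fi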
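# Fetch the site's public bundle into a private scratch directory and unpack it.
# The rest of the script reads ssh/*.ca and ssh/*.*pubkey relative to the
# current directory and installs them as SSH trust anchors, so it must not
# continue from some other directory if the scratch directory is unavailable.
# The variable keeps the name TMPDIR because the cleanup at the end of the
# script removes "$TMPDIR".
# "return ... || exit" stops the script whether it is sourced or executed.
TMPDIR=$(mktemp -d) || {
  echo "setupssh: unable to create temporary directory" >&2
  return 1 2>/dev/null || exit 1
}
cd "$TMPDIR" || {
  echo "setupssh: unable to enter temporary directory" >&2
  return 1 2>/dev/null || exit 1
}
# NOTE(review): the ssh/ members of this archive become a certificate authority
# for all hosts and authorized keys for root, so its integrity rests on how the
# API client authenticates the deployment server; that is not visible in this
# file and should be confirmed.
confluentpython $confapiclient /confluent-public/site/initramfs.tgz -o initramfs.tgz
tar xf initramfs.tgz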
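# Install each CA public key from the unpacked bundle into the system-wide
# known_hosts file as "@cert-authority *", i.e. trusted to sign host
# certificates for every hostname. Any earlier line containing the same key
# text is dropped first so that repeated runs do not accumulate duplicates.
# Assumes one key per .ca file - TODO confirm against the bundle format.
for ca in ssh/*.ca; do
  # An unmatched glob stays as the literal pattern; skip it quietly.
  [ -f "$ca" ] || continue
  LINE=$(cat "$ca")
  if [ -z "$LINE" ]; then continue; fi
  if [ -f /etc/ssh/ssh_known_hosts ]; then
    # cp -a creates the .new file with the attributes of the current file
    # (presumably to keep mode/ownership/labels); the redirect below then
    # rewrites only its contents.
    cp -af /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts.new
    # -F: the key text is a literal, not a regular expression. A comment field
    # containing regex metacharacters must neither over-match nor make grep
    # fail and leave the filtered copy empty.
    grep -vF -- "$LINE" /etc/ssh/ssh_known_hosts > /etc/ssh/ssh_known_hosts.new
  fi
  # Quoted so the key text is written exactly as it was matched above, with no
  # word splitting or filename expansion applied to it.
  printf '%s %s\n' '@cert-authority *' "$LINE" >> /etc/ssh/ssh_known_hosts.new
  mv /etc/ssh/ssh_known_hosts.new /etc/ssh/ssh_known_hosts
done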
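# Authorize every public key shipped in the bundle for root logins.
# Each key line is appended to /root/.ssh/authorized_keys exactly as found, so
# no restricting options (from=, command=, ...) are applied by this script.
# Any earlier line containing the same key text is removed first, which keeps
# repeated runs from adding duplicates.
mkdir -p /root/.ssh/
chmod 700 /root/.ssh/
touch /root/.ssh/authorized_keys
for pubkey in ssh/*.*pubkey; do
  # An unmatched glob stays as the literal pattern; skip it quietly.
  [ -f "$pubkey" ] || continue
  LINE=$(cat "$pubkey")
  if [ -z "$LINE" ]; then continue; fi
  # cp -a creates the .new file with the attributes of the current file; the
  # redirect below then rewrites only its contents.
  cp -af /root/.ssh/authorized_keys /root/.ssh/authorized_keys.new
  # -F: treat the key as a literal string. With a regex match, a key comment
  # containing an unbalanced "[" would make grep fail and emit nothing, and the
  # mv below would then replace authorized_keys with only the new key.
  grep -vF -- "$LINE" /root/.ssh/authorized_keys > /root/.ssh/authorized_keys.new
  printf '%s\n' "$LINE" >> /root/.ssh/authorized_keys.new
  mv /root/.ssh/authorized_keys.new /root/.ssh/authorized_keys
done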
# Build the host-based authentication allow list from the node list returned by
# /confluent-api/self/nodelist. sed removes a leading "- " from each line (the
# list presumably arrives as YAML-style items). Every name written here is a
# host trusted for host-based login on this node.
# The same list is copied to /root/.shosts; sshd does not consult shosts.equiv
# for root, which is presumably why the per-user file is written as well.
# The pipeline's status is that of sed, so a failed request leaves both files
# empty rather than stale (unless pipefail is enabled elsewhere).
shosts_equiv=/etc/ssh/shosts.equiv
confluentpython $confapiclient /confluent-api/self/nodelist \
  | sed -e 's/^- //' > "$shosts_equiv"
cat "$shosts_equiv" > /root/.shosts
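# Leave the scratch directory, remove it, and let a running sshd pick up the
# new configuration and trust files.
cd -
# Quoted and guarded: mktemp builds its path under any inherited TMPDIR, so an
# unquoted expansion containing whitespace would make rm -rf act on unrelated
# paths. "--" stops a value beginning with "-" from being read as an option.
if [ -n "$TMPDIR" ]; then
  rm -rf -- "$TMPDIR"
fi
# try-restart only restarts sshd if it is already running.
systemctl try-restart sshd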