Hello all,

How are you using the sshkey type? Are you using it to list hosts and keys in a class that nodes include in order to manage /etc/ssh/ssh_known_hosts or something else? How does any of this relate to the sshrsakey and sshdsakey facts on the host? I read some stuff about this on the Virtual Resources page but it's too vague for my simple mind and I'd be reluctant to use experimental code anyway.

All the best,
Adam Kosmin

_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
On Apr 4, 2007, at 1:03 PM, Kosmin, Adam wrote:

> Hello all,
>
> How are you using the sshkey type? Are you using it to list hosts and keys in a class that nodes include in order to manage /etc/ssh/ssh_known_hosts or something else? How does any of this relate to the sshrsakey and sshdsakey facts on the host? I read some stuff about this on the Virtual Resources page but it's too vague for my simple mind and I'd be reluctant to use experimental code anyway.

I don't have any evidence that people are actually using the sshkey type (speak up if you are), but it was written to manage the known_hosts file. It relates to the ssh key facts in that you can use those facts to create sshkey resources, and then export those resources, and then collect all ssh keys, so that every host has every other host's key in the known hosts file.

--
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
> > How are you using the sshkey type? Are you using it to list hosts and keys in a class that nodes include in order to manage /etc/ssh/ssh_known_hosts or something else? How does any of this relate to the sshrsakey and sshdsakey facts on the host? I read some stuff about this on the Virtual Resources page but it's too vague for my simple mind and I'd be reluctant to use experimental code anyway.
>
> I don't have any evidence that people are actually using the sshkey type (speak up if you are), but it was written to manage the known_hosts file. It relates to the ssh key facts in that you can use those facts to create sshkey resources, and then export those resources, and then collect all ssh keys, so that every host has every other host's key in the known hosts file.

I'm testing Puppet on roughly twenty servers and am using the sshkey type to populate the ssh_known_hosts file.

At this stage it's more to get an idea of Puppet's reliability and for me to get experience with Puppet's types than being something essential that I'd implement in a wider roll-out. Clearly an automated way (whether inside Puppet or scripted using ssh-keyscan) of gathering the keys would be required if this was to be the case.

James
On Thursday 05 April 2007 06:26, HARRIS Jimmy (AXA-Tech-AU) wrote:

> > > How are you using the sshkey type? Are you using it to list hosts and keys in a class that nodes include in order to manage /etc/ssh/ssh_known_hosts or something else? How does any of this relate to the sshrsakey and sshdsakey facts on the host? I read some stuff about this on the Virtual Resources page but it's too vague for my simple mind and I'd be reluctant to use experimental code anyway.
> >
> > I don't have any evidence that people are actually using the sshkey type (speak up if you are), but it was written to manage the known_hosts file. It relates to the ssh key facts in that you can use those facts to create sshkey resources, and then export those resources, and then collect all ssh keys, so that every host has every other host's key in the known hosts file.
>
> I'm testing Puppet on roughly twenty servers and am using the sshkey type to populate the ssh_known_hosts file.
>
> At this stage it's more to get an idea of Puppet's reliability and for me to get experience with Puppet's types than being something essential that I'd implement in a wider roll-out. Clearly an automated way (whether inside Puppet or scripted using ssh-keyscan) of gathering the keys would be required if this was to be the case.

Here is the outline of my ssh.pp:

class ssh_base {
    file { "/etc/ssh":
        ensure => directory,
        mode   => 0755
    }
}

class ssh_client inherits ssh_base {
    # Now collect everyone else's keys (every sshkey exported by other hosts)
    Sshkey <<| |>>

    package { "openssh-client":
        ensure => installed,
        before => File["/etc/ssh"]
    }
}

class ssh_server inherits ssh_base {
    # every server is a client too
    include ssh_client

    package { "openssh-server": ensure => installed }

    service { "ssh":
        ensure  => running,
        pattern => "sshd",
        require => Package["openssh-server"],
    }

    # Now export this host's own key, if we've got one
    case $sshrsakey_key {
        "": {
            err("no sshrsakey on $fqdn")
        }
        default: {
            debug("Storing rsa key for $hostname.$domain")
            @@sshkey { "$hostname.$domain":
                type   => "ssh-rsa",
                key    => $sshrsakey_key,
                ensure => present
            }
        }
    }

    # Fall back to port 22 when no $ssh_port is set for this node
    $real_ssh_port = $ssh_port ? { '' => 22, default => $ssh_port }

    sshd_config { "Port": ensure => $real_ssh_port }

    nagios2::service { "ssh_port": check_command => "ssh_port!$real_ssh_port" }
}

$sshrsakey_key and friends are custom facter facts produced by the attached sshkeys.rb, which goes to $rubysitedir/facter/

You have to enable storeconfigs with all its current drawbacks to use the Export/Collect.

Regards, David
--
- hello... how's it going today?
- *cough* fine *snort* *wheeze*
- thank god we're communicating over a septic medium ;)
-- Matthias Leeb, Uni f. angewandte Kunst, 2005-02-15
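As an added example (editor's code, not the sshkeys.rb attachment, which is not part of the thread), here is the fact side of the setup above in Ruby: it parses the host's own public key file the way a custom Facter fact would, exposes it as the $sshrsakey_key value the manifest consumes, and renders the ssh_known_hosts line that a collected sshkey resource writes. The key file paths, the `_type` fact name and the sample key are assumptions made for the example.

```ruby
# Added example (editor's code, not the sshkeys.rb attachment from the thread).
# Models the fact side of the manifest above: read the host's own public key
# file, expose it as the $sshrsakey_key fact, and render the ssh_known_hosts
# line the collected sshkey resource ends up writing. Because each key is read
# locally and distributed via the puppetmaster, no host has to trust a
# network key scan (ssh-keyscan style) for its known_hosts entries.

# Standard OpenSSH host key locations (assumed), mapped to the fact prefixes
# the thread uses: sshrsakey / sshdsakey.
HOST_KEY_FILES = {
  "sshrsakey" => "/etc/ssh/ssh_host_rsa_key.pub",
  "sshdsakey" => "/etc/ssh/ssh_host_dsa_key.pub",
}

# Constructed sample of a ssh_host_rsa_key.pub file (key body shortened).
SAMPLE_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexample root@web1\n"

# Split "<type> <base64 key> [comment]"; nil for anything that is not a key.
def parse_pubkey(line)
  type, key, comment = line.to_s.strip.split(" ", 3)
  return nil unless type && key && type.start_with?("ssh-")
  return nil unless key.match?(%r{\A[A-Za-z0-9+/]+=*\z})
  { type: type, key: key, comment: comment }
end

# Fact values for one key file, e.g. {"sshrsakey_key" => "AAAA..."}.
# The "_type" fact is an example name, not one from the thread. An unreadable
# or malformed file yields {} so the manifest's "" case fires instead.
def key_facts(prefix, pubkey_text)
  parsed = parse_pubkey(pubkey_text)
  return {} unless parsed
  { "#{prefix}_key" => parsed[:key], "#{prefix}_type" => parsed[:type] }
end

# The line Puppet's sshkey type writes: "<name>[,<alias>...] <type> <key>".
def known_hosts_line(name, type, key, aliases = [])
  "#{([name] + aliases).join(',')} #{type} #{key}"
end

# Wiring into Facter, active only when Facter loads this file from
# $rubysitedir/facter/; harmless when run stand-alone.
if defined?(Facter)
  HOST_KEY_FILES.each do |prefix, path|
    next unless File.readable?(path)
    key_facts(prefix, File.read(path)).each do |name, value|
      Facter.add(name) { setcode { value } }
    end
  end
end
```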
Very interesting. Thank you. If you don't mind, I'll publish this on the wiki once I develop a better understanding of its workings.

Best,
Adam
On Thursday 05 April 2007 20:15, Kosmin, Adam wrote:

> Very interesting. Thank you. If you don't mind, I'll publish this on the
> wiki once I develop a better understanding of its workings.

Please do! This should probably be packed into a module now that they are available.

The port and nagios2 stuff at the end is coming from other parts of my config and is probably not immediately useful for the public; I added them just to show off a bit what is possible ;)

Regards, David