I am trying to find a way in puppet to generate and distribute user's ssh
public keys (such as id_dsa.pub) and then 'install' them into the
appropriate authorized_keys file on another machine. This is what I
originally thought the sshkey type would do, but then I learned it only
manages the host key.

An example to better illustrate what I am talking about: I have a lot of
machines that need to have a large web tree installed on them as they are
a cluster of webservers. Because the tree is a significant number of
files, puppet chokes on trying to distribute them if I use the file type,
so instead the entire tree is contained in a subversion repository that I
would keep checked out on each of the webservers. I want the www-data
user on those machines to have a ssh public key generated, and then that
key 'installed' in the appropriate user's .ssh/authorized_keys file on
the subversion server so that svn+ssh style subversion checkouts can
happen without passwords (yes, there are other ways of doing that, I
know).

I thought maybe something like the following could be done on one of the
clients:

    exec { "$hostname-id_dsa":
        command => "ssh-keygen -t dsa -C 'www-data pubkey created by puppet' -N '' -f /var/www/.ssh/id_dsa",
        creates => [ "/var/www/.ssh/id_dsa.pub", "/var/www/.ssh/id_dsa" ],
        require => [ User["www-data"], File["/var/www/.ssh"] ],
        user    => www-data,
    }

    file { "/var/local/puppet/webmail_pubkeys":
        ensure  => directory,
        owner   => root, group => root, mode => 0755, checksum => mtime,
        require => [ File["/var/local"], File["/var/local/puppet"] ],
    }

    @@authorized_key { "www@$fqdn":
        target => "/home/webmail/.ssh/authorized_keys",
        key    => "/var/www/.ssh/id_dsa.pub",
    }

Then on the subversion server itself, something like this would be run:

    Authorized_key <<| |>>

    exec { "create_authorized_keys":
        command   => "/bin/sh -c '/bin/cat /var/local/puppet/webmail_pubkeys/* >> /home/riseup/.ssh/authorized_keys'",
        subscribe => File["/var/local/puppet/webmail_pubkeys"],
    }

I'm afraid that the response will come from Luke that will say that I
must create my own type, which requires some Ruby code and that it's
really easy. I'm afraid of that because easy things like that aren't so
easy for me until I learn a whole lot more Ruby. If anyone else has
looked at this problem and has a solution, I would love to know it as
without this I am faced with re-architecting an environment to do things
another way.

Thanks,
micah
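The server-side exec in the post above appends every collected key each time the directory changes and never removes a key whose .pub file has gone away, so a withdrawn key stays valid and duplicates accumulate. The following is an added example, not code from the thread: a POSIX shell rebuild step that could stand in for that exec, validating each line, deduplicating on key type and blob, and replacing the file atomically. The directory layout and the accepted key types are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild an authorized_keys file from a
# directory of collected *.pub files instead of appending with "cat >>".
# Rebuilding is idempotent and drops keys whose .pub file has been removed.
# The directory layout and the accepted key types are assumptions.

# Accept one bare OpenSSH public key per line: type, base64 blob, optional
# comment. Lines with options, extra fields or control characters are rejected.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-dss|ssh-rsa) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
}

# build_authorized_keys SRCDIR OUTFILE
# Collects every valid line from SRCDIR/*.pub, deduplicates on type+blob so the
# same key with two different comments appears once, and replaces OUTFILE
# atomically (temp file, mode 0600, rename). Rejected lines go to stderr.
build_authorized_keys() {
    srcdir=$1
    outfile=$2
    tmp="$outfile.tmp.$$"
    : > "$tmp"
    chmod 600 "$tmp"
    for f in "$srcdir"/*.pub; do
        [ -f "$f" ] || continue
        # Handle a final line without a trailing newline as well.
        while IFS= read -r line || [ -n "$line" ]; do
            [ -n "$line" ] || continue
            if valid_pubkey_line "$line"; then
                printf '%s\n' "$line" >> "$tmp"
            else
                printf 'rejected in %s: %s\n' "$f" "$line" >&2
            fi
        done < "$f"
    done
    # Fields 1-2 are key type and blob; -u keeps one line per distinct key.
    sort -u -k 1,2 "$tmp" > "$tmp.sorted" && mv "$tmp.sorted" "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$outfile"
}
```

Called from the exec as `build_authorized_keys /var/local/puppet/webmail_pubkeys /home/riseup/.ssh/authorized_keys`, it rewrites the file in full on each run, so removing a .pub file from the directory revokes that key on the next apply.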
Micah,

Why generate separate keys on each host? Why not generate one key, and
distribute the key with puppet to all the machines?

--Paul

On Jan 24, 2008 1:32 PM, Micah Anderson <micah@riseup.net> wrote:
> I am trying to find a way in puppet to generate and distribute user's ssh
> public keys (such as id_dsa.pub) and then 'install' them into the
> appropriate authorized_keys file on another machine. This is what I
> originally thought the sshkey type would do, but then I learned it only
> manages the host key.
On 1/24/2008 3:32 PM, Micah Anderson wrote:
> I am trying to find a way in puppet to generate and distribute user's
> ssh public keys (such as id_dsa.pub) and then 'install' them into the
> appropriate authorized_keys file on another machine. This is what I
> originally thought the sshkey type would do, but then I learned it
> only manages the host key.

I think http://reductivelabs.com/trac/puppet/wiki/Authorized_keysRecipe
goes a long way toward what you need, but I've never used it myself.

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University
What we've done is to create a tree on the Puppet server,
ssh/keys/${host}/${user}. Most of these are symlinks to
ssh/keys/all/${user}, but we can easily override.

From there we have:

    class sshkeys {
        file { "/etc/ssh/keys":
            ensure  => directory,
            recurse => true,
            links   => follow,
            purge   => true,
            source  => "puppet://puppet/dist/ssh/keys/$hostname",
        }
    }

And we also make sure that sshd_config on all hosts has:

    AuthorizedKeysFile /etc/ssh/keys/%u

I'd like to take it further and instead define lists of keys to go into
user authorized_keys files but haven't really had time. There's a
recipe on the wiki for doing something like this but if memory serves
you also need to have users managed by Puppet and that turns into a mess
on Solaris 10.

Matt
> -----Original Message-----
> From: puppet-users-bounces@madstop.com [mailto:puppet-users-bounces@madstop.com] On Behalf Of Micah Anderson
> Sent: Friday, 25 January 2008 8:33 AM
> To: puppet-users@madstop.com
> Subject: [Puppet-users] Managing user authorized_keys
>
> I am trying to find a way in puppet to generate and distribute user's ssh
> public keys (such as id_dsa.pub) and then 'install' them into the
> appropriate authorized_keys file on another machine. This is what I
> originally thought the sshkey type would do, but then I learned it only
> manages the host key.