class sshkeys {
    file { "/etc/ssh/keys":
        ensure  => directory,
        recurse => true,
        links   => follow,
        purge   => true,
        source  => "puppet://puppet/dist/ssh/keys/$hostname"
    }
}
And we also make sure that sshd_config on all hosts has:
AuthorizedKeysFile /etc/ssh/keys/%u
I'd like to take it further and instead define lists of keys to go into
user authorized_keys files but haven't really had time. There's a
recipe on the wiki for doing something like this but if memory serves
you also need to have users managed by Puppet and that turns into a mess
on Solaris 10.
Matt
> -----Original Message-----
> From: puppet-users-bounces at madstop.com [mailto:puppet-users-
> bounces at madstop.com] On Behalf Of Micah Anderson
> Sent: Friday, 25 January 2008 8:33 AM
> To: puppet-users at madstop.com
> Subject: [Puppet-users] Managing user authorized_keys
>
> I am trying to find a way in puppet to generate and distribute user's
> ssh public keys (such as id_dsa.pub) and then 'install' them into the
> appropriate authorized_keys file on another machine. This is what I
> originally thought the sshkey type would do, but then I learned it
> only manages the host key.
>
> An example to better illustrate what I am talking about: I have a lot
> of machines that need to have a large web tree installed on them as they
> are a cluster of webservers. Because the tree is a significant number of
> files, puppet chokes on trying to distribute them if I use the file
> type, so instead the entire tree is contained in a subversion repository
> that I would keep checked out on each of the webservers. I want the www-data
> user on those machines to have a ssh public key generated, and then
> that key 'installed' in the appropriate user's .ssh/authorized_keys file on
> the subversion server so that svn+ssh style subversion checkouts can
> happen without passwords (yes, there are other ways of doing that, I
> know).
>
> I thought maybe something like the following could be done on one of
> the clients:
>
> exec {
>     "$hostname-id_dsa":
>         command => "ssh-keygen -t dsa -C 'www-data pubkey created by puppet' -N '' -f /var/www/.ssh/id_dsa",
>         creates => [ "/var/www/.ssh/id_dsa.pub", "/var/www/.ssh/id_dsa" ],
>         require => [ User["www-data"], File["/var/www/.ssh"] ],
>         user    => www-data,
> }
>
> file {
>     "/var/local/puppet/webmail_pubkeys":
>         ensure  => directory,
>         owner   => root, group => root, mode => 0755, checksum => mtime,
>         require => [ File["/var/local"], File["/var/local/puppet"] ],
> }
>
> @@authorized_key {
>     "www@$fqdn":
>         target => "/home/webmail/.ssh/authorized_keys",
>         key    => "/var/www/.ssh/id_dsa.pub",
> }
>
> Then on the subversion server itself, something like this would be
> run:
>
> Authorized_key <<||>>
> exec {
>     create_authorized_keys:
>         command   => "/bin/sh -c '/bin/cat /var/local/puppet/webmail_pubkeys/* >> /home/riseup/.ssh/authorized_keys'",
>         subscribe => File["/var/local/puppet/webmail_pubkeys"],
> }
>
> I'm afraid that the response will come from Luke that will say that I
> must create my own type, which requires some Ruby code and that it's
> really easy. I'm afraid of that because easy things like that aren't so
> easy for me until I learn a whole lot more Ruby. If anyone else has
> looked at this problem and has a solution, I would love to know it as
> without this I am faced with re-architecting an environment to do
> things another way.
>
> Thanks,
> micah
>
> _______________________________________________
> Puppet-users mailing list
> Puppet-users at madstop.com
> https://mail.madstop.com/mailman/listinfo/puppet-users
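As an added example (not code from either poster), this is what the "collect the pubkeys into a directory, then build authorized_keys" step from the quoted message looks like when done as a deterministic rebuild instead of `cat ... >> authorized_keys`: re-running it never duplicates entries, a key whose source file is removed disappears from the target, and malformed or option-carrying lines are refused. The function names, the accepted key-type list and the synthetic test keys are assumptions of this example.

```python
import base64
import os
import struct
import tempfile

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}


def parse_key_line(line):
    """Return (type, blob, comment) for a plain 'type blob [comment]' line, else None."""
    parts = line.split(None, 2)
    # Option prefixes (command=, from=, ...) are rejected: a collected file
    # must not be able to introduce options the merger did not intend.
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    ktype, blob = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # The decoded blob starts with a length-prefixed copy of the key type;
    # it must agree with the declared type, otherwise the line is garbage.
    if len(raw) < 4 or raw[4:4 + struct.unpack(">I", raw[:4])[0]] != ktype.encode():
        return None
    return ktype, blob, comment


def merge_keys(sources):
    """Merge key-file contents: duplicate (type, blob) pairs collapse, bad lines drop."""
    seen = {}
    for text in sources:
        for line in text.splitlines():
            parsed = parse_key_line(line)  # blanks and '#' comments parse to None
            if parsed is not None:
                seen.setdefault(parsed[:2], parsed[2])  # first comment wins
    return "".join(f"{t} {b} {c}".rstrip() + "\n" for (t, b), c in seen.items())


def rebuild_authorized_keys(src_dir, target):
    """Replace target atomically (mode 0600) with the merge of every file in src_dir."""
    with os.scandir(src_dir) as it:
        paths = sorted(e.path for e in it if e.is_file())
    merged = merge_keys(open(p).read() for p in paths)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(target)))
    with os.fdopen(fd, "w") as fh:
        fh.write(merged)
    os.chmod(tmp, 0o600)
    os.replace(tmp, target)  # readers see either the old file or the new one


def make_key_line(ktype, payload, comment=""):
    """Build a synthetic, correctly framed key line for tests (NOT a real key)."""
    blob = base64.b64encode(struct.pack(">I", len(ktype)) + ktype.encode() + payload)
    return f"{ktype} {blob.decode()} {comment}".rstrip()
```

Because the target is rewritten whole from the collected directory, the exec that runs it can be subscribed to the directory exactly as in the quoted manifest without ever growing the file on repeated runs.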