Scott Frazer wrote:
> # copy the public key up to the server:
> scp -i /etc/backups/$HOSTNAME /etc/backups/$HOSTNAME.pub user@backup.example.com:/c/vshell/publickey/user
>
> The directory looks strange because it's a Windows server running the
> VShell sshd program. That last line, when run the first time, does
> two things that I'm having trouble scripting into puppet:
>
> 1) it adds the ssh fingerprint of the backup server to
> /root/.ssh/knownhosts

Add the backup server's public key to your puppet manifests with the
sshkey type [1]. This will add the key to /etc/ssh/known_hosts and
bypass that prompt entirely.

> 2) it prompts me for the password for the "user" account on the backup
> server, and then copies the public key for this new server up to the
> backup server.

This one's not as simple. One route would be to distribute a public key
into the Linux systems' /root/.ssh/id_rsa/authorized_keys -- the private
half would be on some privileged account on the backup server. Then, the
Windows system could scp the Linux systems' backup keys to the right
location. However, the Windows system may prompt for new ssh host keys,
or warn if they change.

Another route toward full automation would require collecting up all the
Linux systems' key files and putting them in private folders, one per
system. I use /etc/puppet/private/{fqdn}, and have a mount in
fileserver.conf of

    [private]
        path /etc/puppet/private/%H

and reference files there as "puppet:///private/ssh_host_dsa_key".
Something like

    file { ssh_host_dsa_key:
        path => $operatingsystem ? {
            default => "/etc/ssh/ssh_host_dsa_key"
        },
        owner => root, group => root, mode => 600,
        source => "puppet:///private/ssh_host_dsa_key";
    }

but using your /etc/backups key files instead of the system-level ones.

[1] http://reductivelabs.com/trac/puppet/wiki/TypeReference#sshkey

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
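
The two suggestions in the reply above, combined in one manifest (an added example, not part of the original message). It uses current Puppet syntax; the class name, the backup_key file names on the private mount and the host key placeholder are assumptions.

```puppet
# Added example. Class name, the backup_key* file names on the private mount,
# and the key placeholder are assumptions, not values from the thread.
class backup_client {
  # Short hostname, standing in for $HOSTNAME in the original scp command.
  $key_name = $facts['networking']['hostname']

  # Pin the backup server's host key so the first scp never stops at the
  # "unknown host" prompt and a changed key fails instead of being accepted.
  sshkey { 'backup.example.com':
    ensure => present,
    type   => 'ssh-rsa',
    # Placeholder: paste the base64 body of the server's public host key,
    # obtained from the server's administrator rather than over the network.
    key    => 'REPLACE_WITH_BACKUP_SERVER_HOST_KEY_BASE64',
  }

  file { '/etc/backups':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  # Private half: served from this node's own directory under the [private]
  # mount (%H), readable by root only, and kept out of reports and logs.
  file { "/etc/backups/${key_name}":
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    show_diff => false,
    source    => 'puppet:///private/backup_key',
  }

  # Public half: the file that ends up in the backup server's publickey folder.
  file { "/etc/backups/${key_name}.pub":
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///private/backup_key.pub',
  }
}
```

Serving the private half this way means the Puppet server holds every client's backup key, so /etc/puppet/private needs the same protection as the keys themselves.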
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.