I''m writing a module for centralized creation, distribution, and
revocation
of ssh key pairs for users. It''s tentatively called ssh::authkey. It
aims
to be a complete solution for centrally managing users'' ssh keys.
The module is superficially similar to the Authorized keys recipe, but
unlike the recipe it will provide drop-in code, will only manage keys (not
user accounts), and will come with a fully documented interface and
examples of use. I''ve also made some different design choices and
removed
some requirements, compared to the recipe.
The module does fill a need. I started writing it because I wanted the
facility myself, and the existing tools didn''t provide it.
The documentation is about 75% done, and the code is about 50% done.
I''ve
excerpted some of the draft documentation below, to give an idea of what
the module will do, and why we need another ssh-related module.
Comments on this proposal are welcome.
Question: Can I be allowed to create a new page on the wiki to host the
module and documentation? I tried to do this by e.g. going to
http://reductivelabs.com/trac/puppet/wiki/SshAuthKey , but all I get is
"Page SshAuthKey not found". It seems that I don''t have the
rights to
create a page.
Thanks,
Andrew.
Documentation excerpt (draft):
===========ssh::authkey
===========
Description
-----------
ssh\::authkey provides centralized creation, distribution, and revocation
of ssh key pairs for users. There are three types of hosts involved:
========= ===============================================Role Description
========= ===============================================keymaster the host
that creates and distributes ssh keys.
server a host running an ssh server.
client a host with users who want to log in to servers.
========= ===============================================
One host may fulfill multiple roles. At present though, the keymaster has
to be located on the same host as the puppetmaster, since all files are
read on the puppetmaster.
Features
--------
* Each user may have one or more ssh key pairs, centrally created on the
keymaster and distributed to servers and clients.
* Each key pair may be installed onto any set of clients, and enabled for
authentication on any set of servers.
* Keys may have login options set as in authorized_keys(5), e.g. to disable
shell access or force certain commands to run.
* Keys may be enabled for authenticating as other users.
* Keys can be uninstalled or revoked, either manually or automatically at
given intervals, and new ones automatically created and distributed.
Future features:
* ssh\::authkey::server and ssh\::authkey::client accept just
''*'' as an
argument, to distribute all available keys.
Basic Usage
-----------
To create and distribute a key pair for user alice::
include ssh::authkey
# On the keymaster: create a key pair (RSA, 2048 bits).
node keymaster {
ssh::authkey::master { alice: }
}
# On an ssh server:
# Authorize alice''s key to authenticate her on this server.
node sshserver {
ssh::authkey::server { alice: }
}
# On a client:
# Install alice''s private key, so she can log in from there.
node sshclient {
ssh::authkey::client { alice: }
}
Comparisons
-----------
ssh\::authkey aims to provide a complete solution for managing ssh keys for
users, with a well-defined and documented interface. Here is how it
compares to the other ssh-related tools available in Puppet:
sshkey
......
sshkey is a native type in Puppet. It manages host key pairs, and it might
be made to manage user key pairs too, but it won''t generate them or
install
them into authorized_keys files on servers.
ssh_authorized_key
..................
ssh_authorized_key is a native type in Puppet for managing ssh *public*
keys for users. It will install or remove public keys into authorized_keys
files on servers, but it won''t create key pairs, or manage the private
half
of the key pair. It also has a few `quirks
<http://projects.reductivelabs.com/issues/1164>`_.
Authorized keys recipe
......................
The `Authorized keys recipe
<http://reductivelabs.com/trac/puppet/wiki/Recipes/Authorized_keys>`_
provides many of the same features as ssh\::authkey. However it has
several problems:
* It''s poorly documented.
* It doesn''t provide installable module code.
* The provided code mixes together general key classes and definitions, of
the type provided by ssh\::authkey, with the particulars of how the author
wants to manage his accounts.
* It enforces root ownership and control of the key files.
Assumptions and Limitations
---------------------------
* The keymaster must currently be colocated with the puppetmaster, since
the keymaster reads file from the file system, which in Puppet always
refers to files on the puppetmaster.
* The created private keys are unencrypted, i.e. they have empty
passphrases. Users can add passphrases themselves using ssh-keygen -p, or,
if you feel you need the keys to have passphrases, you could probably add a
passphrase-creation step before distributing the keys. (If you create such
a facility, please consider submitting it for inclusion into
ssh\::authkey.) Note however, that in general there is no way to force
users to encrypt their private keys, since even if you force a user to
create a passphrase, they can always remove it later with ssh-keygen -p.
There is also no way for a server to detect whether a key has a passphrase
-- nevermind a strong one. This is a limitation of ssh.
* ssh-keygen(1) (provided by the openssh-client package in Debian) must be
present on the keymaster, or ssh\::authkey::master will fail. No other ssh
binaries or packages are required on any hosts (ssh\::authkey just
manipulates key files).
* find(1) on the puppetmaster must support the ``-mtime`` and ``-newermt``
options, if you want to use the maxdaysold and mincreationdate parameters,
respectively. GNU find supports these options.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to
puppet-users-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
puppet-users+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.