Puppet users - Jan 2010 - Managing authorized_keys

Hi,

I am trying to manage the file authorized_keys with puppet. I am using
http://reductivelabs.com/trac/puppet/wiki/Recipes/Authorized_keys as
reference.

I was not able to delete an unwanted key from the file. Unfortuantely
there are "/" within the key:

ssh-rsa AAAAB3NzaC1yc2EAA/5GytXDjAR3XoxTR6uM= testkey@test

This is a problem for the perl-command:

debug: Executing ''/usr/bin/perl -ni -e ''print unless
/^\Qssh-rsa
AAAAB3NzaC1yc2EAA/5GytXDjAR3XoxTR6uM= testkey@test
\E$/'' ''/root/.ssh/authorized_keys''''
err:
//nine_authorized_keys/Nine_authorized_keys::Nine_authorized_keys::Revoke[test]/Line[remove-key-test]/Exec[remove
from file remove-key-test]/returns: change from notrun to 0 failed:
/usr/bin/perl -ni -e ''print unless /^\Qssh-rsa
AAAAB3NzaC1yc2EAA/5GytXDjAR3XoxTR6uM= testkey@test
\E$/'' ''/root/.ssh/authorized_keys'' returned 255
instead of one of [0]
at /etc/puppet/development/definitions/line.pp:25

The perl-oneliner gives the following error due to the "/" in the key.

Number found where operator expected at -e line 1, near "/^\Qssh-rsa
AAAAB3NzaC1yc2EAA/5"
        (Missing operator before 5?)

In order to use /bin/sed, I have to escape the "/", wich is not a
problem. I have found a function for that in the SimpleTextRecipes.
Unfortunately, there is an "\n" at the end of the line, so that the
sed
throws an error, too:

debug: Executing ''/bin/sed -i ''/ssh-rsa AAAAB3NzaC1yc2EAA
\/5GytXDjAR3XoxTR6uMtestkey@test
/d''
''/root/.ssh/authorized_keys''''
err:
//nine_authorized_keys/Nine_authorized_keys::Nine_authorized_keys::Revoke[test]/Line[remove-key-test]/Exec[remove
from file remove-key-test]/returns: change from notrun to 0 failed: /bin/sed -i
''/ssh-rsa AAAAB3NzaC1yc2EAA\/5GytXDjAR3XoxTR6uM= testkey@test
/d'' ''/root/.ssh/authorized_keys'' returned 1 instead
of one of [0]
at /etc/puppet/development/definitions/line.pp:25   

If I run the sed without the "\n" between "testkey@test" and
"/d''" the
sed itself works.

Can anyone give me a hint how to either make perl ignore the "/"
within
the key or to get rid of the "/n" when using sed? Perl did not remove
the line if I use the escaped "/".

Greetz,
Andre

-- 
Andre Timmermann <andre@nine.ch>

-- 
Mit freundlichen Gruessen

Andre Timmermann
Nine Internet Solutions AG, Albisriederstr. 243c, CH-8047 Zuerich
Tel +41 44 637 40 00 | Direkt +41 44 637 40 06 | Fax +41 44 637 40 01


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

May I suggest using this recipe 
http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth ?
It''s more recent and uses the ssh_authorized_key resource in puppet.



Silviu

Andre Timmermann wrote:
> Hi,
>
> I am trying to manage the file authorized_keys with puppet. I am using
> http://reductivelabs.com/trac/puppet/wiki/Recipes/Authorized_keys as
> reference.
>
> I was not able to delete an unwanted key from the file. Unfortuantely
> there are "/" within the key:
>
> ssh-rsa AAAAB3NzaC1yc2EAA/5GytXDjAR3XoxTR6uM= testkey@test
>
> This is a problem for the perl-command:
>
> debug: Executing ''/usr/bin/perl -ni -e ''print unless
/^\Qssh-rsa
> AAAAB3NzaC1yc2EAA/5GytXDjAR3XoxTR6uM= testkey@test
> \E$/'' ''/root/.ssh/authorized_keys''''
> err:
//nine_authorized_keys/Nine_authorized_keys::Nine_authorized_keys::Revoke[test]/Line[remove-key-test]/Exec[remove
from file remove-key-test]/returns: change from notrun to 0 failed:
/usr/bin/perl -ni -e ''print unless /^\Qssh-rsa
AAAAB3NzaC1yc2EAA/5GytXDjAR3XoxTR6uM= testkey@test
> \E$/'' ''/root/.ssh/authorized_keys'' returned 255
instead of one of [0]
> at /etc/puppet/development/definitions/line.pp:25
>
> The perl-oneliner gives the following error due to the "/" in the
key.
>
> Number found where operator expected at -e line 1, near "/^\Qssh-rsa
> AAAAB3NzaC1yc2EAA/5"
>         (Missing operator before 5?)
>
> In order to use /bin/sed, I have to escape the "/", wich is not a
> problem. I have found a function for that in the SimpleTextRecipes.
> Unfortunately, there is an "\n" at the end of the line, so that
the sed
> throws an error, too:
>
> debug: Executing ''/bin/sed -i ''/ssh-rsa AAAAB3NzaC1yc2EAA
> \/5GytXDjAR3XoxTR6uM> testkey@test
> /d''
> ''/root/.ssh/authorized_keys''''
> err:
//nine_authorized_keys/Nine_authorized_keys::Nine_authorized_keys::Revoke[test]/Line[remove-key-test]/Exec[remove
from file remove-key-test]/returns: change from notrun to 0 failed: /bin/sed -i
''/ssh-rsa AAAAB3NzaC1yc2EAA\/5GytXDjAR3XoxTR6uM= testkey@test
> /d'' ''/root/.ssh/authorized_keys'' returned 1
instead of one of [0]
> at /etc/puppet/development/definitions/line.pp:25   
>
> If I run the sed without the "\n" between
"testkey@test" and "/d''" the
> sed itself works.
>
> Can anyone give me a hint how to either make perl ignore the "/"
within
> the key or to get rid of the "/n" when using sed? Perl did not
remove
> the line if I use the escaped "/".
>
> Greetz,
> Andre
>
>   

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

> Hi,
> 
> I am trying to manage the file authorized_keys with puppet. I am using
> http://reductivelabs.com/trac/puppet/wiki/Recipes/Authorized_keys as
> reference.
> 
> I was not able to delete an unwanted key from the file. Unfortuantely
> there are "/" within the key:
> 
> ssh-rsa AAAAB3NzaC1yc2EAA/5GytXDjAR3XoxTR6uM= testkey@test
> 
> This is a problem for the perl-command:
> 
> debug: Executing ''/usr/bin/perl -ni -e ''print unless
/^\Qssh-rsa
> AAAAB3NzaC1yc2EAA/5GytXDjAR3XoxTR6uM= testkey@test
> \E$/'' ''/root/.ssh/authorized_keys''''
Change /.../ to m{...} .


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to
puppet-users-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
puppet-users+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Am Mittwoch, den 13.01.2010, 22:56 +0200 schrieb Silviu
Paragina:
> May I suggest using this recipe 
> http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth ?
> It''s more recent and uses the ssh_authorized_key resource in
puppet.
Thank you for the hint. This is going far beyound what we trying to
achieve. We just want to Manage /root/.ssh/authorized_keys as we don''t
change the keys for the users. So we need root-keysf for backup,
management-tasks and so on.

I will check the routine which is used to install and revoke keys,
perhaps I can reuse it.

Greetz,
Andre


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Am Mittwoch, den 13.01.2010, 16:01 -0500 schrieb Andrew Schulman:
> > 
> > debug: Executing ''/usr/bin/perl -ni -e ''print unless
/^\Qssh-rsa
> > AAAAB3NzaC1yc2EAA/5GytXDjAR3XoxTR6uM= testkey@test
> > \E$/''
''/root/.ssh/authorized_keys''''
> 
> Change /.../ to m{...} .
This has no effect - it does not delete the key.

I have discovered, that "testkey@test" is the problem, the
"@" is
interpreted as an perl-array. Unfortunately escaping it with "\" does
not help...

Greetz,
Andre


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Andre Timmermann wrote:
> Am Mittwoch, den 13.01.2010, 22:56 +0200 schrieb Silviu Paragina:
>   
>> May I suggest using this recipe 
>> http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth ?
>> It''s more recent and usesI will check the routine which is
used to install and revoke keys, the ssh_authorized_key resource in puppet.
>>     
>
> Thank you for the hint. This is going far beyound what we trying to
> achieve. We just want to Manage /root/.ssh/authorized_keys as we
don''t
> change the keys for the users. So we need root-keysf for backup,
> management-tasks and so on.
>   
If that is all take a look at:
http://reductivelabs.com/static_files/TypeReference.html#ssh-authorized-key
it does just what you need. :)


Silviu
> I will check the routine which is used to install and revoke keys,
> perhaps I can reuse it.
>
> Greetz,
> Andre
>
>   

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi Silviu,

Am Donnerstag, den 14.01.2010, 12:59 +0200 schrieb Silviu Paragina:
> If that is all take a look at:
> http://reductivelabs.com/static_files/TypeReference.html#ssh-authorized-key
> it does just what you need. :)
Ok, thanks, that looks great. One single problem left ;)

How do I read those keys from a file?

$read_key_file
file("/etc/puppet/${environment}/templates/authorized_keys/${key_file}",
"/dev/null")

appends an newline at the key so that the comment will be on a new
line. 

It would be cool if I coult "type" and "name" diriectly from
the
keyfile. (Sorry these are my first steps with puppet and ruby)

Greetz,
Andre



-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On 14/01/10 10:34, Andre Timmermann wrote:
> Am Mittwoch, den 13.01.2010, 16:01 -0500 schrieb Andrew Schulman:
> 
>>>
>>> debug: Executing ''/usr/bin/perl -ni -e ''print
unless /^\Qssh-rsa
>>> AAAAB3NzaC1yc2EAA/5GytXDjAR3XoxTR6uM= testkey@test
>>> \E$/''
''/root/.ssh/authorized_keys''''
>>
>> Change /.../ to m{...} .
> 
> This has no effect - it does not delete the key.
> 
> I have discovered, that "testkey@test" is the problem, the
"@" is
> interpreted as an perl-array. Unfortunately escaping it with "\"
does
> not help...
Hmm, that should work.

I created a file named "test" containing:

ssh-rsa AAAAB3NzaC1yc2EAA/5GytXDjAR3XoxTR6uM= testkey@test
asdasdasd
asdasdasd

I then ran this (all on one line):

perl -ni -e ''print unless m{^\Qssh-rsa
AAAAB3NzaC1yc2EAA/5GytXDjAR3XoxTR6uM= testkey@test\E}'' test

This strips the ssh-rsa line from the file, as expected.

R.


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi Robin,

Am Donnerstag, den 14.01.2010, 17:40 +0000 schrieb Robin Bowes:
> Hmm, that should work.
> 
> I created a file named "test" containing:
> 
> ssh-rsa AAAAB3NzaC1yc2EAA/5GytXDjAR3XoxTR6uM= testkey@test
> asdasdasd
> asdasdasd
> 
> I then ran this (all on one line):
> 
> perl -ni -e ''print unless m{^\Qssh-rsa
> AAAAB3NzaC1yc2EAA/5GytXDjAR3XoxTR6uM= testkey@test\E}'' test
> 
> This strips the ssh-rsa line from the file, as expected.
Yes, taht works. But unfortunately this is not on a single line. The
parser puts an newline right after the testkey@test and this will make
this statement fail.

Greetz,
Andre



-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Andre Timmermann wrote:
> Hi Silviu,
>
> Am Donnerstag, den 14.01.2010, 12:59 +0200 schrieb Silviu Paragina:
>
>   
>> If that is all take a look at:
>>
http://reductivelabs.com/static_files/TypeReference.html#ssh-authorized-key
>> it does just what you need. :)
>>     
>
> Ok, thanks, that looks great. One single problem left ;)
>
> How do I read those keys from a file?
>
> $read_key_file >
file("/etc/puppet/${environment}/templates/authorized_keys/${key_file}",
> "/dev/null")
>
>   
You should use modules, they get the stuff more organized, not a 
spinning vortex of files, templates, manifests and plugins. :-) 
http://reductivelabs.com/trac/puppet/wiki/ModuleOrganisation - this 
documentation is a tad old, but the only thing different now is that you 
should use lib instead of plugins (if you will need those) in the 
directory structure.

If you use templates use the template function not the file function. 
But I don''t know why you would have a template instead of a file in
this
case

You can use the template function like here 
http://reductivelabs.com/trac/puppet/wiki/LanguageTutorial#functions . 
Pretty much like you used it. The advantage is that you don''t have to 
fully qualify the files, opposed to the file function.

Example (let''s your module is called sshkeys, and you have in 
/etc/puppet/modules/sshkeys/templates/$key_filename the right file)
ssh_authorized_key
{
.....
key => template(''sshkeys/$key_filename'')
}

Silviu
> appends an newline at the key so that the comment will be on a new
> line. 
>   
You probably have a newline after the key in the file, remove the 
newline. This will happen with templates also.
As an alternative you may use the resubst function, but that will make 
the manifest more hard to read and uses more cpu cycles.
> It would be cool if I coult "type" and "name" diriectly
from the
> keyfile. (Sorry these are my first steps with puppet and ruby)
>
>
>   
You could with resubst, but I think it will get things more complicated, 
rather than easy.


Silviu


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi Silviu

Am Freitag, den 15.01.2010, 03:31 +0200 schrieb Silviu Paragina:
 
> You should use modules, they get the stuff more organized, not a 
> spinning vortex of files, templates, manifests and plugins. :-) 
hehe ;)
> http://reductivelabs.com/trac/puppet/wiki/ModuleOrganisation - this 
> documentation is a tad old, but the only thing different now is that you 
> should use lib instead of plugins (if you will need those) in the 
> directory structure.
> 
> If you use templates use the template function not the file function. 
> But I don''t know why you would have a template instead of a file
in this
> case
Yes, the file() was just one try. I am using the templates function. And
I wrote my own function which chomps the newline.

All in all it not very easy to build modules which reflect an existing
infrastructure. For example if you have apache installed, then you may
wand a monit-configuration too. But puppet is not designed to detect if
apache is installed, it will install apache itslef and then
automatically monit.

So I have to start with some basic things which are common on all
machines (>500).

Thank you for your help, i am sure, i will ask more advanced questions
in future ;)

-- 
Mit freundlichen Gruessen

Andre Timmermann
Nine Internet Solutions AG, Albisriederstr. 243c, CH-8047 Zuerich
Tel +41 44 637 40 00 | Direkt +41 44 637 40 06 | Fax +41 44 637 40 01


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Andre Timmermann wrote:
> Hi Silviu
>
> Am Freitag, den 15.01.2010, 03:31 +0200 schrieb Silviu Paragina:
>  
>   
>> You should use modules, they get the stuff more organized, not a 
>> spinning vortex of files, templates, manifests and plugins. :-) 
>>     
>
> hehe ;)
>
>   
>> http://reductivelabs.com/trac/puppet/wiki/ModuleOrganisation - this 
>> documentation is a tad old, but the only thing different now is that
you
>> should use lib instead of plugins (if you will need those) in the 
>> directory structure.
>>
>> If you use templates use the template function not the file function. 
>> But I don''t know why you would have a template instead of a
file in this
>> case
>>     
>
> Yes, the file() was just one try. I am using the templates function. And
> I wrote my own function which chomps the newline.
>
> All in all it not very easy to build modules which reflect an existing
> infrastructure. For example if you have apache installed, then you may
> wand a monit-configuration too. But puppet is not designed to detect if
> apache is installed, it will install apache itslef and then
> automatically monit.
>
> So I have to start with some basic things which are common on all
> machines (>500).
>
> Thank you for your help, i am sure, i will ask more advanced questions
> in future ;)
>
>   
I''m not sure if you meant it like this but, you should separate the 
modules by program installed. Ie in the above case you should have a 
module with apache and another module with monit.

Complex interactions between programs I add in a new module dir called 
services. I pretty much do what is exaplained here 
http://reductivelabs.com/trac/puppet/wiki/PuppetBestPractice as I  found 
it to my liking.

Anyhow start however you want, as you will probably decide what to do 
with experience.


Silviu

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Oh and read the New user manifest tips. It''s a thread on the list 
currently (aka work in progress) but it should give you a heads-up for 
common rookie mistakes.

Silviu


Andre Timmermann wrote:
> Hi Silviu
>
> Am Freitag, den 15.01.2010, 03:31 +0200 schrieb Silviu Paragina:
>  
>   
>> You should use modules, they get the stuff more organized, not a 
>> spinning vortex of files, templates, manifests and plugins. :-) 
>>     
>
> hehe ;)
>
>   
>> http://reductivelabs.com/trac/puppet/wiki/ModuleOrganisation - this 
>> documentation is a tad old, but the only thing different now is that
you
>> should use lib instead of plugins (if you will need those) in the 
>> directory structure.
>>
>> If you use templates use the template function not the file function. 
>> But I don''t know why you would have a template instead of a
file in this
>> case
>>     
>
> Yes, the file() was just one try. I am using the templates function. And
> I wrote my own function which chomps the newline.
>
> All in all it not very easy to build modules which reflect an existing
> infrastructure. For example if you have apache installed, then you may
> wand a monit-configuration too. But puppet is not designed to detect if
> apache is installed, it will install apache itslef and then
> automatically monit.
>
> So I have to start with some basic things which are common on all
> machines (>500).
>
> Thank you for your help, i am sure, i will ask more advanced questions
> in future ;)
>
>   

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.