Alan Sparks
2010-Feb-26 19:58 UTC
[Puppet Users] ssh_authorized_key - same key, different accounts?
Puppet 0.24.8... I am trying to use ssh_authorized_key to create passwordless logins for a couple of accounts. The important thing to note is I'm trying to get the source ("root@somehost" below) as part of the key, and the same key needs to be added to two different accounts on the system.

It appears that the resource name is the only place I can set the originating source (whatever the correct term is) for the key.

    ssh_authorized_key { "root@somehost":
      ensure => present,
      type => ssh-rsa,
      target => '/home/xx/.ssh/authorized_keys',
      key => 'xxxx removed for brevity xxx',
      user => "xx",
      require => User["xx"]
    }

So the above will create an authorized_keys value like:

    ssh-rsa xxxx removed for brevity xxx root@somehost

But if I need the same key installed for a different user, I'm stuck -- I can't use the same resource name to create the "root@somehost" restriction. And I can't see another way to specify that value.

Is there any way to accomplish this, without abandoning ssh_authorized_key? Thanks in advance.
-Alan

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Paul Lathrop
2010-Feb-26 20:02 UTC
Re: [Puppet Users] ssh_authorized_key - same key, different accounts?
On Fri, Feb 26, 2010 at 11:58 AM, Alan Sparks <asparks@doublesparks.net> wrote:
> Puppet 0.24.8... I am trying to use ssh_authorized_key to create
> passwordless logins for a couple of accounts. The important thing to
> note is I'm trying to get the source ("root@somehost" below) as part of
> the key, and the same key needs to be added to two different accounts on
> the system.
>
> It appears that the resource name is the only place I can set the
> originating source (whatever the correct term is) for the key.
>
> ssh_authorized_key { "root@somehost":
>   ensure => present,
>   type => ssh-rsa,
>   target => '/home/xx/.ssh/authorized_keys',
>   key => 'xxxx removed for brevity xxx',
>   user => "xx",
>   require => User["xx"]
> }
>
> So the above will create an authorized_keys value like:
> ssh-rsa xxxx removed for brevity xxx root@somehost
>
> But if I need the same key installed for a different user, I'm stuck --
> I can't use the same resource name to create the "root@somehost"
> restriction. And I can't see another way to specify that value.
>
> Is there any way to accomplish this, without abandoning
> ssh_authorized_key? Thanks in advance.
> -Alan

Abandon ssh_authorized_key - it is terrible.

My $.02

Regards,
Paul
Marc Fournier
2010-Mar-01 17:13 UTC
Re: [Puppet Users] ssh_authorized_key - same key, different accounts?
On Fri, 26 Feb 2010 12:58:51 -0700 Alan Sparks <asparks@doublesparks.net> wrote:
> Puppet 0.24.8... I am trying to use ssh_authorized_key to create
> passwordless logins for a couple of accounts. The important thing to
> note is I'm trying to get the source ("root@somehost" below) as part
> of the key, and the same key needs to be added to two different
> accounts on the system.

AFAIK, the last part of an ssh key is a free comment, and it is used by puppet to uniquely identify ssh_authorized_key resources.

What I usually do is call my resources something like:

    ssh_authorized_key { "marc's key on root's account": ... }
    ssh_authorized_key { "marc's key on marc's account": ... }

> It appears that the resource name is the only place I can set the
> originating source (whatever the correct term is) for the key.
>
> ssh_authorized_key { "root@somehost":
>   ensure => present,
>   type => ssh-rsa,
>   target => '/home/xx/.ssh/authorized_keys',
>   key => 'xxxx removed for brevity xxx',
>   user => "xx",
>   require => User["xx"]
> }

The user and target parameters are mutually exclusive. You shouldn't need to use both. I'm not sure which one takes over if both are defined.

An ssh key is expected to be one long string without spaces, so I can imagine in this case the ssh_authorized_key type is unable to decide where the key ends and where the comment starts, as the key has whitespaces.

Maybe we should file a bug about this: ssh_authorized_key should refuse keys which have whitespaces.

In any case, what about doing this instead:

    # xxxx removed for brevity xxx
    ssh_authorized_key { "root@somehost":
      ensure => absent,
      ...
    }

> So the above will create an authorized_keys value like:
> ssh-rsa xxxx removed for brevity xxx root@somehost
>
> But if I need the same key installed for a different user, I'm stuck
> -- I can't use the same resource name to create the "root@somehost"
> restriction. And I can't see another way to specify that value.
>
> Is there any way to accomplish this, without abandoning
> ssh_authorized_key? Thanks in advance.

Paul: why do you think ssh_authorized_key is terrible? Do you think the behaviour should be different?

Marc
Paul Lathrop
2010-Mar-02 23:43 UTC
Re: [Puppet Users] ssh_authorized_key - same key, different accounts?
On Mon, Mar 1, 2010 at 9:13 AM, Marc Fournier <marc.fournier@camptocamp.com> wrote:
> Paul: why do you think ssh_authorized_key is terrible ? Do you think
> the behaviour should be different ?

1) Lots of intermittent bugs that are hard to reproduce, harder to track down, and yet at scale show up often enough to cause problems.
2) Poorly designed.

I've moved on to just using generate() to manage the content of my .ssh/authorized_keys files. Simple, always works.

--Paul
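
Added example, not part of the thread and not Puppet's own code: a Ruby sketch of the check Marc proposes (refuse a key field containing whitespace), combined with rendering one key and one comment for several accounts. The function names, the `/home/<user>` layout, the accepted type list and the sample key blob are assumptions constructed for illustration.

```ruby
require 'base64'

# Key types accepted by this sketch (assumption; extend as needed).
KEY_TYPES = %w[ssh-rsa ssh-dss].freeze

# Constructed sample blob, not a usable key: a length-prefixed algorithm
# name followed by filler bytes, base64-encoded like a real public key.
SAMPLE_KEY = Base64.strict_encode64([7].pack('N') + 'ssh-rsa' + "\x00" * 16)

# Validate the three fields and return one authorized_keys line.
def authorized_keys_line(type, key, comment)
  raise ArgumentError, "unsupported type #{type.inspect}" unless KEY_TYPES.include?(type)
  # Fields are whitespace-separated, so whitespace inside the key would
  # split it, with the tail read as the comment.
  raise ArgumentError, 'key contains whitespace' if key =~ /\s/
  blob = Base64.strict_decode64(key) # raises ArgumentError if not base64
  # The decoded blob starts with a 4-byte length and the algorithm name,
  # which must agree with the declared type.
  len = blob.unpack1('N')
  raise ArgumentError, 'key blob does not match type' unless len && blob[4, len] == type
  # The comment is free text but must stay on one line, otherwise it could
  # smuggle a second entry into the file.
  raise ArgumentError, 'comment contains a line break' if comment =~ /[\r\n]/
  "#{type} #{key} #{comment}"
end

# Map each account's authorized_keys path to the same validated line, so the
# comment (e.g. "root@somehost") is identical for every account.
def lines_for_accounts(users, type, key, comment)
  line = authorized_keys_line(type, key, comment)
  users.each_with_object({}) do |user, out|
    out["/home/#{user}/.ssh/authorized_keys"] = line
  end
end

if __FILE__ == $PROGRAM_NAME
  lines_for_accounts(%w[xx yy], 'ssh-rsa', SAMPLE_KEY, 'root@somehost')
    .each { |path, line| puts "#{path}: #{line}" }
end
```

The placeholder string from the original post (`xxxx removed for brevity xxx`) is rejected by the whitespace check, which is the failure mode Marc describes.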