Puppet users - Mar 2010 - Managing known_hosts

Having an issue with appending ssh keys to the known_hosts file on systems.

I have multiple modules that need to use ssh into remote servers
without being prompted for a password, and therefore multiple places
that I need to manage/add to a known_hosts file for. If I simply put a
copy of known_hosts in the files/ directory of the module, and push it
out, any other modules that did the same are going to find the file
replaced. How can I manage this better?

If I use append_if_no_such_line, then I have to paste the key into the
manifest, which is ugly. It would be nice if append_if_no_such_line
could somehow take a source or template parameter.

Doug

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi
> I have multiple modules that need to use ssh into remote servers
> without being prompted for a password, and therefore multiple places
> that I need to manage/add to a known_hosts file for. If I simply put a
> copy of known_hosts in the files/ directory of the module, and push it
> out, any other modules that did the same are going to find the file
> replaced. How can I manage this better?
how about the sshkey type?  
http://docs.reductivelabs.com/references/stable/type.html#sshkey

cheers pete

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Oh, yes, right... duh... thanks.

Definitely better than append_if_no_such_line() which dumps the key to the log.

On Fri, Mar 12, 2010 at 9:54 AM, Peter Meier <peter.meier@immerda.ch>
wrote:
> Hi
>
>> I have multiple modules that need to use ssh into remote servers
>> without being prompted for a password, and therefore multiple places
>> that I need to manage/add to a known_hosts file for. If I simply put a
>> copy of known_hosts in the files/ directory of the module, and push it
>> out, any other modules that did the same are going to find the file
>> replaced. How can I manage this better?
>
> how about the sshkey type?
> http://docs.reductivelabs.com/references/stable/type.html#sshkey
>
> cheers pete
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>


-- 
Regards,

Douglas Garstang
http://www.linkedin.com/in/garstang
Email: doug.garstang@gmail.com
Cell: +1-805-340-5627

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Fri, Mar 12, 2010 at 10:47 AM, Douglas Garstang
<doug.garstang@gmail.com> wrote:
> Oh, yes, right... duh... thanks.
>
> Definitely better than append_if_no_such_line() which dumps the key to the
log.
>
> On Fri, Mar 12, 2010 at 9:54 AM, Peter Meier <peter.meier@immerda.ch>
wrote:
>> Hi
>>
>>> I have multiple modules that need to use ssh into remote servers
>>> without being prompted for a password, and therefore multiple
places
>>> that I need to manage/add to a known_hosts file for. If I simply
put a
>>> copy of known_hosts in the files/ directory of the module, and push
it
>>> out, any other modules that did the same are going to find the file
>>> replaced. How can I manage this better?
>>
>> how about the sshkey type?
>> http://docs.reductivelabs.com/references/stable/type.html#sshkey
WHat about known_hosts???

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Douglas Garstang wrote:
>>> http://docs.reductivelabs.com/references/stable/type.html#sshkey
>
> WHat about known_hosts???
For /etc/ssh/ssh_known_hosts, using exported resources is quite handy:

http://reductivelabs.com/trac/puppet/wiki/ExportedResources

Something like:

  # Collect ssh keys and add them to /etc/ssh/ssh_known_hosts
  case $sshrsakey {
    '''': { alert("No sshrsakey found for $fqdn") }
    default: {
      @@sshkey { $fqdn:
        alias => [$hostname, $ipaddress],
        key   => $sshrsakey,
        type  => rsa,
      }
    }
  }
  Sshkey <<||>>

Note that until http://projects.reductivelabs.com/issues/2014 is
fixed, you might also want to use a file resource to make the known
hosts file readable by non-root users:

  file { "/etc/ssh/ssh_known_hosts":
    mode    => 644,
  }

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
An optimist believes we live in the best of all possible worlds.
A pessimist is sure of it!

Am Saturday 13 March 2010 schrieb mir Todd Zullinger:
>   # Collect ssh keys and add them to /etc/ssh/ssh_known_hosts
>   case $sshrsakey {
>     '''': { alert("No sshrsakey found for $fqdn")
}
>     default: {
>       @@sshkey { $fqdn:
        ^^
>         alias => [$hostname, $ipaddress],
>         key   => $sshrsakey,
>         type  => rsa,
>       }
>     }
>   }
>   Sshkey <<||>>
           ^^^^^^^

Can you explain me this syntax?

Regards
Oli

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi
>>   # Collect ssh keys and add them to /etc/ssh/ssh_known_hosts
>>   case $sshrsakey {
>>     '''': { alert("No sshrsakey found for
$fqdn") }
>>     default: {
>>       @@sshkey { $fqdn:
>         ^^
exporting resources

>>         alias => [$hostname, $ipaddress],
>>         key   => $sshrsakey,
>>         type  => rsa,
>>       }
>>     }
>>   }
>>   Sshkey <<||>>
>            ^^^^^^^
collecting exported resources.

You find more about that here:
http://projects.reductivelabs.com/projects/puppet/wiki/Exported_Resources


It es very powerful if you want to distribute "configurations" related
to one host to another host.

cheers pete


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkuc2tEACgkQbwltcAfKi38htQCeMZt6xHgmFInl996wmGHf4RaU
b98AnjLcAdNFguzK+Wq1/Fp9ttBqLfjz
=rRjz
-----END PGP SIGNATURE-----

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Am Sunday 14 March 2010 schrieb mir Peter Meier:
> collecting exported resources.
> 
> You find more about that here:
> http://projects.reductivelabs.com/projects/puppet/wiki/Exported_Resourc
> es
> 
> 
> It es very powerful if you want to distribute "configurations"
related
> to one host to another host.
Cool stuff, thanks for your explanations.

Regards
Oli