Jan
2011-Feb-16 10:19 UTC
[Puppet Users] Assign a single ssh pubkey to multiple users on the same system
Hi *,

I would like to create a pool of ssh pubkeys. The major goal is to be able to assign a single key to multiple users on a given node/system.

Okay, let's say we have the users: foo and bar. In my manifest I've created the following test definition for resource "jim":

---------------------------------------------------------------------
define sshpubkey::test($user) {
  ssh_authorized_key { 'jim':
    ensure => present,
    user   => "$user",
    name   => "jim@unique.email",
    type   => ssh-rsa,
    key    => "[...KEY...]"
  }
}
---------------------------------------------------------------------

I was able to pass the "$user" variable to the copy of that resource by placing a "sshpubkey::test" definition within the node configuration. The user's authorized_keys file is updated accordingly.

Now I've just tried to install the pubkey of resource "jim" in the authorized_keys file of user "bar" on node1, placing a second definition:

---------------------------------------------------------------------
node node1 {
  sshpubkey::test { "jim": user => "foo" }
  sshpubkey::test { "jim": user => "bar" }
}
---------------------------------------------------------------------

.. but then, of course, puppet throws a "Duplicate definition" error because I've tried to reuse resource "jim" another time:

---------------------------------------------------------------------
node:~ # puppetd -o --server puppet.domain.tld --waitforcert 60 --test
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate definition: Sshpubkey::Test[jim] is already defined in file /etc/puppet/manifests/node.pp at line 3; cannot redefine at /etc/puppet/manifests/node.pp:4 on node puppet.domain.tld
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
---------------------------------------------------------------------

Can somebody tell me how to handle it "the puppet way"? Any sort of advice, hints and comments are much appreciated! :)

Many thanks
Jan

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jan
2011-Feb-17 08:55 UTC
Re: [Puppet Users] Install a single pubkey on multiple system accounts located on the same node (duplicate definition error)
Hi *,

On 02/16/2011 11:19 AM, Jan wrote:
> I would like to create a pool of ssh pubkeys. The major goal is to be
> able to assign a single key to multiple users on a given node/system.

so here are some details on what I'm trying to do:

--------------------------------------------------------
[ASCII diagram: node1 holds a PUB KEY that belongs to a real user; the USER POOL of local accounts foo and bar each receive it in their .ssh/authorized_keys]
--------------------------------------------------------

The user pool consists of key resources defined by the ssh_authorized_key type. The users foo and bar are local system accounts.

Pubkey definition:

--------------------------------------------------------
[...]
define sshpubkey::users($systemAccount) {
  ssh_authorized_key { 'jim':
    ensure => present,
    user   => "$systemAccount",
    name   => "unique@string.domain",
    type   => ssh-rsa,
    key    => "[...]";
  }
}
[...]
--------------------------------------------------------

Assigning the key to different users:

--------------------------------------------------------
[...]
sshpubkey::users { "jim": systemAccount => "bar" }
sshpubkey::users { "jim": systemAccount => "foo" }
[...]
--------------------------------------------------------

At this point arrays are not working, so I think that's because the ssh_authorized_key function doesn't know how to handle them.

As another option I had a look at the ssh::auth class, but in fact this solution is based on key distribution with automatic key generation, which I don't need:
http://projects.puppetlabs.com/projects/puppet/wiki/Module_Ssh_Auth_Patterns

I also had a look at virtual resources, but I think that this approach won't solve my problem either.

Guys, I'm stuck and could really use some help with this. I know that I'm missing something, so any smallest advice is greatly appreciated.

Btw. I'm using puppet 2.6.4.

Many thanks
Jan
Felix Frank
2011-Feb-17 09:01 UTC
Re: [Puppet Users] Assign a single ssh pubkey to multiple users on the same system
Hi,

try this instead:

On 02/16/2011 11:19 AM, Jan wrote:
> Hi *,
>
> I would like to create a pool of ssh pubkeys. The major goal is to be
> able to assign a single key to multiple users on a given node/system.
>
> Okay, let's say we have the users: foo and bar. In my manifest I've
> created the following test definition for resource "jim":
>
> ---------------------------------------------------------------------
> define sshpubkey::test($user) {
>
ssh_authorized_key { "$name-for-$user":
> ensure => present,
> user => "$user",
> name => "jim@unique.email",
> type => ssh-rsa,
> key => "[...KEY...]"
> }
> ---------------------------------------------------------------------

In either case, you cannot name both your sshpubkey::test resources "jim". Never ever. They must have unique names.

The whole approach isn't especially sound. Is your "user pool" realized using virtual resources?

You should have a define as follows:

define pooled_user($realname="anonymous") {
  user { "$name": description => $realname, ... }
  # insert code here to make sure ~/.ssh/ exists etc.
  ssh_authorized_key { "jim@uniqe.email_for_$name":
    key => YOUR_KEY_HERE,
    ...
  }
}

So you can have your user pool consist of virtual "pooled_user" resources and realize at will.

HTH,
Felix
Jan
2011-Feb-17 10:38 UTC
Re: [Puppet Users] Assign a single ssh pubkey to multiple users on the same system
Hi Felix,

thanks for your response.

On 02/17/2011 10:01 AM, Felix Frank wrote:
[...]
> The whole approach isn't especially sound. Is your "user pool" realized
> using virtual resources?

No, I created this pool by using some simple resource definitions based on the ssh_authorized_key function.

> You should have a define as follows:
>
> define pooled_user($realname="anonymous") {
> user { "$name": description => $realname, ... }
> # insert code here to make sure ~/.ssh/ exists etc.
> ssh_authorized_key { "jim@uniqe.email_for_$name":
> key => YOUR_KEY_HERE,
> ...
> }
> }

I think I didn't get it yet, but just to stay with your example I'm using the following definition:

------------------------------------------------------
[...]
define pooled_user($realname="anonymous") {
  user { "$name": description => $realname, ... }
  # insert code here to make sure ~/.ssh/ exists etc.
  ssh_authorized_key { "jim@uniqe.email_for_$name":
    key => "KEY-PLACEHOLDER"
  }
}
[...]
------------------------------------------------------

When using the realize statement I don't know which naming attribute to use? The "key =>" contains a template or even the PEM encoded key of user "jim", but except for its resource name "jim@uniqe.email_for_$name" there is no naming attribute for this resource.

So of course puppet throws an error when using the following definition because virtual resource "jim" cannot be found.

------------------------------------------------------
[...]
realize(pooled_user[jim])
[...]
------------------------------------------------------

I have read about virtual resources within the documentation under http://docs.puppetlabs.com/guides/virtual_resources.html but obviously I don't know how to handle them. I've just started learning how to use puppet a few days ago, so it would be great if you could give me some additional hints on how to make it through all this.

[...]
Jan
Felix Frank
2011-Feb-17 11:13 UTC
Re: [Puppet Users] Assign a single ssh pubkey to multiple users on the same system
> No, I created this pool by using some simple resource definitions based
> on the ssh_authorized_key function.

It would be easier if you posted more of your code.

>> You should have a define as follows:
>>
>> define pooled_user($realname="anonymous") {
>> user { "$name": description => $realname, ... }
>> # insert code here to make sure ~/.ssh/ exists etc.
>> ssh_authorized_key { "jim@uniqe.email_for_$name":
>> key => YOUR_KEY_HERE,
>> ...
>> }
>> }
>
> I think I didn't get it yet, but just to stay with your example I'm using
> the following definition:
>
> ------------------------------------------------------
> [...]
>
> define pooled_user($realname="anonymous") {
> user { "$name": description => $realname, ... }
> # insert code here to make sure ~/.ssh/ exists etc.
> ssh_authorized_key { "jim@uniqe.email_for_$name":
> key => "KEY-PLACEHOLDER"
> }
> }
>
> [...]
> ------------------------------------------------------
>
> When using the realize statement I don't know which naming attribute to
> use? The "key =>" contains a template or even the PEM encoded key of
> user "jim", but except for its resource name "jim@uniqe.email_for_$name"
> there is no naming attribute for this resource.
>
> So of course puppet throws an error when using the following definition
> because virtual resource "jim" cannot be found.

Sorry if I caused confusion. I didn't mean to suggest you insert a key-placeholder in your define. From what I inferred, you were creating multiple accounts all sharing the same key. I now think I was mistaken there.

Anyhow, still building on the given example, it would make most sense for you to make the key a parameter:

define pooled_user($realname="anonymous",$key) {
  user { "$name": description => $realname, ... }
  # insert code here to make sure ~/.ssh/ exists etc.
  ssh_authorized_key { "pubkey_for_$name":
    key => $key,
    ...
  }
}

Then simply use it as

pooled_user {
  "jim":  key => "AAAAB3N...";
  "joe":  key => "AAAAB3N...";
  "jack": key => "AAAABsX...";
}

No need for virtualization or realize() if you haven't needed it before.

Notice that the keys can be identical. The structure will ensure the names are not.

Hope this makes things more clear.

Cheers,
Felix
Jan
2011-Feb-17 12:14 UTC
Re: [Puppet Users] Assign a single ssh pubkey to multiple users on the same system
On 02/17/2011 12:13 PM, Felix Frank wrote:
[...]
>> When using the realize statement I don't know which naming attribute to
>> use? The "key =>" contains a template or even the PEM encoded key of
>> user "jim", but except for its resource name "jim@uniqe.email_for_$name"
>> there is no naming attribute for this resource.
>>
>> So of course puppet throws an error when using the following definition
>> because virtual resource "jim" cannot be found.
>
> Sorry if I caused confusion. I didn't mean to suggest you insert a
> key-placeholder in your define. From what I inferred, you were creating
> multiple accounts all sharing the same key. I now think I was mistaken
> there.

I'm sorry for such confusion I've been causing right from the start. So I think that you've been right with your first thoughts, because what I'm trying to achieve is exactly what you've mentioned earlier:

-> A one-to-many model which makes it possible to copy a user's ssh pubkey (defined by an ssh_authorized_key resource) to multiple local system accounts on the same node in order to be able to log in. E.g. user "jim" shall be able to log in to node1 by using system users "foo" and "bar" and his respective private key.

I think that it shall be pretty simple to handle with puppet. I just want to define pubkey resources and put them into classes, something like this:

-----------------------------------------------------------------------
define ssh::pubkeys::group1($systemAccount) {
  ssh_authorized_key {
    'worker1':
      ensure => present,
      user   => "$systemAccount",
      name   => "unique@string.domain",
      type   => ssh-rsa,
      key    => "$key";
    'worker2':
      ensure => present,
      user   => "$systemAccount",
      name   => "worker1@uniquestring",
      type   => ssh-rsa,
      key    => "$key";
  }
}

define ssh::pubkeys::group2($systemAccount) {
  ssh_authorized_key {
    [...]
  }
}
-----------------------------------------------------------------------

Maybe I should start tagging such pubkey resources with their respective "worker-groups" instead of grouping them by classes/definitions, so this way I would only have to define them in one definition - is this possible? I'm not familiar with the tagging support of puppet and just read a few thread topics on the list. Maybe it could work like this (note the "tag =>" parameters):

-----------------------------------------------------------------------
define ssh::pubkeys($systemAccount) {
  ssh_authorized_key {
    'worker1':
      ensure => present,
      tag    => workergroup1,
      user   => "$systemAccount",
      name   => "unique@string.domain",
      type   => ssh-rsa,
      key    => "$key";
    'worker2':
      ensure => present,
      tag    => workergroup2,
      user   => "$systemAccount",
      name   => "worker1@uniquestring",
      type   => ssh-rsa,
      key    => "$key";
  }
}
-----------------------------------------------------------------------

Maybe it's possible to assign tagged objects to a class or definition later on?

Anyway, as the last step I would like to attach an ssh-pubkey resource to a node while being able to specify to which user a pubkey shall be attached:

-----------------------------------------------------------------------
node node1 {
  ssh::pubkeys { "jim": systemAccount => ["bar","foo"] }

  [...or...]

  ssh::pubkeys { "jim": systemAccount => ["bar"] }
  ssh::pubkeys { "jim": systemAccount => ["foo"] }
}
-----------------------------------------------------------------------

Hope that helps.

> Anyhow, still building on the given example, it would make most sense
> for you to make the key a parameter:
>
> define pooled_user($realname="anonymous",$key) {
> user { "$name": description => $realname, ... }
> # insert code here to make sure ~/.ssh/ exists etc.
> ssh_authorized_key { "pubkey_for_$name":
> key => $key, ...
> }
> }
>
> Then simply use it as
> pooled_user {
> "jim": key => "AAAAB3N...";
> "joe": key => "AAAAB3N...";
> "jack":key => "AAAABsX...";
> }

However, this piece of code isn't going to work, because my definition would look like the following...

----------------------------------------------------------------------
node node1 {
  pooled_user {
    "jim": key => "AAAAB3N...", systemuser => "foo";
    "jim": key => "AAAAB3N...", systemuser => "bar";
  }
}
----------------------------------------------------------------------

... making puppet throw "duplicate definition" errors again because the resource name has been declared twice.

Many thanks for your support! :)
Jan
2011-Feb-17 12:27 UTC
Re: [Puppet Users] Assign a single ssh pubkey to multiple users on the same system
On 02/17/2011 01:14 PM, Jan wrote:
[...]
> I'm sorry for such confusion I've been causing right from the start. So
> I think that you've been right with your first thoughts, because what I'm
> trying to achieve is exactly what you've mentioned earlier:
>
> -> A one-to-many model which makes it possible to copy a user's ssh
> pubkey (defined by an ssh_authorized_key resource) to multiple local system
> accounts on the same node in order to be able to log in. E.g. user "jim"
> shall be able to log in to node1 by using system users "foo" and "bar"
> and his respective private key.

Maybe this addresses a new feature for the ssh_authorized_key function? I think it would be best to add some kind of array support to that function, being able to assign a pubkey to more than just one user?

Jan
Felix Frank
2011-Feb-17 12:36 UTC
Re: [Puppet Users] Assign a single ssh pubkey to multiple users on the same system
>> Then simply use it as
>> pooled_user {
>> "jim": key => "AAAAB3N...";
>> "joe": key => "AAAAB3N...";
>> "jack":key => "AAAABsX...";
>> }
>
> However, this piece of code isn't going to work, because my definition
> would look like the following...
>
> ----------------------------------------------------------------------
> node node1 {
>
> pooled_user {
> "jim": key => "AAAAB3N...", systemuser => "foo";
> "jim": key => "AAAAB3N...", systemuser => "bar";
> }
>
> }
> ----------------------------------------------------------------------
>
> ... making puppet throw "duplicate definition" errors again because
> the resource name has been declared twice.
>
> Many thanks for your support! :)

And why would they both be named "jim"? I don't even see why you need the $systemuser parameter. Just make the resource name be the username on the system in question.

Cheers,
Felix
Jan Dennis Bungart
2011-Feb-20 23:21 UTC
Re: [Puppet Users] Assign a single ssh pubkey to multiple users on the same system
Hi Felix,

On 02/17/2011 01:36 PM, Felix Frank wrote:
[...]
> And why would they both be named "jim"? I don't even see why you need
> the $systemuser parameter. Just make the resource name be the username
> on the system in question.

thanks for your support and that you finally came up with the following approach:

------------------------------------------------------------------------
$keys = {
  "jim@mail.com" => "igbsiabsago...",
  "joe@mail.com" => "ragpiuebsjndv...",
  ...
}

define keygroup($users) {
  $my_users = regsubst($users, "\$", "-key-$name")
  ssh_authorized_key { $my_users:
    key  => $keys[$name],
    name => $name,
  }
}

keygroup {
  "jim@mail.com": users => [ "foo", "bar" ];
  "joe@mail.com": users => [ "foo", "bar", "baz" ];
}
------------------------------------------------------------------------

Solving the first problem made another one come up, so now I'm searching for a way to declare the key type in addition to the key. That's because not all users might be using keys of type RSA only. Maybe somebody has another idea on how to extend the above mentioned approach? :)

Many thanks
Jan
Felix Frank
2011-Feb-21 09:20 UTC
Re: [Puppet Users] Assign a single ssh pubkey to multiple users on the same system
On 02/21/2011 12:21 AM, Jan Dennis Bungart wrote:
> $keys = {
> "jim@mail.com" => "igbsiabsago...",
> "joe@mail.com" => "ragpiuebsjndv...",
> ...
> }
>
> define keygroup($users) {
> $my_users = regsubst($users, "\$", "-key-$name")
> ssh_authorized_key {
> $my_users:
> key => $keys[$name],
> name => $name,
> }
> }
>
> Solving the first problem made another one come up, so now I'm searching for a
> way to declare the key type in addition to the key. That's because not all
> users might be using keys of type RSA only. Maybe somebody has another idea
> on how to extend the above mentioned approach? :)

The most simple thing would be to add a second hash:

$keytype = {
  "jim@mail.com" => "rsa",
  "joe@mail.com" => "ssh-dsa",
  ...
}

and then add "type => $keytype[$name]" to the ssh_authorized_key.

Nested hashes would be more "proper" but apparently they are not without issues (see other threads).

HTH,
Felix
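A complete manifest that ties the thread together, added here as an example and not code posted in the thread or shipped with Puppet: one key is declared once, installed for several local accounts on the same node, and the key type is looked up next to the key in a second hash as Felix suggests. The define names keygroup and keygroup::entry, the hashes $keys and $keytype, the account names and the key strings are all constructed placeholders. Two details the thread's sketch leaves out are handled: ssh_authorized_key requires a user attribute, so the inner define recovers the account from its own title, and the type documentation requires the name attribute (the key comment) to be unique across all accounts on a host, so the comment is suffixed with the account name instead of being reused verbatim for every account.

```puppet
# Added example (not from the thread). Key material and names are placeholders.
# Lookup tables keyed by the key's identifier (the e-mail style comment).
$keys = {
  "jim@mail.com" => "AAAAB3N...placeholder-jim...",
  "joe@mail.com" => "AAAAB3N...placeholder-joe..."
}
$keytype = {
  "jim@mail.com" => "ssh-rsa",
  "joe@mail.com" => "ssh-dss"
}

# One (account, key) pair. The title is "<account>-key-<keyid>", so each pair
# has a unique resource title even though the key itself is shared.
define keygroup::entry($keyid) {
  # Recover the local account from the title: "foo-key-jim@mail.com" -> "foo"
  $account = regsubst($name, '-key-.*$', '')

  ssh_authorized_key { $name:
    ensure => present,
    user   => $account,
    # The comment must be unique per host, so suffix it with the account.
    name   => "${keyid}_for_${account}",
    type   => $keytype[$keyid],
    key    => $keys[$keyid],
  }
}

# Title: the key identifier. $users: the local accounts that receive the key.
define keygroup($users) {
  # Append "-key-<keyid>" to every account name; regsubst maps over arrays.
  $entries = regsubst($users, '$', "-key-${name}")

  keygroup::entry { $entries:
    keyid => $name,
  }
}

# jim's key goes to foo and bar; joe's key to foo, bar and baz.
# Resulting titles: foo-key-jim@mail.com, bar-key-jim@mail.com, ...
keygroup {
  "jim@mail.com": users => ["foo", "bar"];
  "joe@mail.com": users => ["foo", "bar", "baz"];
}
```

Every resource title and every key comment is distinct, so the catalog compiles without the "Duplicate definition" error from the first post, and the same key string may appear under any number of accounts. Adding a third key is one entry in each hash plus one keygroup declaration; nothing else changes.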