Hi all, I already use Puppet to collect and distribute SSH host public keys between machines I manage. I now want to collect private host keys from each node and store them on the puppetmaster, so when I rebuild a node it receives the same key. Is there an easy way of doing this? Thanks, Jonathan -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Hi Jonathan,

On Thu, Jan 26, 2012 at 5:40 AM, Jonathan Gazeley <jonathan.gazeley@bristol.ac.uk> wrote:
> Hi all,
>
> I already use Puppet to collect and distribute SSH host public keys between
> machines I manage. I now want to collect private host keys from each node
> and store them on the puppetmaster, so when I rebuild a node it receives the
> same key.

Sure.

> Is there an easy way of doing this?

I don't know about "easy", but here is what I am doing:

Set up a "private" fileserver for your nodes. This is where I put sensitive node data (like ssh host keys). Then configure your manifest to pull in the files from there. Here are some of the relevant files:

$ cat /etc/puppet/fileserver.conf
# This file consists of arbitrarily named sections/modules
# defining where files are served from and to whom

# Define a section 'files'
# Adapt the allow/deny settings to your needs. Order
# for allow/deny does not matter, allow always takes precedence
# over deny

[files]
  path /etc/puppet/files
  # allow *.example.com
  # deny *.evil.example.com
  # allow 192.168.0.0/24

[plugins]
  # allow *.example.com
  # deny *.evil.example.com
  # allow 192.168.0.0/24

[private]
  # %h expands to the requesting node's hostname, so each node only
  # sees its own subtree
  path /etc/puppet/private/%h
  allow *

$ cat /etc/puppet/modules/ssh/manifests/init.pp
class ssh::install {
  package { "ssh":
    ensure => present,
  }
}

class ssh::service {
  service { "ssh":
    ensure     => running,
    enable     => true,
    hasrestart => true,
    require    => Class["ssh::install"],
  }
}

class ssh::config($sshd_config_source = "puppet:///modules/ssh/etc/ssh/sshd_config") {
  file { "/etc/ssh/sshd_config":
    owner   => "root",
    group   => "root",
    mode    => 0644,
    source  => $sshd_config_source,
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }

  file { "/etc/ssh/ssh_host_dsa_key":
    owner   => "root",
    group   => "root",
    mode    => 0600,
    source  => "puppet:///private/etc/ssh/ssh_host_dsa_key",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }

  file { "/etc/ssh/ssh_host_dsa_key.pub":
    owner   => "root",
    group   => "root",
    mode    => 0644,
    source  => "puppet:///private/etc/ssh/ssh_host_dsa_key.pub",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }

  file { "/etc/ssh/ssh_host_rsa_key":
    owner   => "root",
    group   => "root",
    mode    => 0600,
    source  => "puppet:///private/etc/ssh/ssh_host_rsa_key",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }

  file { "/etc/ssh/ssh_host_rsa_key.pub":
    owner   => "root",
    group   => "root",
    mode    => 0644,
    source  => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
}

class ssh($sshd_config_source = "puppet:///modules/ssh/etc/ssh/sshd_config") {
  include ssh::install, ssh::service
  class { "ssh::config":
    sshd_config_source => $sshd_config_source
  }
}

$ ls -alh /etc/puppet/private/nodehostname/etc/ssh
total 24K
drwxr-xr-x 2 root root 4.0K Jan 18 11:35 .
drwxr-xr-x 5 root root 4.0K Jan 18 11:35 ..
-rw-r--r-- 1 root root  668 Jan 18 11:35 ssh_host_dsa_key
-rw-r--r-- 1 root root  598 Jan 18 11:35 ssh_host_dsa_key.pub
-rw-r--r-- 1 root root 1.7K Jan 18 11:35 ssh_host_rsa_key
-rw-r--r-- 1 root root  390 Jan 18 11:35 ssh_host_rsa_key.pub

HTH,

-Matt Zagrabelny

--
"This space was intentionally left blank as to not advertise to you what cellular provider nor what iDevice was used to send you an email."
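An added example, not code from Matt's post: a Ruby audit of a per-host private fileserver tree laid out as <root>/<host>/etc/ssh (the %h layout above). It flags private host keys that are readable by group or others on the master, private keys with no matching .pub, and stray .pub files, so private keys stored 0644 like the ones in the ls listing above are caught before they are served to a node. The sample tree it builds is constructed here for illustration.

```ruby
# Audit of a per-host private fileserver tree (added example, not Matt's code).
# Layout assumed: <root>/<host>/etc/ssh/ssh_host_<type>_key[.pub]
require 'fileutils'
require 'tmpdir'

PRIVATE_KEY = /\Assh_host_\w+_key\z/

# Returns an array of "<host>: <problem>" strings; an empty array means clean.
def audit_private_tree(root)
  findings = []
  Dir.glob(File.join(root, '*')).sort.each do |host_dir|
    next unless File.directory?(host_dir)
    host = File.basename(host_dir)
    ssh_dir = File.join(host_dir, 'etc', 'ssh')
    next findings << "#{host}: no etc/ssh directory" unless File.directory?(ssh_dir)
    names = Dir.children(ssh_dir).sort
    names.each do |name|
      path = File.join(ssh_dir, name)
      if name =~ PRIVATE_KEY
        mode = File.stat(path).mode & 0o777
        # Anything readable by group/others on the master leaks the key to every local user.
        findings << "#{host}: #{name} mode #{format('%04o', mode)} (want 0600)" if (mode & 0o077) != 0
        findings << "#{host}: #{name} has no matching .pub" unless names.include?("#{name}.pub")
      elsif name.end_with?('.pub')
        findings << "#{host}: #{name} has no private key" unless names.include?(name.delete_suffix('.pub'))
      end
    end
  end
  findings
end

# Constructed sample tree: "nodehostname" stores its private keys 0644 as in
# the ls listing in the thread; "goodhost" stores them 0600 but lacks one .pub.
def build_sample_tree
  root = Dir.mktmpdir('private')
  { 'nodehostname' => 0o644, 'goodhost' => 0o600 }.each do |host, mode|
    dir = File.join(root, host, 'etc', 'ssh')
    FileUtils.mkdir_p(dir)
    %w[rsa dsa].each do |type|
      priv = File.join(dir, "ssh_host_#{type}_key")
      File.write(priv, "CONSTRUCTED PRIVATE KEY\n")
      File.chmod(mode, priv)
      next if host == 'goodhost' && type == 'dsa'
      File.write("#{priv}.pub", "ssh-#{type} CONSTRUCTED root@#{host}\n")
    end
  end
  root
end
```

Run `puts audit_private_tree('/etc/puppet/private')` on the master (or `audit_private_tree(build_sample_tree)` for the constructed tree) to list the findings.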
On 26/01/12 15:22, Matt Zagrabelny wrote:
> I don't know about "easy", but here is what I am doing:

Thanks Matt, that's helpful.

This addresses how to distribute keys to node from the fileserver, but I wonder if there is a mechanism where if the key doesn't exist on the fileserver, the key that currently exists on the node is pulled in and saved for future reference - i.e. when new nodes are created.

I'm trying to avoid any situation where I have to remember to do anything manually, you see. It always leads to failure down the line!

Cheers,
Jonathan
> This addresses how to distribute keys to node from the fileserver, but I wonder if there is a mechanism where if the key doesn't exist on the fileserver, the key that currently exists on the node is pulled in and saved for future reference - i.e. when new nodes are created.

I believe a filebucket is what you are looking for:

http://docs.puppetlabs.com/man/filebucket.html
http://docs.puppetlabs.com/references/latest/type.html#filebucket

Should be able to use it to back up your SSH keys during a puppet run.

-Steve
On Thu, Jan 26, 2012 at 9:35 AM, Jonathan Gazeley <jonathan.gazeley@bristol.ac.uk> wrote:
> On 26/01/12 15:22, Matt Zagrabelny wrote:
>>
>> I don't know about "easy", but here is what I am doing:
>
>
> Thanks Matt, that's helpful.
>
> This addresses how to distribute keys to node from the fileserver, but I
> wonder if there is a mechanism where if the key doesn't exist on the
> fileserver, the key that currently exists on the node is pulled in and saved
> for future reference - i.e. when new nodes are created.
>
> I'm trying to avoid any situation where I have to remember to do anything
> manually, you see. It always leads to failure down the line!

I think the consensus is that puppet drives the state of a node. It is somewhat unconventional to have the node drive the state of the node.

Remember, there is always some amount of manual stuff to do.

1) Install the OS (or clone your VM.)
2) Set the IP/hostname
3) Install puppet
4) Have the puppetmaster sign the cert

Adding on scp'ing the host keys to your puppetmaster isn't too big of a deal.

-mz

--
"This space was intentionally left blank as to not advertise to you what cellular provider nor what iDevice was used to send you an email."
On 26/01/12 16:02, Matt Zagrabelny wrote:
> On Thu, Jan 26, 2012 at 9:35 AM, Jonathan Gazeley
> <jonathan.gazeley@bristol.ac.uk> wrote:
>> On 26/01/12 15:22, Matt Zagrabelny wrote:
>>>
>>> I don't know about "easy", but here is what I am doing:
>>
>>
>> Thanks Matt, that's helpful.
>>
>> This addresses how to distribute keys to node from the fileserver, but I
>> wonder if there is a mechanism where if the key doesn't exist on the
>> fileserver, the key that currently exists on the node is pulled in and saved
>> for future reference - i.e. when new nodes are created.
>>
>> I'm trying to avoid any situation where I have to remember to do anything
>> manually, you see. It always leads to failure down the line!
>
> I think the consensus is that puppet drives the state of a node. It is
> somewhat unconventional to have the node drive the state of the node.
>
> Remember, there is always some amount of manual stuff to do.
>
> 1) Install the OS (or clone your VM.)
> 2) Set the IP/hostname
> 3) Install puppet
> 4) Have the puppetmaster sign the cert
>
> Adding on scp'ing the host keys to your puppetmaster isn't too big of a deal.

OK. I just wondered if there was an equivalent way of using exported resources for private keys, similar to this for public keys:

@@sshkey { $fqdn:
  type => rsa,
  key  => $sshrsakey
}

I'll have a think.

Thanks,
Jonathan
>> Remember, there is always some amount of manual stuff to do.
>>
>> 1) Install the OS (or clone your VM.)
>> 2) Set the IP/hostname
>> 3) Install puppet
>> 4) Have the puppetmaster sign the cert
>>

Meh :P .. If you're using a Xen environment, we've taken care of this part already, where a puppet recipe creates a new vm, sets ip addr, installs puppet and gets the certs signed. So when the new vm boots its already pulling changes as per its node definition on master :)

We plan to open source the module soon at github :)

--
Krish
olindata.com
I am relatively new to both Puppet and ssh-keys, but is it possible for the PuppetMaster to generate all the keys rather than each client creating their own ?

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin & Hobbes)
On Thu, Jan 26, 2012 at 06:32:49PM +0000, Dan White wrote:
> I am relatively new to both Puppet and ssh-keys,
> but is it possible for the PuppetMaster to generate all the keys rather that each client creating their own ?

This might be one of the places where erb (templates) being evaluated on the puppetmaster will help. I'm just speculating, but there's no technological reason why the puppetmaster shouldn't use erb/ruby to fork ssh-keygen and store the result in some local directory. The puppet template can either create a private key, or copy in the results of a previous ssh-keygen run.

I don't see technical obstacles, only security obstacles. You may not want all your ssh private keys stored in one place, for instance.

> “Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
> Bill Waterson (Calvin & Hobbes)
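An added example, not code from this thread: Christopher's "generate on the puppetmaster" idea as a plain Ruby function that a custom Puppet function or ERB template could call. For a given host it reuses the RSA pair already stored under <root>/<host>/etc/ssh (the private fileserver layout from Matt's post) or generates one with ssh-keygen, then enforces 0700 on the directory and 0600 on the private key. The key generator is injectable so the function can be exercised without ssh-keygen, and an existing private key is never silently replaced; the directory root, the hostname check and the stand-in generator are assumptions of this example.

```ruby
# Generate-or-reuse SSH host keys on the master (added example, not from the thread).
require 'fileutils'
require 'tmpdir'

HOST_NAME = /\A[a-z0-9]([a-z0-9.-]*[a-z0-9])?\z/i  # %h must not carry path tricks

# Default generator: a real ssh-keygen run (assumed to be on PATH).
DEFAULT_KEYGEN = lambda do |priv_path, host|
  ok = system('ssh-keygen', '-q', '-t', 'rsa', '-b', '4096', '-N', '',
              '-C', "root@#{host}", '-f', priv_path)
  raise "ssh-keygen failed for #{host}" unless ok
end

# Returns { private: path, public: path, generated: true/false }.
def ensure_host_key(root, host, keygen: DEFAULT_KEYGEN)
  raise ArgumentError, "bad hostname #{host.inspect}" unless host =~ HOST_NAME
  dir  = File.join(root, host, 'etc', 'ssh')
  priv = File.join(dir, 'ssh_host_rsa_key')
  pub  = "#{priv}.pub"
  FileUtils.mkdir_p(dir, mode: 0o700)
  generated = false
  if File.file?(priv)
    # Regenerating would silently replace a key that other hosts already trust.
    raise "#{priv} exists without #{pub}; refusing to overwrite" unless File.file?(pub)
  else
    FileUtils.rm_f(pub)  # a stale .pub without its private key is useless
    keygen.call(priv, host)
    generated = true
  end
  File.chmod(0o700, dir)
  File.chmod(0o600, priv)
  File.chmod(0o644, pub)
  { private: priv, public: pub, generated: generated }
end

# Offline stand-in generator that writes constructed placeholder files.
FAKE_KEYGEN = lambda do |priv_path, host|
  File.write(priv_path, "CONSTRUCTED PRIVATE KEY for #{host}\n")
  File.write("#{priv_path}.pub", "ssh-rsa CONSTRUCTED root@#{host}\n")
end
```

Calling `ensure_host_key('/etc/puppet/private', 'nodehostname')` on the master populates exactly the paths Matt's manifest serves via puppet:///private/etc/ssh/, which is also where Christopher's caveat applies: every node's private key now lives on one machine.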
On Jan 26, 1:42 pm, Christopher Wood <christopher_w...@pobox.com> wrote:
> On Thu, Jan 26, 2012 at 06:32:49PM +0000, Dan White wrote:
> > I am relatively new to both Puppet and ssh-keys,
> > but is it possible for the PuppetMaster to generate all the keys rather that each client creating their own ?
>
> This might be one of the places where erb (templates) being evaluated on the puppetmaster will help. I'm just speculating, but there's no technological reason why the puppetmaster shouldn't use erb/ruby to fork ssh-keygen and store the result in some local directory. The puppet template can either create a private key, or copy in the results of a previous ssh-keygen run.
>
> I don't see technical obstacles, only security obstacles. You may not want all your ssh private keys stored in one place, for instance.
>

Agreed,

My first thought is to be sure a backup of the private keys is kept current and separate - and possibly in multiple locations.

Any other security considerations one should consider ?

In my current workplace, ssh keys are used for remote machine logins and the individual user is responsible for maintaining their own private key. I am not completely happy with this arrangement, and I am looking for information to use to make some intelligent suggestions for change.