Hi all,

I appreciate any help with 2 questions.

The first one is about how to avoid duplicate lines in authorized_keys, having something like:

    define add_ssh_key( $key, $type ) {

      $username = $title

      ssh_authorized_key{ "${username}_${key}":
        ensure  => present,
        key     => $key,
        type    => $type,
        user    => $username,
        require => file["/home/$username/.ssh/authorized_keys"]
      }

    }

The fact is, while I'm looking for a solution I found a reference to file_line custom facts in https://github.com/puppetlabs/puppetlabs-stdlib, it's amazing functionality to run on agents, so my second question is about documentation for custom facts: where can I find it?

Thanks in advance,
eduardo.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jo Rhett
2012-Jun-05 16:46 UTC
Re: [Puppet Users] how to avoid ssh_authorized_key duplicates ?
Hi, you should check this out: http://lmgtfy.com/?q=puppet+custom+facts

On Jun 5, 2012, at 8:17 AM, eduardo wrote:
> The fact is, while I'm looking for a solution I found a reference to
> file_line custom facts in https://github.com/puppetlabs/puppetlabs-stdlib,
> it's amazing functionality to run on agents, so my second question is
> about documentation for custom facts: where can I find it?
>
> Thanks in advance,
> eduardo.

--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
Felix Frank
2012-Jun-07 07:49 UTC
Re: [Puppet Users] how to avoid ssh_authorized_key duplicates ?
Hi,

On 06/05/2012 05:17 PM, eduardo wrote:
> The first one is about how to avoid duplicate lines in authorized_keys,
> having something like:
>
> define add_ssh_key( $key, $type ) {
>
>   $username = $title
>
>   ssh_authorized_key{ "${username}_${key}":
>     ensure  => present,
>     key     => $key,
>     type    => $type,
>     user    => $username,
>     require => file["/home/$username/.ssh/authorized_keys"]
>   }
>
> }

this should not produce duplicate lines by any means.

It *will* however include the public key into the name of each key, which may be what's annoying you.

Why are you wrapping the ssh_authorized_key? Are you allowing the same key to lots of different users?

If so, you could try and make things more readable by only using the first 12 or so characters from the pubkey for the generated name (e.g. using http://docs.puppetlabs.com/references/stable/function.html#sprintf).

But honestly, I would add the key name as a third parameter and name the resources like this:

    define add_ssh_key( $key, $type, $keyname ) {
      $username = $title
      ssh_authorized_key{ "${keyname}_for_${username}":
        ...

    }

HTH,
Felix
eduardo
2012-Jun-07 14:32 UTC
[Puppet Users] Re: how to avoid ssh_authorized_key duplicates ?
Thank you Felix for your answer. Yes, I'm trying to allow the same key for different users and I'm checking your advice, it's welcome.

I had been looking for more control over the contents of authorized_keys files. I'm trying another version using Ruby DSL ENC, taking advantage of the power of the Ruby language.

    ├── actkeys
    │   └── manifests
    │       └── init.rb

Having init.rb something like:

    hostclass :actkeys, :arguments => {'accounts' => AST::ASTArray.new([])} do
      accounts = scope.lookupvar('accounts')

      ----

      accounts.each_with_index do |account, i|
        raise Puppet::Error, "accounts[#{i}] must be a Hash" unless account.kind_of?(Hash)

      ---

I think this way is great because it allows us to compare class parameter values against file contents and anything in the agent environment; nevertheless I'm pretty sure there might be a simple pure Puppet solution. Meanwhile, I'm learning and at the same time enjoying the puppet package.

I appreciate your help,
eduardo.
eduardo
2012-Jun-08 00:26 UTC
[Puppet Users] Re: how to avoid ssh_authorized_key duplicates ?
To be more clear, I'm trying to allow the same key for different users, but also, tests tell me that the ssh_authorized_key functionality always adds keys without any previous check of the authorized file contents, so if the key was there it's inserted on each loop agent -> master, having as a result duplicate lines.

That's why I decided on the Ruby DSL ENC version, having init.rb:

    hostclass :actkeys, :arguments => {'accounts' => AST::ASTArray.new([])} do
      accounts = scope.lookupvar('accounts')

      -----

      accounts.each_with_index do |account, i|
        raise Puppet::Error, "accounts[#{i}] must be a Hash" unless account.kind_of?(Hash)

        account_defaults = {
          'file_key' => '/home/' + account['login'] + '/.ssh/authorized_keys',
          'key_name' => account['login'] + '_' + account['email'],
        }

        # Fill in defaults
        account.merge!(account_defaults) { |k, v1, v2| v1 }

        # Must be user resource
        user(account['login'], :ensure => 'present')

        file(account['file_key'], :ensure => 'present')

        line_chk = "ssh-#{account['type']} #{account['key']} #{account['key_name']}"

        if ! File.open(account['file_key']).lines.any? { |line| line.chomp == "#{line_chk}" }
          ssh_authorized_key(account['key_name'],
            :ensure => 'present',
            :key    => account['key'],
            :type   => account['type'],
            :user   => account['login']
          )
        end
      end
    end

But this version gets a permission denied error in File.open( ... ):

    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Puppet::Parser::Compiler failed with error Errno::EACCES: Permission denied - /home/ppuser6/.ssh/authorized_keys on node casa

I fixed /etc/puppet/fileserver.conf and the file permissions but I don't get it yet. Any suggestions?

Regards,
eduardo.
Jo Rhett
2012-Jun-08 01:13 UTC
Re: [Puppet Users] how to avoid ssh_authorized_key duplicates ?
On Jun 7, 2012, at 5:26 PM, eduardo wrote:
> To be more clear, I'm trying to allow the same key for different
> users, but also, tests tell me that the ssh_authorized_key
> functionality always adds keys without any previous check of the authorized
> file contents, so if the key was there it's inserted on each loop agent

It checks based on the comment. If the comment is the same, the key won't be replaced.

That being said, it seems to believe the comment and reset its internal username based on the comment at times, so ensure that your comments don't contain usernames.

http://projects.puppetlabs.com/issues/14809

--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
eduardo
2012-Jun-08 03:56 UTC
[Puppet Users] Re: how to avoid ssh_authorized_key duplicates ?
Thank you Jo for your help, issue solved. There are no duplicate lines when keeping the same value in the comment field.

Regards,
Eduardo.
Felix Frank
2012-Jun-08 07:55 UTC
Re: [Puppet Users] Re: how to avoid ssh_authorized_key duplicates ?
Hi again,

On 06/08/2012 02:26 AM, eduardo wrote:
> To be more clear, I'm trying to allow the same key for different
> users, but also, tests tell me that the ssh_authorized_key
> functionality always adds keys without any previous check of the authorized
> file contents, so if the key was there it's inserted on each loop agent
> -> master, having as a result duplicate lines.

the provider will only look at the key name (or comment, as Jo puts it). It will never duplicate these names/comments. It will, however, install the same key with as many different names as you want.

There is no good way around this issue, except *all* your keys are puppet managed. Then you could tell your agent to purge keys.

> err: Could not retrieve catalog from remote server: Error 400 on
> SERVER: Puppet::Parser::Compiler failed with error Errno::EACCES:
> Permission denied - /home/ppuser6/.ssh/authorized_keys on node casa

I don't really understand what you're trying to do.

Are you reading authorized_keys files from inside a manifest? That cannot work: The puppet master has no access to the files on your agent boxen.

If you want ssh_authorized_key to work differently, you will have no choice but to deploy a patched provider to your agents.
Don't do this though - that approach is way beyond advanced.

Please check very carefully exactly what's getting duplicated. You may want to send a short example to the list.

Regards,
Felix
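An added example, not code from any poster in this thread: a small Ruby audit of one authorized_keys file for the cases described in the reply above, namely the same key installed under several names, a name that repeats, and the names a purge would drop because they are not in the managed set. The function names, the managed-name list and the key blobs are constructed for illustration.

```ruby
# Added example, not from the thread. Key blobs below are constructed.
KEY_LINE = /\A(?:(.*?)\s+)?(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp\d+)\s+(\S+)(?:\s+(.*))?\z/

# Split one authorized_keys line into options, type, key blob and name
# (the trailing comment field). Returns nil for blank and comment lines.
# Limitation: a key-type word inside a quoted option is not handled.
def parse_key_line(line)
  line = line.strip
  return nil if line.empty? || line.start_with?('#')
  m = KEY_LINE.match(line) or return nil
  { options: m[1], type: m[2], blob: m[3], name: m[4].to_s }
end

# Report, for one file:
#   :same_key  - key blobs present under more than one name
#   :same_name - names that occur on more than one line
#   :unmanaged - names missing from managed_names (what a purge would drop)
def audit_authorized_keys(text, managed_names)
  entries = text.each_line.map { |l| parse_key_line(l) }.compact
  by_blob = entries.group_by { |e| e[:blob] }
  by_name = entries.group_by { |e| e[:name] }
  {
    same_key:  by_blob.select { |_, es| es.map { |e| e[:name] }.uniq.size > 1 }
                      .transform_values { |es| es.map { |e| e[:name] } },
    same_name: by_name.select { |_, es| es.size > 1 }.keys,
    unmanaged: by_name.keys - managed_names
  }
end

# Constructed sample: KEY1 appears under two names, backup_job names two keys.
SAMPLE = <<~KEYS
  # constructed sample file
  ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedKEY1 alice_laptop
  ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedKEY1 deploy_key
  from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedKEY2 backup_job
  ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedKEY3 backup_job
KEYS

if __FILE__ == $PROGRAM_NAME
  report = audit_authorized_keys(SAMPLE, %w[alice_laptop backup_job])
  report.each { |kind, found| puts "#{kind}: #{found.inspect}" }
end
```

To audit a real file, pass `File.read(path)` on the host that holds it, since the file lives on the agent and not on the master.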
eduardo
2012-Jun-08 11:06 UTC
[Puppet Users] Re: how to avoid ssh_authorized_key duplicates ?
Hi Felix,

yes, I'm trying to read authorized key files to check for the new line. Thanks for explaining to me that it's the wrong way.

Finally, I realize that the key name content (comment) is essential, and tests are good.

I appreciate your help,
regards,
eduardo.