Puppet users - Aug 2012 - Possible to copy ssh key from node A to node B?

Hi,

I would like to write a class that can copy /root/.ssh/id_dsa from node A 
to node B.

class sshkeycopy {
>    exec {"ssh-keygen -q -t dsa -f /root/.ssh/id_dsa -P
''''":
>       creates => "/root/.ssh/id_dsa.pub"
>    }
>    file {"/root/.ssh/id_dsa":
>       mode   => "644",
>       owner  => root,
>       group  => root,
>    }
>    exec {"???":
>       subscribe => Exec["ssh-keygen -q -t dsa -f /root/.ssh/id_dsa
-P ''''"],
>       refreshonly => true
>    }
> }

The puppet master can login to node B without passphrase and append a key

cat .ssh/id_rsa.pub | ssh b@B ''cat >>
.ssh/authorized_keys''

So the question is how to copy /root/.ssh/id_dsa.pub from node A to the 
puppet master and then push it to node B?

Hugs,
Sandra

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/UZoM9krZK74J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Sandra,

On the run so no time to write up a quick example - but take a look at exported
resources.  There''s a design patterns page --

http://docs.puppetlabs.com/guides/exported_resources.html

These are designed to do what you''re looking for.

-Eric 

--

Eric Shamow
Professional Services
http://puppetlabs.com/
(c)631.871.6441

Join us for PuppetConf 2012 at the Mission Bay Convention Center in San
Francisco, California on September 27th and 28th --> http://bit.ly/pcsig12


On Thursday, August 30, 2012 at 9:41 AM, Sandra Schlichting wrote:
> Hi,
> 
> I would like to write a class that can copy /root/.ssh/id_dsa from node A
to node B.
> 
> > class sshkeycopy {
> >    exec {"ssh-keygen -q -t dsa -f /root/.ssh/id_dsa -P
''''":
> >       creates => "/root/.ssh/id_dsa.pub"
> >    }
> >    file {"/root/.ssh/id_dsa":
> >       mode   => "644",
> >       owner  => root,
> >       group  => root,
> >    }
> >    exec {"???":
> >       subscribe => Exec["ssh-keygen -q -t dsa -f
/root/.ssh/id_dsa -P ''''"],
> >       refreshonly => true
> >    }
> > }
> 
> The puppet master can login to node B without passphrase and append a key
> 
> cat .ssh/id_rsa.pub | ssh b@B ''cat >>
.ssh/authorized_keys''
> 
> So the question is how to copy /root/.ssh/id_dsa.pub from node A to the
puppet master and then push it to node B?
> 
> Hugs,
> Sandra
> 
> -- 
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/UZoM9krZK74J.
> To post to this group, send email to puppet-users@googlegroups.com
(mailto:puppet-users@googlegroups.com).
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
(mailto:puppet-users+unsubscribe@googlegroups.com).
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi Eric
 
> On the run so no time to write up a quick example - but take a look at 
> exported resources.  There''s a design patterns page --
>
> http://docs.puppetlabs.com/guides/exported_resources.html
>
> These are designed to do what you''re looking for.
>
 
Wow. That looks very complicated. =) I suppose it requires a database 
backend?

Does there exist a SSH key management module, where the puppet master 
generates the private and public keys and pushes them to the nodes?

Hugs,
Sandra

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/pKPGEE_wMtEJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On 8/30/12, Sandra Schlichting <littlesandra88@gmail.com>
wrote:
> Does there exist a SSH key management module, where the puppet master
> generates the private and public keys and pushes them to the nodes?
There''s an sshauth module at
http://projects.reductivelabs.com/projects/puppet/wiki/Module_Ssh_Auth_Patterns
that I''ve used successfully on a 2.7.x puppetmaster.  It handles
public & private key generation and exchange, but doesn''t handle
known_hosts.  It doesn''t require a DB backend though; the keys are
stored on the puppetmaster and just pushed out to nodes that need
them.

There are a number of ssh related modules on the forge
(http://forge.puppetlabs.com/modules?q=ssh) but I''ve not used any of
them so can''t comment on their usefulness or robustness.

Hope this helps,

Matt.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Thu, 2012-08-30 at 09:42 -0400, Eric Shamow wrote:
> On Thursday, August 30, 2012 at 9:41 AM, Sandra Schlichting wrote:
> 
> > Hi,
> > 
> > I would like to write a class that can copy /root/.ssh/id_dsa from
node A to node B.
> > 
> > 
> > The puppet master can login to node B without passphrase and append a
key
> > 
> > cat .ssh/id_rsa.pub | ssh b@B ''cat >>
.ssh/authorized_keys''
> > 
> > So the question is how to copy /root/.ssh/id_dsa.pub from node A to
the puppet master and then push it to node B?
> On the run so no time to write up a quick example - but take a look at
> exported resources.  There''s a design patterns page --
> 
> http://docs.puppetlabs.com/guides/exported_resources.html
> 
> These are designed to do what you''re looking for.
Exported resources can do most of what you want, but there''s still one
key problem that they don''t solve: Getting the ssh public key
(/root/.ssh/id_rsa.pub or whatever) from the node to the puppet master.

The only solution that I''ve seen for this so far is to write a custom
fact which would read the key from root/.ssh/id_rsa.pub and store it in
a variable like $root_ssh_id_rsa_pub or something - but that requires
that you run puppet twice! First to generate the key, then second to
read the key from the fact and publish the exported resource.

Does anyone have any better ideas?

I currently have a really nasty hack with a generator script that runs
on the puppet master, which works, but is a bit fragile - and will fail
if I ever want to scale to multiple puppet masters. It looks like this:
https://gist.github.com/3531206

-- 
Calvin Walton <calvin.walton@kepstin.ca>

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Thu, Aug 30, 2012 at 11:40 AM, Calvin Walton
<calvin.walton@kepstin.ca> wrote:
> On Thu, 2012-08-30 at 09:42 -0400, Eric Shamow wrote:
>> On Thursday, August 30, 2012 at 9:41 AM, Sandra Schlichting wrote:
>>
>> > Hi,
>> >
>> > I would like to write a class that can copy /root/.ssh/id_dsa from
node A to node B.
>> >
>> >
>> > The puppet master can login to node B without passphrase and
append a key
>> >
>> > cat .ssh/id_rsa.pub | ssh b@B ''cat >>
.ssh/authorized_keys''
>> >
>> > So the question is how to copy /root/.ssh/id_dsa.pub from node A
to the puppet master and then push it to node B?
>
>> On the run so no time to write up a quick example - but take a look at
>> exported resources.  There''s a design patterns page --
>>
>> http://docs.puppetlabs.com/guides/exported_resources.html
>>
>> These are designed to do what you''re looking for.
>
> Exported resources can do most of what you want, but there''s still
one
> key problem that they don''t solve: Getting the ssh public key
> (/root/.ssh/id_rsa.pub or whatever) from the node to the puppet master.
>
> The only solution that I''ve seen for this so far is to write a
custom
> fact which would read the key from root/.ssh/id_rsa.pub and store it in
> a variable like $root_ssh_id_rsa_pub or something - but that requires
> that you run puppet twice! First to generate the key, then second to
> read the key from the fact and publish the exported resource.
>
> Does anyone have any better ideas?
>
> I currently have a really nasty hack with a generator script that runs
> on the puppet master, which works, but is a bit fragile - and will fail
> if I ever want to scale to multiple puppet masters. It looks like this:
> https://gist.github.com/3531206

Here is the script we use to do the same.  I am not proud of all the
locking stuff.  Not sure if it is necessary or not, but it works.
Just set $hostkeydir and $userkeydir for your environment, and it will
manage ssh host keys.  It will also do user keys, but I didn''t put
examples of that in the gist.

git://gist.github.com/3534504.git

-- 
Chad M. Huneycutt

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi Chad

Here is the script we use to do the same.  I am not proud of all the
> locking stuff.  Not sure if it is necessary or not, but it works. 
> Just set $hostkeydir and $userkeydir for your environment, and it will 
> manage ssh host keys.  It will also do user keys, but I didn''t put
> examples of that in the gist. 
>
> git://gist.github.com/3534504.git

It looks very impressive, but I can''t really figure out how to use it.

 ~/ssh# ./sshkeys.pl --dsa --host=ttt.e.com --user=rrr --genknownhosts 
Unable to open lock file at ./sshkeys.pl line 239.
~/ssh# ./sshkeys.pl --dsa --host=ttt.e.com --user=rrr --genknownhosts 
--addauth
Unknown option: addauth

I have set

our $hostkeydir = ''/root/ssh/hostkeys'';
our $userkeydir = ''/root/ssh/userkeys'';
our $known_hosts_copy = ''/root/ssh/gen/ssh_known_hosts'';

If you could share the puppet module you use, it would be very helpful =)

Hugs,
Sandra

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/vR7zhEKP9FoJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

>
> There''s an sshauth module at 
>
>
http://projects.reductivelabs.com/projects/puppet/wiki/Module_Ssh_Auth_Patterns
> that I''ve used successfully on a 2.7.x puppetmaster.  It handles 
> public & private key generation and exchange, but doesn''t
handle
> known_hosts.  It doesn''t require a DB backend though; the keys are
> stored on the puppetmaster and just pushed out to nodes that need 
> them. 
>
That sounds exactly what I need =)

About known_hosts. So that just means I have to login the first time 
myself, and answer "yes" to the fingerprint?
 
> There are a number of ssh related modules on the forge 
> (http://forge.puppetlabs.com/modules?q=ssh) but I''ve not used any
of
> them so can''t comment on their usefulness or robustness. 
>
This one also looks good
https://github.com/ghoneycutt/puppet-ssh

Have you tried that one?

Hugs,
Sandra


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/iwbrzIeBIEsJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On 31.08.2012 14:32, Sandra Schlichting wrote:
>     There''s an sshauth module at
>    
http://projects.reductivelabs.com/projects/puppet/wiki/Module_Ssh_Auth_Patterns
>    
<http://projects.reductivelabs.com/projects/puppet/wiki/Module_Ssh_Auth_Patterns>
>
>     that I''ve used successfully on a 2.7.x puppetmaster.  It
handles
>     public & private key generation and exchange, but doesn''t
handle
>     known_hosts.  It doesn''t require a DB backend though; the keys
are
>     stored on the puppetmaster and just pushed out to nodes that need
>     them.
>
>
> That sounds exactly what I need =)
>
> About known_hosts. So that just means I have to login the first time
> myself, and answer "yes" to the fingerprint?
Err, no. In a well-maintained environment, it should never be necessary 
to manually approve a host key.

Usually you should always distribute all host keys to all clients with 
one of the common @@ssh_key Export/Collect patterns. That is totally 
unrelated to authentication though.


Regards, D

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

>
> Err, no. In a well-maintained environment, it should never be necessary 
> to manually approve a host key. 
>
I would prefer that too.
 
> Usually you should always distribute all host keys to all clients with 
> one of the common @@ssh_key Export/Collect patterns. That is totally 
> unrelated to authentication though. 
>
Can it be done without introducing a database?

I would really like not introduce a database to my puppet master.


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/EPQL0gh8CPUJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Friday, August 31, 2012 8:38:03 AM UTC-5, Sandra Schlichting
wrote:
>
> Err, no. In a well-maintained environment, it should never be necessary 
>> to manually approve a host key. 
>>
>
> I would prefer that too.
>  
>
>> Usually you should always distribute all host keys to all clients with 
>> one of the common @@ssh_key Export/Collect patterns. That is totally 
>> unrelated to authentication though. 
>>
>
> Can it be done without introducing a database?
>
> I would really like not introduce a database to my puppet master.
>  
>
 
It depends a bit on how you define "database".   Certainly you need
some
kind of data store on the master in which to record the keys you want to 
distribute.  To use exported resources for the job, that data store must be 
managed by a relational DBMS.
 
If you''re willing to put a fair amount of effort into it, however, then
you
could likely work up something that recorded keys in an hiera-accessible 
data file, or even in a Puppet manifest file.  The Puppet code for *
distributing* the keys in this case wouldn''t need to be much more 
complicated, but you''d have that whole custom <something> for
managing the
keys.
 
John
 

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/R3tpZe_ivpYJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Sorry, Sandra, I started to add a comment at the bottom with usage,
but apparently I never saved it.  Although the script can do user keys
as well, this just addresses host keys.  I have a cron script that
generates the known hosts file as well:

0,10,20,30,40,50 * * * * /tr01/scripts/sshkeys.pl --genknownhosts

The script will either retrieve the key if it already exists, or
generate a new one if it doesn''t.  $ccbp_realname is just the fqdn.

class ssh::server::rh {
  $rsahostkey = generate("$pm_scripts/sshkeys.pl",
"--private",
"--rsa", "--host", "$ccbp_realname")
  $rsahostkeypub = generate("$pm_scripts/sshkeys.pl",
"--rsa",
"--host", "$ccbp_realname")
  $dsahostkey = generate("$pm_scripts/sshkeys.pl",
"--private",
"--dsa", "--host", "$ccbp_realname")
  $dsahostkeypub = generate("$pm_scripts/sshkeys.pl",
"--dsa",
"--host", "$ccbp_realname")

  file { "/etc/ssh/ssh_host_rsa_key":
    content => $rsahostkey,
    mode => 0400, owner => root, group => root,
  }

  file { "/etc/ssh/ssh_host_rsa_key.pub":
    content => $rsahostkeypub,
    mode => 0444, owner => root, group => root,
  }

  file { "/etc/ssh/ssh_host_dsa_key":
    content => $dsahostkey,
    mode => 0400, owner => root, group => root,
  }

  file { "/etc/ssh/ssh_host_dsa_key.pub":
    content => $dsahostkeypub,
    mode => 0444, owner => root, group => root,
  }

}

On Fri, Aug 31, 2012 at 5:21 AM, Sandra Schlichting
<littlesandra88@gmail.com> wrote:
> Hi Chad
>
>
>> Here is the script we use to do the same.  I am not proud of all the
>> locking stuff.  Not sure if it is necessary or not, but it works.
>> Just set $hostkeydir and $userkeydir for your environment, and it will
>> manage ssh host keys.  It will also do user keys, but I didn''t
put
>> examples of that in the gist.
>>
>> git://gist.github.com/3534504.git
>
>
> It looks very impressive, but I can''t really figure out how to use
it.
>
>  ~/ssh# ./sshkeys.pl --dsa --host=ttt.e.com --user=rrr --genknownhosts
> Unable to open lock file at ./sshkeys.pl line 239.
> ~/ssh# ./sshkeys.pl --dsa --host=ttt.e.com --user=rrr --genknownhosts
> --addauth
> Unknown option: addauth
>
> I have set
>
> our $hostkeydir = ''/root/ssh/hostkeys'';
> our $userkeydir = ''/root/ssh/userkeys'';
> our $known_hosts_copy = ''/root/ssh/gen/ssh_known_hosts'';
>
> If you could share the puppet module you use, it would be very helpful =)
>
> Hugs,
> Sandra
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/vR7zhEKP9FoJ.
>
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.


-- 
Chad M. Huneycutt

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On 2012-08-31 15:38, Sandra Schlichting wrote:
>     Err, no. In a well-maintained environment, it should never be necessary
>     to manually approve a host key.
>
>
> I would prefer that too.
>
>     Usually you should always distribute all host keys to all clients with
>     one of the common @@ssh_key Export/Collect patterns. That is totally
>     unrelated to authentication though.
>
>
> Can it be done without introducing a database?
>
> I would really like not introduce a database to my puppet master.
As John said, some kind of store''ll be unavoidable. If you''re
concerned
about performance, puppetdb seems the way to go. I''ve had awesome 
results compared to classic storeconfig.

If you''re generally ill-disposed re RDBMS on your puppetmaster,
you''ll
probably go best by generating all keys on the master and push the 
processed files from there to the nodes. For one site, I''ve whipped up 
that solution in a few hours, complete with puppet integration: a 
puppet/ruby function checks whether the key is already available or 
needs to be created, another function creates the know_hosts.

The downside of the second method is that you collect all your private 
keys on the puppet master. Not that that would make any difference in 
case of a break-in on your puppetmaster...


Best Regards, David

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi Chad
 
> Sorry, Sandra, I started to add a comment at the bottom with usage, 
> but apparently I never saved it.  Although the script can do user keys 
> as well, this just addresses host keys.  I have a cron script that 
> generates the known hosts file as well: 
>
[snip]

Wow. Easy and simple solution to a complex problem.

Thanks for your scripts =)

Hugs,
Sandra

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/hX5CGhG4Y4gJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.