Hi. I'm wondering, is there a way to manage ssh servers in a way that every machine has its own key? I'm talking about these files:

/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub

Ideally I would like to have a module that replaces those files with files from the puppet server, for a specific host, if they are available, and if not, then to gather them from the client. I think this is not possible, so is there some sensible way to manage those files in a different fashion? Holding every file under:

/etc/puppet/files/ssh/<%= hostname %>

is a possibility, but if someone has done this already I would appreciate some hints. I'm trying to set up persistent ssh server keys across reinstallations of hosts...

-- 
Jakov Sosic
www.srce.unizg.hr

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Mon, Nov 26, 2012 at 1:47 PM, Jakov Sosic <jsosic@srce.hr> wrote:
> Hi.
>
> I'm wondering is there a way to manage ssh servers, in a way that every
> machine has its own key?

I've used the "private" file server mechanism to serve out node sensitive files. The following snippet shows this:

class ssh::config($sshd_config_source = "puppet:///modules/ssh/etc/ssh/sshd_config") {
  file { "/etc/ssh/sshd_config":
    source  => $sshd_config_source,
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/pam.d/sshd":
    source  => "puppet:///modules/ssh/etc/pam.d/sshd",
    require => [ Class["ssh::install"], Class["libpam_radius_auth"] ],
  }
  # private keys: served from the per-node "private" mount, root-only
  file { "/etc/ssh/ssh_host_dsa_key":
    mode    => 0600,
    source  => "puppet:///private/etc/ssh/ssh_host_dsa_key",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/ssh/ssh_host_dsa_key.pub":
    source  => "puppet:///private/etc/ssh/ssh_host_dsa_key.pub",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/ssh/ssh_host_rsa_key":
    mode    => 0600,
    source  => "puppet:///private/etc/ssh/ssh_host_rsa_key",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/ssh/ssh_host_rsa_key.pub":
    source  => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
}

-mz
Take a look at https://github.com/gtcoc/sshkeys for an idea. It isn't documented well (yet), so here are some rough notes:

* the module assumes you are using hiera to supply default arguments. You can see the default values in the hieradata directory
* the sshkeys::hostkeys class best shows how it works:
  + the master makes a call (via generate) to a perl script (sshkeys.pl)
  + the perl script either retrieves or generates a new key for the host
* assuming you set up hiera properly (or otherwise specify default parameter values), I think all you should need to use this is:

  on the puppet master:

    include sshkeys::install

  and on the nodes:

    include sshkeys::hostkeys

* if you want to distribute the keys into a known_hosts file, then you have to set up a file serving location for the file and pull it down. I created a module that I use for serving various files in our environment, and I set the parameter 'sshkeys::install::knownhosts_servedir' to put the file in the proper place. Then on all of my hosts I add a file resource:

    file { '/etc/ssh/ssh_known_hosts':
      source => 'puppet:///modules/ccfiles/ssh_known_hosts',
      mode   => '0444',
      owner  => 'root',
      group  => 'root',
    }

Hope that helps,

Chad

On Mon, Nov 26, 2012 at 2:47 PM, Jakov Sosic <jsosic@srce.hr> wrote:
> Hi.
>
> I'm wondering is there a way to manage ssh servers, in a way that every
> machine has its own key?
>
> I'm talking about these files:
>
> /etc/ssh/ssh_host_dsa_key
> /etc/ssh/ssh_host_dsa_key.pub
> /etc/ssh/ssh_host_rsa_key
> /etc/ssh/ssh_host_rsa_key.pub
> /etc/ssh/ssh_host_key
> /etc/ssh/ssh_host_key.pub
>
> Ideally I would like to have a module that replaces those files with
> files from puppet server, for specific host, if they are available, and
> if not, then to gather them from the client.
>
> I think this is not possible, so is there some sensible way to manage
> those files in a different fashion? Holding every file under:
>
> /etc/puppet/files/ssh/<%= hostname %>
>
> is a possibility, but if someone has done this already I would appreciate
> some hints.
>
> I'm trying to set up persistent ssh server keys across reinstallations
> of hosts...
>
> --
> Jakov Sosic
> www.srce.unizg.hr

-- 
Chad M. Huneycutt
On 11/26/2012 08:54 PM, Matt Zagrabelny wrote:
> file { "/etc/ssh/ssh_host_rsa_key.pub":
>   source => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",

I didn't know about this one. Do I need any special configuration of the puppetmaster for this to work, or is this a builtin?
On Mon, Nov 26, 2012 at 4:05 PM, Jakov Sosic <jsosic@srce.hr> wrote:
> On 11/26/2012 08:54 PM, Matt Zagrabelny wrote:
>
>> file { "/etc/ssh/ssh_host_rsa_key.pub":
>>   source => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",
>
> I didn't know about this one, do I need any special configuration of the
> puppetmaster for this to work, or is this a builtin?

Hi Jakov,

Here is my fileserver.conf:

root@puppet:/etc/puppet# cat /etc/puppet/fileserver.conf
# This file consists of arbitrarily named sections/modules
# defining where files are served from and to whom

# Define a section 'files'
# Adapt the allow/deny settings to your needs. Order
# for allow/deny does not matter, allow always takes precedence
# over deny

[files]
  path /etc/puppet/files
  # allow *.example.com
  # deny *.evil.example.com
  # allow 192.168.0.0/24

[plugins]
  # allow *.example.com
  # deny *.evil.example.com
  # allow 192.168.0.0/24

[private]
  path /etc/puppet/private/%h
  allow *

You would then put stuff at:

/etc/puppet/private/node-01/etc/ssh/ssh_host_rsa_key
.
.
etc.

When node-01 connects to your puppetmaster, it can only "see" its private file space.

-mz
In regard to: Re: [Puppet Users] Managing ssh server's keys?, Matt...:

> Here is my fileserver.conf:

> [private]
>   path /etc/puppet/private/%h
>   allow *

FWIW, we're handling ssh keys and other sensitive full-file content nearly identically, although we chose "/secure" rather than "/private" and we're using %H (fqdn) rather than %h (short host name).

Tim

-- 
Tim Mooney                                             Tim.Mooney@ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, IACC Building                             701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
On 11/26/2012 08:54 PM, Matt Zagrabelny wrote:
> On Mon, Nov 26, 2012 at 1:47 PM, Jakov Sosic <jsosic@srce.hr> wrote:
>> Hi.
>>
>> I'm wondering is there a way to manage ssh servers, in a way that every
>> machine has its own key?
>
> I've used the "private" file server mechanism to serve out node sensitive files.

Thank you for the idea. Now the only problem that is left is how to call a script to generate keys if files are not accessible in the private section :-/

I know one can do something like this:

file { '/etc/ssh/ssh_host_rsa_key.pub':
  ensure  => file,
  mode    => 0644,
  # first source that exists wins: per-node private copy, then the module default
  source  => [
    'puppet:///private/etc/ssh/ssh_host_rsa_key.pub',
    'puppet:///modules/sshd/ssh_host_rsa_key.pub',
  ],
  require => Package['openssh-server'],
  notify  => Service['sshd'],
}

and put some blank default files in there, but I would much prefer to build the keys if they are not there, and I presume I need some puppet magic here :-/

Any ideas?
On Wed, Nov 28, 2012 at 1:50 PM, Jakov Sosic <jsosic@srce.hr> wrote:
> On 11/26/2012 08:54 PM, Matt Zagrabelny wrote:
>> On Mon, Nov 26, 2012 at 1:47 PM, Jakov Sosic <jsosic@srce.hr> wrote:
>>> Hi.
>>>
>>> I'm wondering is there a way to manage ssh servers, in a way that every
>>> machine has its own key?
>>
>> I've used the "private" file server mechanism to serve out node sensitive files.
>
> Thank you for the idea. Now only problem that is left is how to call a
> script to generate keys if files are not accessible in private section :-/
>
> I know one can do something like this:
>
> file { '/etc/ssh/ssh_host_rsa_key.pub':
>   ensure  => file,
>   mode    => 0644,
>   source  => [
>     'puppet:///private/etc/ssh/ssh_host_rsa_key.pub',
>     'puppet:///modules/sshd/ssh_host_rsa_key.pub',
>   ],
>   require => Package['openssh-server'],
>   notify  => Service['sshd'],
> }
>
> and put some blank default files in there, but I would much prefer to
> build the keys if they are not there, and I presume I need some puppet
> magic here :-/
>
> Any ideas?

Part of our server bootstrapping process is to copy over the ssh keys to the puppetmaster after puppet has installed openssh-server.

As far as generating the keys, that should be pretty straightforward using ssh-keygen.

-mz
On 11/28/2012 09:10 PM, Matt Zagrabelny wrote:
> Part of our server bootstrapping process is to copy over the ssh keys
> to the puppetmaster after puppet has installed openssh-server.

So how do you do that with puppet? Or do you use cobbler/FAI or that kind of tool for that particular task?

> As far as generating the keys, that should be pretty straightforward
> using ssh-keygen.

I know that, but I want to generate it only if the keys are not in the folder...
On Wed, Nov 28, 2012 at 2:14 PM, Jakov Sosic <jsosic@srce.hr> wrote:
> On 11/28/2012 09:10 PM, Matt Zagrabelny wrote:
>
>> Part of our server bootstrapping process is to copy over the ssh keys
>> to the puppetmaster after puppet has installed openssh-server.
>
> So how do you do that with puppet? Or you use cobbler/FAI or that kind
> of tool for that particular task?

Copy+paste. Not all of our processes are automated...yet.

>
>> As far as generating the keys, that should be pretty straightforward
>> using ssh-keygen.
>
> I know that but I want to generate it only if keys are not in folder...

Whatever is generating your node manifest (on the master) could also perform either:

1) scp ssh keys from the node to master
or
2) run ssh-keygen on master

Unless you are using the "default" node, this should work.

-mz
On 11/28/2012 09:19 PM, Matt Zagrabelny wrote:
> Whatever is generating your node manifest (on the master) could also
> perform either:
>
> 1) scp ssh keys from the node to master
> or
> 2) run ssh-keygen on master
>
> Unless you are using the "default" node, this should work.

I have an idea about #2. I won't copy keys from nodes, but generate them on the master if they are not there already. If I succeed I will post the solution.
On 11/28/2012 09:19 PM, Matt Zagrabelny wrote:
> Whatever is generating your node manifest (on the master) could also
> perform either:
>
> 1) scp ssh keys from the node to master
> or
> 2) run ssh-keygen on master
>
> Unless you are using the "default" node, this should work.

OK, I've found an elegant way to do it. Basically this is what I do:

class ssh::server {
  ...
  ...
  # generate() runs the script on the master at catalog compile time
  if generate('/etc/puppet/modules/ssh/scripts/generate_host_keys.sh', $keys_dir) {
    include ssh::server::keys
  }
  ...
  ...
}

class ssh::server::keys {
  file { '/etc/ssh/ssh_host_dsa_key':
    ...
    ...
  file { '/etc/ssh/ssh_host_rsa_key':
    ...
    ...
}

And the generate script looks like this:

#!/bin/bash

# check arg0: dir for keys
[ -z "$1" ] && echo "Please specify directory for key generation" && exit 1
KEYSDIR="$1"

# set umask
umask 0022

# create directory tree if it does not exist
[ ! -d "$KEYSDIR" ] && mkdir -p "$KEYSDIR"

# key generation functions, adapted from /etc/init.d/sshd on CentOS 6:
# each one only generates its key pair if the private key is missing or empty
do_rsa1_keygen() {
    if [ ! -s "$KEYSDIR/ssh_host_key" ]; then
        echo "Generating SSH1 RSA host key"
        ssh-keygen -q -t rsa1 -f "$KEYSDIR/ssh_host_key" -C '' -N '' >/dev/null || exit 1
    fi
}
do_rsa_keygen() {
    if [ ! -s "$KEYSDIR/ssh_host_rsa_key" ]; then
        echo "Generating SSH2 RSA host key"
        ssh-keygen -q -t rsa -f "$KEYSDIR/ssh_host_rsa_key" -C '' -N '' >/dev/null || exit 1
    fi
}
do_dsa_keygen() {
    if [ ! -s "$KEYSDIR/ssh_host_dsa_key" ]; then
        echo "Generating SSH2 DSA host key"
        ssh-keygen -q -t dsa -f "$KEYSDIR/ssh_host_dsa_key" -C '' -N '' >/dev/null || exit 1
    fi
}

do_rsa1_keygen
do_rsa_keygen
do_dsa_keygen

chmod -R 640 "$KEYSDIR"/*
exit 0

do_rsa1/do_rsa/do_dsa are bash functions that I got from /etc/init.d/sshd on CentOS 6... And it works like a charm! On the first puppet run, keys are generated, put into the "private" section under the fqdn's dir, and propagated to the client, and that's it. After reinstallation of the client, the files are already in private, so they won't be regenerated.
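A constructed, stand-alone version of the master-side script that the thread's generate() call runs (added here; it is not Jakov's script nor the CentOS init functions). It creates only the key pairs missing from the per-host directory, keeps that directory and the private keys readable by root only since the master ends up holding every host's private key, and always prints a token on success so that generate() returns a non-empty string even on runs where nothing had to be created. It assumes ssh-keygen is on PATH; the default key types rsa and ed25519 are my choice, not the rsa1/dsa types used above.

```shell
#!/bin/bash
# Constructed example: idempotent per-host SSH host key generation, meant to be
# called from Puppet's generate() on the master as
#   generate('/path/to/generate_host_keys.sh', $keys_dir [, 'rsa', 'ed25519'])
# Assumes ssh-keygen on PATH. Not the list poster's script.

# Generate one key pair of type $2 into directory $1, only if the private key
# is absent or empty. Returns 0 if the pair now exists, 1 on failure.
ensure_host_key() {
    dir="$1"; type="$2"
    priv="$dir/ssh_host_${type}_key"
    if [ ! -s "$priv" ]; then
        # -N '' : empty passphrase (sshd must load the key unattended)
        # -C '' : no comment, so the master's hostname is not embedded in the key
        ssh-keygen -q -t "$type" -N '' -C '' -f "$priv" </dev/null || return 1
    fi
    # Private key root-only, public key world-readable (sshd requires 0600 on private).
    chmod 0600 "$priv" && chmod 0644 "$priv.pub"
}

# Generate every requested key type (default: rsa ed25519) into $1.
# The directory holds private keys for this host, so it is created 0700.
# Prints "ok" on success so that Puppet's generate() yields a non-empty string
# on every run, not only on the run that created the keys.
generate_host_keys() {
    dir="$1"; shift
    types="${*:-rsa ed25519}"
    umask 077
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    for t in $types; do
        ensure_host_key "$dir" "$t" || { echo "failed: $t" >&2; return 1; }
    done
    echo ok
}

# Run only when invoked with arguments (generate() passes the keys directory).
if [ $# -ge 1 ]; then
    generate_host_keys "$@"
fi
```

On the master, point `$keys_dir` at the per-host path under the private mount (for example `/etc/puppet/private/<fqdn>/etc/ssh` when the mount uses `%H`) so that the generated files line up with the `puppet:///private/etc/ssh/...` sources used earlier in the thread.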