Jist Anidiot
2013-Jan-11 15:53 UTC
[Puppet Users] ssh::auth and other ways of managing ssh keys
With puppet 3.x I was wondering if the ssh::auth module (http://projects.puppetlabs.com/projects/puppet/wiki/Module_Ssh_Auth_Patterns) is still the preferred way of creating and distributing ssh keys. The module hasn't been updated since 2010 and I've seen several other possible solutions.

Should I just use the ssh_authorized_key type? What are people using now?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/BmJHy-KOXC8J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Peter Brown
2013-Jan-13 22:41 UTC
Re: [Puppet Users] ssh::auth and other ways of managing ssh keys
On 12 January 2013 01:53, Jist Anidiot <jistanidiot@gmail.com> wrote:

> With puppet 3.x I was wondering if the ssh::auth module (
> http://projects.puppetlabs.com/projects/puppet/wiki/Module_Ssh_Auth_Patterns)
> is still the preferred way of creating and distributing ssh keys. The
> module hasn't been updated since 2010 and I've seen several other possible
> solutions.
>
> Should I just use the ssh_authorized_key type? What are people using now?

I tried the ssh::auth module when I first started using puppet but never got it working and switched to using ssh_authorized_key and user and group resources.
We had a small shop at the time and it was easier to make an entry for each user.

I recently stopped using puppet to manage users and ssh keys but that's another story...
Ashley Gould
2013-Jan-14 20:09 UTC
Re: [Puppet Users] ssh::auth and other ways of managing ssh keys
On Mon, Jan 14, 2013 at 08:41:38AM +1000, Peter Brown wrote:

> On 12 January 2013 01:53, Jist Anidiot <jistanidiot@gmail.com> wrote:
>
> > With puppet 3.x I was wondering if the ssh::auth module (
> > http://projects.puppetlabs.com/projects/puppet/wiki/Module_Ssh_Auth_Patterns)
> > is still the preferred way of creating and distributing ssh keys. The
> > module hasn't been updated since 2010 and I've seen several other possible
> > solutions.
> >
> > Should I just use the ssh_authorized_key type? What are people using now?
>
> I tried the ssh::auth module when I first started using puppet but never
> got it working and switched to using ssh_authorized_key and user and group
> resources.
> We had a small shop at the time and it was easier to make an entry for each
> user.
>
> I recently stopped using puppet to manage users and ssh keys but that's
> another story...

I use the ssh:auth module, or rather I adapted the puppet-sshauth module https://github.com/vurbia/puppet-sshauth which is an adaptation of ssh:auth. puppet-sshauth uses exported resources instead of plain virtual resources. Otherwise it is mostly identical.

I did a lot of reworking of puppet-sshauth. I was having strange issues when overriding parameters in the collection classes, especially in sshauth::client. I found I could not rely on the collection syntax to override more than a single param. So instead I use a series of if clauses to parse all possible permutations of potential params. Not as elegant, but reliable.

example:

orig:

    $_home = $home ? {
      ''      => $user ? {
        ''      => '',
        default => "/home/${user}",
      },
      default => $home,
    }

    if $ensure {
      Sshauth::Key::Client <| tag == $name |> {
        ensure => $ensure,
      }
    }

    if $filename {
      Sshauth::Key::Client <| tag == $name |> {
        filename => $filename,
      }
    }
    [cut]

revised:

    if ( $user and $ensure and $filename ) {
      #notify {"sshauth::client: user ensure filename":}
      Sshauth::Key::Client <<| tag == $name |>> {
        user     => $user,
        ensure   => $ensure,
        filename => $filename,
      }
    } elsif ( $user and $ensure ) {
      #notify {"sshauth::client: user and ensure":}
      Sshauth::Key::Client <<| tag == $name |>> {
        user   => $user,
        ensure => $ensure,
      }
    } elsif ( $ensure and $filename ) {
      #notify {"sshauth::client: ensure and filename":}
      Sshauth::Key::Client <<| tag == $name |>> {
        ensure   => $ensure,
        filename => $filename,
      }
    [cut]

I've created a puppet-sshauth repo on github:
https://github.com/ashleygould/puppet-sshauth

I would very much like to work with others on perfecting this module. Management of keypairs is really useful. 2 improvements I imagine are using hiera as the keystore and adding ability to install the same pubkey into multiple user accounts on a single node.

--
-ashley
Did you try poking at it with a stick?
nicolas vigier
2013-Jan-15 14:56 UTC
Re: [Puppet Users] ssh::auth and other ways of managing ssh keys
On Mon, 14 Jan 2013, Ashley Gould wrote:

> I've created a puppet-sshauth repo on github:
> https://github.com/ashleygould/puppet-sshauth
>
> I would very much like to work with others on perfecting this
> module. Management of keypairs is really useful. 2 improvements I
> imagine are using hiera as the keystore and adding ability to install
> the same pubkey into multiple user accounts on a single node.

Hello,

I also reworked the ssh::auth module:
https://github.com/boklm/puppet-sshkeys

The main changes in this version are:
- allow installing the same pubkey into multiple user accounts
- allow installing multiple key pairs or pubkeys into one account
- remove use of exported resources, for simplification
- renaming resources to create_key, set_client_key_pair and set_authorized_keys instead of key, client, server because I think that's easier to understand

It's not using hiera but it looks like a good idea for an improvement.
Wolf Noble
2013-Jan-21 23:32 UTC
Re: [Puppet Users] ssh::auth and other ways of managing ssh keys
This is actually a module I would love to see CURATED by PL, as I believe it is a great real-world example to demonstrate the current recommendations from which many people can learn. The focus is pretty tight, however it could make a lot of people's lives easier.

Many community members(1)(2)(3) (and I'm sure there are more) have mentioned that they've taken the time to improve on the existing module available on the (out of date) wiki(4) for their own needs. With some guidance and direction those improvements could be merged into a practical and useful example of some of the more intricate parts of puppet.

There are a lot of modules out there which have found interesting and creative ways to get from point A to point B. That doesn't mean that these are good examples to follow. I'm not asserting that there is always only ONE "right" way to do (something)… however there ARE several ways that are certainly NOT the right way, and discerning the difference is not always easy.

I have been under the impression that puppetlabs modules are as close to living reference material as it gets. I'd like to see more examples out there, as I think community modules will show a real increase in both quality, and code similarity with a stronger authoritative reference base.

In other words, with a little effort on puppetlabs' part, this could have the benefit of
- Really increasing the immediately available sexy that puppet can accomplish out of the box
- Further the community's proverbial fishing skill
- Increasing the efficiency of module creation, as there will be more 'trusted' examples to start from
- Theoretically, more of the community's modules would become increasingly compatible as there is a greater pool of reference material to evolve from. This could serve to improve the average quality of modules available.. ergo moar win.

Thoughts?
(1) https://github.com/boklm/puppet-sshkeys
(2) https://github.com/vurbia/puppet-sshauth
(3) https://github.com/ashleygould/puppet-sshauth
(4) http://projects.puppetlabs.com/projects/1/wiki/Module_Ssh_Auth_Patterns#detailed-usage

On Jan 15, 2013, at 8:56 AM, nicolas vigier <boklm@mars-attacks.org> wrote:

> On Mon, 14 Jan 2013, Ashley Gould wrote:
>
>> I've created a puppet-sshauth repo on github:
>> https://github.com/ashleygould/puppet-sshauth
>>
>> I would very much like to work with others on perfecting this
>> module. Management of keypairs is really useful. 2 improvements I
>> imagine are using hiera as the keystore and adding ability to install
>> the same pubkey into multiple user accounts on a single node.
>
> Hello,
>
> I also reworked the ssh::auth module:
> https://github.com/boklm/puppet-sshkeys
>
> The main changes in this version are:
> - allow installing the same pubkey into multiple user accounts
> - allow installing multiple key pairs or pubkeys into one account
> - remove use of exported resources, for simplification
> - renaming resources to create_key, set_client_key_pair and
>   set_authorized_keys instead of key, client, server because I think
>   that's easier to understand
>
> It's not using hiera but it looks like a good idea for an improvement.
Jist Anidiot
2013-Jan-23 20:45 UTC
Re: [Puppet Users] ssh::auth and other ways of managing ssh keys
> Thoughts?
> (1) https://github.com/boklm/puppet-sshkeys
> (2) https://github.com/vurbia/puppet-sshauth
> (3) https://github.com/ashleygould/puppet-sshauth
> (4) http://projects.puppetlabs.com/projects/1/wiki/Module_Ssh_Auth_Patterns#detailed-usage

I checked out all of these and I still opted to use the puppet builtin ssh_authorized_key and sshkey. Not quite the most powerful, but good enough.
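
An added example, not taken from any poster's message or from the modules linked in this thread: a minimal manifest that uses only the built-in user, group, ssh_authorized_key and sshkey types named in the replies above. The class name, account name, key comment and key body are constructed placeholders, and the exported sshkey assumes storeconfigs is enabled on the master.

```puppet
# Added example. Every name and the key body below are constructed placeholders.
class ssh_accounts {

  group { 'alice':
    ensure => present,
  }

  user { 'alice':
    ensure     => present,
    gid        => 'alice',
    home       => '/home/alice',
    managehome => true,
    shell      => '/bin/bash',
    require    => Group['alice'],
  }

  # Only the public half is distributed; the private key never passes
  # through Puppet. 'key' takes the base64 body alone, without the
  # leading type or the trailing comment.
  ssh_authorized_key { 'alice@workstation':
    ensure  => present,
    user    => 'alice',
    type    => 'ssh-rsa',
    key     => 'PLACEHOLDER_BASE64_PUBLIC_KEY_BODY',
    options => ['no-port-forwarding', 'no-agent-forwarding'],
    require => User['alice'],
  }

  # Revocation has to be declared. Deleting the resource above from the
  # manifest leaves the line in authorized_keys; switch it to
  # 'ensure => absent' and keep it until every node has applied it.

  # Export this node's host key, then collect every exported host key
  # into the system-wide ssh_known_hosts (requires storeconfigs).
  @@sshkey { $::fqdn:
    ensure       => present,
    type         => 'ssh-rsa',
    key          => $::sshrsakey,
    host_aliases => [$::hostname, $::ipaddress],
  }

  Sshkey <<| |>>
}
```

With this layout each user is one explicit entry in the manifest, which is the trade-off described in the replies above: less automation than the ssh::auth variants, but no key generation or private key storage on the master.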
Vasil Mikhalenya
2013-Jan-29 16:18 UTC
Re: [Puppet Users] ssh::auth and other ways of managing ssh keys
hi all,
if you have big storage of public keys (may be of employees) try this one https://github.com/bazilek/puppet-ssh_key_groups/

On Wed, Jan 23, 2013 at 11:45 PM, Jist Anidiot <jistanidiot@gmail.com> wrote:

>> Thoughts?
>> (1) https://github.com/boklm/puppet-sshkeys
>> (2) https://github.com/vurbia/puppet-sshauth
>> (3) https://github.com/ashleygould/puppet-sshauth
>> (4) http://projects.puppetlabs.com/projects/1/wiki/Module_Ssh_Auth_Patterns#detailed-usage
>
> I checked out all of these and I still opted to use the puppet builtin
> ssh_authorized_key and sshkey. Not quite the most powerful, but good enough.

--
Best regards,
Vasil Mikhalenya