Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FEATURE] Implement storing ssh keys for users in separate pillar files #224

Open
MurzNN opened this issue Mar 8, 2021 · 2 comments
Open

Comments

@MurzNN
Copy link

MurzNN commented Mar 8, 2021

Is your feature request related to a problem?

In pillar.example there are example how to read keys from state files:

    ssh_keys:
      # or you can provide path to key on Salt fileserver
      privkey: salt://path_to_PRIVATEKEY
      pubkey: salt://path_to_PUBLICKEY

But storing private keys in state files is insecure, for example here is recommendation to not do this.
And most of users will follow that example, without understanding the security risks when store private keys as files into state storage.

Also filling long private key text inside yaml is not good solution too, because operating with separate files is much more universal (eg for regenerating, reusing in other scripts).

Describe the solution you'd like

For solve this problem will be good to implement reading contents if ssh keys from file inside pillar structure.

Here is feature request about build-in support for this in SaltStack, so we could use something like this:

    ssh_keys:
      # or you can provide path to key on Salt fileserver
      privkey: pillar://path_to_PRIVATEKEY
      pubkey: pillar://path_to_PUBLICKEY

but it is closed with recommendation to use salt.pillar.file_tree, that isn't suitable for current task.

So, is it possible to implement this feature in users-formula itself? Or maybe you can provide some workaround for this?

Describe alternatives you've considered

Some alternatives are provided in issues saltstack/salt#18406, saltstack/salt#3790 and saltstack/salt#1543 but they isn't good.

@MurzNN
Copy link
Author

MurzNN commented Mar 8, 2021

Here https://github.com/saltstack-formulas/nginx-formula/blob/master/pillar.example#L291 is example how this is implemented in nginx-formula:

  certificates:
    'www.example.com':

      # choose one of: deploying this cert by pillar (e.g. in combination with
      # ext_pillar and file_tree)
      # public_cert_pillar: certs:example.com:fullchain.pem
      # private_key_pillar: certs:example.com:privkey.pem

And here is the code that implement this: https://github.com/saltstack-formulas/nginx-formula/blob/cb98ed05c69af62c32e4b780498421cf4bdd2856/nginx/certificates.sls#L58-L62

@MurzNN
Copy link
Author

MurzNN commented Mar 8, 2021

At now I composed this workaround for store keys in separate plain files:

users:
  alice:
    ssh_keys:
      {%- import_text 'ssh-keys/alice_rsa' as ssl_cert %}
      privkey: |
        {{ ssl_cert|indent(8) }}
      {%- import_text 'ssh-keys/alice_rsa_pub' as ssl_cert_pub %}
      pubkey: |
        {{ ssl_cert_pub|indent(8) }}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant