Generate user SSH keys on nodes and make public keys available as facts. These
facts can then be collected as exported resources to populate
ssh_authorized_key
resources.
Note that, with this workflow, the agent will have to run twice before the keys are available -- facts are collected before resources are created, so the first time through the keypair will be generated and the second time the public key will be available as a fact.
Note, that, also populating the user_ssh_pubkey
external fact is (currently)
unimplemented.
Facts with the following formats are created, which correspond with the
parameters for the ssh_authorized_key
type:
<username>_ssh(rsa|dsa|ecdsa|ed25519)key
<username>_ssh(rsa|dsa|ecdsa|ed25519)key_comment
<username>_ssh(rsa|dsa|ecdsa|ed25519)key_type
The list of users whose public keys are to be collected as facts is configured
by the user_ssh_pubkey
fact, which can be set using external facts. For
example:
$ cat /etc/facter/facts.d/user_ssh_pubkey.yaml
---
user_ssh_pubkey: jensenb,alice,bob
Type user_ssh_pubkey
can be used to generate DSA or RSA keys on nodes.
Parameters are consistent with parameters for ssh_authorized_key
where
possible.
Currently this is implemented as a Puppet defined type, which results in an
exec
type which runs ssh-keygen
.
Keys are generated with null passphrases.
-
name The SSH key comment. Ideally this would be something like "$user/ssh-$type@$::fqdn"; if so, the user and type parameters can be left unspecified.
-
user namevar The user in whose home directory to create the key.
-
target The absolute filename base to store the private and public keys in. This parameter should generally be avoided, as it breaks the facts.
-
type The key type: "dsa", "rsa", "ecdsa", "ed25519". Note that semantics of this parameter are different from the
*_type
fact and "type" parameter forssh_authorized_key
. -
user The user account in which the SSH key should be generated.
-
bits The number of bits in the key. See
ssh-keygen(1)
for limits.
For the source or client node, generate an SSH key, collect the fact and
create an exported ssh_authorized_key
resource:
user_ssh_pubkey { "repocloner/ssh-rsa@${::fqdn}": }
file { '/etc/facter/facts.d/user_ssh_pubkey.txt':
ensure => present,
content => "user_ssh_pubkey=repocloner\n",
owner => 'root',
group => 'root',
mode => '0644',
}
if $::repocloner_sshrsakey {
@@ssh_authorized_key { $::repocloner_sshrsakey_comment:
ensure => present,
key => $::repocloner_sshrsakey,
user => 'repocloner',
type => $::repocloner_sshrsakey_type,
tag => [ 'repocloner-ssh-key' ],
}
}
If the client node's name is used in the name (comment) of the
user_ssh_pubkey
, then exported resources from multiple client
nodes can be generated.
For the target or server node, collect the exported resource:
Ssh_authorized_key <<| tag == 'repocloner-ssh-key' |>>
One could also use user
parameter instead of a tag for selecting the
exported resources instead of a tag.
Apache 2.0
Wil Cooley <wcooley(at)nakedape.cc>
Please log tickets and issues at our Github issues.