Managing ssh server's keys?


Jakov Sosic

Nov 26, 2012, 2:47:42 PM
to puppet...@googlegroups.com
Hi.

I'm wondering whether there is a way to manage ssh servers such that every
machine has its own key?

I'm talking about these files:

/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub


Ideally I would like to have a module that replaces those files with
files from puppet server, for specific host, if they are available, and
if not, then to gather them from the client.

I think this is not possible, so is there some sensible way to manage
those files in a different fashion? Holding every file under:

/etc/puppet/files/ssh/<%= hostname %>

is a possibility, but if someone has done this already I would appreciate
some hints.


I'm trying to set up persistent ssh server keys across reinstallations
of hosts...


--
Jakov Sosic
www.srce.unizg.hr

Matt Zagrabelny

Nov 26, 2012, 2:54:37 PM
to puppet...@googlegroups.com
On Mon, Nov 26, 2012 at 1:47 PM, Jakov Sosic <jso...@srce.hr> wrote:
> Hi.
>
> I'm wondering is there a way to manage ssh servers, in a way that every
> machine has it's own key?

I've used the "private" file server mechanism to serve out node sensitive files.

The following snippet shows this:

    class ssh::config($sshd_config_source =
      "puppet:///modules/ssh/etc/ssh/sshd_config") {
      file { "/etc/ssh/sshd_config":
        source  => $sshd_config_source,
        require => Class["ssh::install"],
        notify  => Service["ssh"],
      }
      file { "/etc/pam.d/sshd":
        source  => "puppet:///modules/ssh/etc/pam.d/sshd",
        require => [ Class["ssh::install"], Class["libpam_radius_auth"] ],
      }
      # Host keys come from the per-node "private" file server mount, so
      # a node is only ever served its own key pair.
      file { "/etc/ssh/ssh_host_dsa_key":
        mode    => "0600",
        source  => "puppet:///private/etc/ssh/ssh_host_dsa_key",
        require => Class["ssh::install"],
        notify  => Service["ssh"],
      }
      file { "/etc/ssh/ssh_host_dsa_key.pub":
        source  => "puppet:///private/etc/ssh/ssh_host_dsa_key.pub",
        require => Class["ssh::install"],
        notify  => Service["ssh"],
      }
      file { "/etc/ssh/ssh_host_rsa_key":
        mode    => "0600",
        source  => "puppet:///private/etc/ssh/ssh_host_rsa_key",
        require => Class["ssh::install"],
        notify  => Service["ssh"],
      }
      file { "/etc/ssh/ssh_host_rsa_key.pub":
        source  => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",
        require => Class["ssh::install"],
        notify  => Service["ssh"],
      }
    }

-mz

Chad Huneycutt

Nov 26, 2012, 3:18:49 PM
to puppet...@googlegroups.com
Take a look at https://github.com/gtcoc/sshkeys for an idea. It isn't
documented well (yet), so here are some rough notes:

* the module assumes you are using hiera to supply default arguments.
you can see the default values in the hieradata directory
* the sshkeys::hostkeys class best shows how it works:
+ the master makes a call (via generate) to a perl script (sshkeys.pl)
+ the perl script either retrieves or generates a new key for the host
* assuming you set up hiera properly (or otherwise specify default
parameter values), I think all you should need to use this is:

on the puppet master: include sshkeys::install

and on the nodes: include sshkeys::hostkeys

* if you want to distribute the keys into a known_hosts file, then you
have to set up a file serving location for the file and pull it down.
I created a module that I use for serving various files in our
environment, and I set the parameter
'sshkeys::install::knownhosts_servedir' to put the file in the proper
place. Then on all of my hosts I add a file resource:

    file { '/etc/ssh/ssh_known_hosts':
      source => 'puppet:///modules/ccfiles/ssh_known_hosts',
      mode   => '0444',
      owner  => 'root',
      group  => 'root',
    }

Hope that helps,
Chad
--
Chad M. Huneycutt

Jakov Sosic

Nov 26, 2012, 5:05:35 PM
to puppet...@googlegroups.com
On 11/26/2012 08:54 PM, Matt Zagrabelny wrote:

> file { "/etc/ssh/ssh_host_rsa_key.pub":
> source => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",

I didn't know about this one, do I need any special configuration of the
puppetmaster for this to work, or is this a builtin?

Matt Zagrabelny

Nov 26, 2012, 5:09:30 PM
to puppet...@googlegroups.com
Hi Jakov,

Here is my fileserver.conf:

root@puppet:/etc/puppet# cat /etc/puppet/fileserver.conf
# This file consists of arbitrarily named sections/modules
# defining where files are served from and to whom

# Define a section 'files'
# Adapt the allow/deny settings to your needs. Order
# for allow/deny does not matter, allow always takes precedence
# over deny
[files]
path /etc/puppet/files
# allow *.example.com
# deny *.evil.example.com
# allow 192.168.0.0/24

[plugins]
# allow *.example.com
# deny *.evil.example.com
# allow 192.168.0.0/24

[private]
path /etc/puppet/private/%h
allow *


You would then put stuff at:

/etc/puppet/private/node-01/etc/ssh/ssh_host_rsa_key
.
.
etc.

When node-01 connects to your puppetmaster, it can only "see" its own
private file space.

-mz
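Chad's point about distributing the keys into ssh_known_hosts and Matt's per-node [private] layout fit together: once the master keeps every node's key pair under /etc/puppet/private/<host>/etc/ssh, it already holds all the public halves and can assemble the known_hosts file itself. The script below is an added example, not code from the thread or from the gtcoc/sshkeys module. It assumes the tree is keyed by fqdn (that is, "path /etc/puppet/private/%H" in the [private] section) and the output root /etc/puppet/files is the [files] path from Matt's fileserver.conf; both are assumptions. Before emitting an entry it checks each .pub file the way a practitioner would want: the declared key type is one it knows, the file name matches that type, and the type string embedded in the base64 key blob matches too, so a truncated or misplaced key aborts the build instead of shipping a bad line to every node.

```shell
#!/bin/sh
# Added example, not code from the thread or from the gtcoc/sshkeys module.
# Builds ssh_known_hosts from the public keys the master already keeps per
# node under PRIVATE_ROOT/<fqdn>/etc/ssh/ssh_host_*_key.pub (assumed layout,
# i.e. a [private] section with "path /etc/puppet/private/%H").
set -eu

# known_hosts_entry FQDN PUBFILE
# Prints one ssh_known_hosts line for PUBFILE after checking that it is
# well-formed: at least "type material", a key type we accept, a file
# name matching the declared type, and key material whose embedded type
# string (the first length-prefixed field of the SSH wire blob) matches
# the declared type as well. Any failure returns 1 and prints nothing.
known_hosts_entry() {
    fqdn="$1"; pub="$2"
    short="${fqdn%%.*}"
    set -- $(head -n 1 "$pub")
    [ "$#" -ge 2 ] || { echo "$pub: missing key material" >&2; return 1; }
    keytype="$1"; material="$2"
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "$pub: unsupported key type $keytype" >&2; return 1 ;;
    esac
    case "$pub" in
        *ssh_host_rsa_key.pub)     want="ssh-rsa" ;;
        *ssh_host_ed25519_key.pub) want="ssh-ed25519" ;;
        *ssh_host_ecdsa_key.pub)   want="ecdsa-sha2-nistp" ;;
        *)                         want="" ;;
    esac
    case "$keytype" in
        "$want"*) ;;
        *) echo "$pub: file name does not match key type $keytype" >&2; return 1 ;;
    esac
    # Bytes 5.. of the decoded blob start with the type string; compare
    # exactly as many bytes as the declared type has characters.
    embedded=$(printf '%s' "$material" | base64 -d 2>/dev/null \
               | tail -c +5 | head -c "${#keytype}")
    [ "$embedded" = "$keytype" ] || { echo "$pub: blob is not a $keytype key" >&2; return 1; }
    if [ "$short" = "$fqdn" ]; then
        printf '%s %s %s\n' "$fqdn" "$keytype" "$material"
    else
        printf '%s,%s %s %s\n' "$fqdn" "$short" "$keytype" "$material"
    fi
}

# build_known_hosts PRIVATE_ROOT
# Prints the sorted ssh_known_hosts content for every host directory under
# PRIVATE_ROOT. One malformed .pub aborts the whole build (return 1, no
# output), so a bad entry is never shipped to the nodes.
build_known_hosts() {
    root="$1"
    tmp=$(mktemp)
    for hostdir in "$root"/*/; do
        [ -d "$hostdir" ] || continue
        fqdn=$(basename "$hostdir")
        for pub in "$hostdir"etc/ssh/ssh_host_*_key.pub; do
            [ -f "$pub" ] || continue
            known_hosts_entry "$fqdn" "$pub" >>"$tmp" || { rm -f "$tmp"; return 1; }
        done
    done
    sort "$tmp"
    rm -f "$tmp"
}

# On the master, e.g. from cron or a post-commit hook (paths assumed):
#   build_known_hosts /etc/puppet/private > /etc/puppet/files/ssh_known_hosts
if [ "$#" -gt 0 ]; then
    build_known_hosts "$1"
fi
```

The generated file is then served from the [files] section (puppet:///files/ssh_known_hosts) by a file resource like Chad's. The "fqdn,shortname" form lets clients that connect by either name match the entry; add the IP as a third alias if your users ssh to addresses.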

Tim Mooney

Nov 26, 2012, 5:58:04 PM
to puppet...@googlegroups.com
In regard to: Re: [Puppet Users] Managing ssh server's keys?, Matt...:

> Here is my fileserver.conf:

> [private]
> path /etc/puppet/private/%h
> allow *

FWIW, we're handling ssh keys and other sensitive full-file content nearly
identically, although we chose "/secure" rather than "/private" and we're
using %H (fqdn) rather than %h (short host name).

Tim
--
Tim Mooney Tim.M...@ndsu.edu
Enterprise Computing & Infrastructure 701-231-1076 (Voice)
Room 242-J6, IACC Building 701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

Jakov Sosic

Nov 28, 2012, 2:50:22 PM
to puppet...@googlegroups.com
On 11/26/2012 08:54 PM, Matt Zagrabelny wrote:
> On Mon, Nov 26, 2012 at 1:47 PM, Jakov Sosic <jso...@srce.hr> wrote:
>> Hi.
>>
>> I'm wondering is there a way to manage ssh servers, in a way that every
>> machine has it's own key?
>
> I've used the "private" file server mechanism to serve out node sensitive files.


Thank you for the idea. Now the only problem left is how to call a
script to generate keys if the files are not available in the private section :-/

I know one can do something like this:

    file { '/etc/ssh/ssh_host_rsa_key.pub':
      ensure  => file,
      mode    => '0644',
      # first source that exists wins: the node's private copy, else a default
      source  => [
        'puppet:///private/etc/ssh/ssh_host_rsa_key.pub',
        'puppet:///modules/sshd/ssh_host_rsa_key.pub',
      ],
      require => Package['openssh-server'],
      notify  => Service['sshd'],
    }

and put some blank default files in there, but I would much prefer to
build the keys if they are not there, and I presume I need some puppet
magic here :-/

Any ideas?

Matt Zagrabelny

Nov 28, 2012, 3:10:07 PM
to puppet...@googlegroups.com
Part of our server bootstrapping process is to copy over the ssh keys
to the puppetmaster after puppet has installed openssh-server.

As far as generating the keys, that should be pretty straightforward
using ssh-keygen.

-mz

Jakov Sosic

Nov 28, 2012, 3:14:55 PM
to puppet...@googlegroups.com
On 11/28/2012 09:10 PM, Matt Zagrabelny wrote:

> Part of our server bootstrapping process is to copy over the ssh keys
> to the puppetmaster after puppet has installed openssh-server.

So how do you do that with puppet? Or do you use cobbler/FAI or that kind
of tool for that particular task?



> As far as generating the keys, that should be pretty straightforward
> using ssh-keygen.

I know that, but I want to generate them only if the keys are not in the folder...

Matt Zagrabelny

Nov 28, 2012, 3:19:06 PM
to puppet...@googlegroups.com
On Wed, Nov 28, 2012 at 2:14 PM, Jakov Sosic <jso...@srce.hr> wrote:
> On 11/28/2012 09:10 PM, Matt Zagrabelny wrote:
>
>> Part of our server bootstrapping process is to copy over the ssh keys
>> to the puppetmaster after puppet has installed openssh-server.
>
> So how do you do that with puppet? Or you use cobbler/FAI or that kind
> of tool for that particular task?

Copy+paste. Not all of our processes are automated...yet.

>
>> As far as generating the keys, that should be pretty straightforward
>> using ssh-keygen.
>
> I know that but I want to generate it only if keys are not in folder...

Whatever is generating your node manifest (on the master) could also
perform either:

1) scp ssh keys from the node to master
or
2) run ssh-keygen on master

Unless you are using the "default" node, this should work.

-mz

Jakov Sosic

Nov 28, 2012, 3:29:49 PM
to puppet...@googlegroups.com
On 11/28/2012 09:19 PM, Matt Zagrabelny wrote:

> Whatever is generating your node manifest (on the master) could also
> perform either:
>
> 1) scp ssh keys from the node to master
> or
> 2) run ssh-keygen on master
>
> Unless you are using the "default" node, this should work.

I have an idea about #2. I won't copy keys from nodes, but generate them
on the master if they are not there already.

If I succeed I will post solution.

Jakov Sosic

Dec 4, 2012, 5:19:20 PM
to puppet...@googlegroups.com
On 11/28/2012 09:19 PM, Matt Zagrabelny wrote:

> Whatever is generating your node manifest (on the master) could also
> perform either:
>
> 1) scp ssh keys from the node to master
> or
> 2) run ssh-keygen on master
>
> Unless you are using the "default" node, this should work.

OK, I've found an elegant way to do it. Basically this is what I do:

    class ssh::server {
      ...
      ...
      # generate() runs the script on the master and returns its stdout
      if generate('/etc/puppet/modules/ssh/scripts/generate_host_keys.sh',
                  $keys_dir) {
        include ssh::server::keys
      }
      ...
      ...
    }

    class ssh::server::keys {
      file { '/etc/ssh/ssh_host_dsa_key':
        ...
      }
      file { '/etc/ssh/ssh_host_rsa_key':
        ...
      }
    }


And generate script looks like this:

    #!/bin/bash

    # first argument: directory the host keys are generated into
    [ -z "$1" ] && echo "Please specify directory for key generation" && exit 1
    KEYSDIR="$1"

    # set umask
    umask 0022

    # create directory tree if it does not exist
    [ ! -d "$KEYSDIR" ] && mkdir -p "$KEYSDIR"

    # do_rsa1_keygen, do_rsa_keygen and do_dsa_keygen are the key-generation
    # functions from /etc/init.d/sshd on CentOS 6 (not reproduced here); they
    # have to be defined in, or sourced into, this script before these calls.
    # Whatever they print is what Puppet's generate() hands back to the manifest.
    do_rsa1_keygen
    do_rsa_keygen
    do_dsa_keygen

    chmod -R 640 "$KEYSDIR"/*
    exit 0


do_rsa1/do_rsa/do_dsa are bash functions that I got from
/etc/init.d/sshd on CentOS 6... And it works like a charm! On the first puppet
run, the keys are generated, put into the "private" section under the fqdn's
dir, and propagated to the client, and that's it. After reinstallation of
the client, the files are already in private, so they won't be regenerated.
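A current version of that generate script, written here as an added example rather than Jakov's code, is below. It assumes the same per-node directory on the master (e.g. /etc/puppet/private/node-01.example.com/etc/ssh, matching "path /etc/puppet/private/%H"), an ssh-keygen from OpenSSH 6.5 or later (ed25519), and 6.8 or later for the fingerprint helper; the KEY_TYPES variable and both function names are this example's own. It is idempotent: each key type is generated only when its pair is missing, private keys end up 0600 and public keys 0644, and the script prints a line only for a key it actually created, which is the stdout that generate() returns to the manifest. Two caveats worth stating: ssh_host_key (protocol 1) and DSA are deliberately not generated, since OpenSSH 7.0 and later disable both by default; and with this design the master is an escrow of every node's private host key, so /etc/puppet/private deserves the same protection as the master's CA directory.

```shell
#!/bin/sh
# Added example (not Jakov's script). Generates any missing host keys for
# one node into the node's [private] directory on the master, e.g.
#   generate_host_keys.sh /etc/puppet/private/node-01.example.com/etc/ssh
# (path is an assumption matching "path /etc/puppet/private/%H").
# Assumes ssh-keygen from OpenSSH 6.5+ (ed25519); fingerprints() needs 6.8+.
set -eu
umask 077   # new files are owner-only; public keys are relaxed explicitly

# Types to provision; override per call with KEY_TYPES="rsa ed25519".
# rsa1 (ssh_host_key) and dsa are left out on purpose: OpenSSH 7.0+
# disables protocol 1 and DSA host keys by default.
KEY_TYPES="${KEY_TYPES:-rsa ecdsa ed25519}"

# generate_host_keys DIR
# Creates ssh_host_<type>_key and .pub in DIR for each missing type.
# Prints one line per key it generated and nothing on a no-op run, so
# the caller (Puppet's generate(), which returns the script's stdout)
# can tell a first run from a rerun.
generate_host_keys() {
    dir="$1"
    [ -n "$dir" ] || { echo "usage: generate_host_keys DIR" >&2; return 1; }
    mkdir -p "$dir"
    for t in $KEY_TYPES; do
        key="$dir/ssh_host_${t}_key"
        if [ -s "$key" ] && [ -s "$key.pub" ]; then
            continue                      # already provisioned, keep it
        fi
        rm -f "$key" "$key.pub"           # never reuse a half-written pair
        # -N '': no passphrase (sshd loads it unattended)
        # -C '': empty comment, so the master's user@host is not embedded
        # -q:    quiet, the echo below is the only stdout
        ssh-keygen -q -t "$t" -N '' -C '' -f "$key"
        chmod 0600 "$key"
        chmod 0644 "$key.pub"
        echo "generated $t host key in $dir"
    done
}

# fingerprints DIR
# SHA256 fingerprints of the public keys in DIR, for an inventory or for
# comparing with what the node presents after the keys were pushed.
fingerprints() {
    for pub in "$1"/ssh_host_*_key.pub; do
        if [ -f "$pub" ]; then
            ssh-keygen -l -E sha256 -f "$pub"
        fi
    done
}

if [ "$#" -gt 0 ]; then
    generate_host_keys "$1"
fi
```

Because it only creates what is missing, rotating one node's keys is just deleting that node's pair on the master before the next agent run; a reinstall of the node changes nothing on the master, which is exactly the persistence the thread was after.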