Key Formats used in Master / Minions


monosij...@gmail.com

Mar 28, 2015, 1:26:15 PM
to salt-...@googlegroups.com

In trying out Saltstack and trying out keys I am realizing that SaltStack requires public keys only to be in a specific format that can only:

begin with the header:
-----BEGIN PUBLIC KEY-----
and end with:
-----END PUBLIC KEY-----

... n the OpenSSH standard, but which version?

Also read the following posts:

...
The normal RSA public key using ssh-keygen does not have the header / footer and begins with ssh-rsa and just does not work.

I am generating RSA keys with ssh-keygen and then even converting them to the PEM format using:
ssh-keygen -f $fileName.pub -e -m pem > $fileName.pubpem

which has the header / footer:
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----

However, even this PEM format does not work.

And I have been working with the stable and git/develop versions of Master / Minions.

Just wondering if this is being addressed - or if we only need to work with certain types of keys. And what are they, since this is an integral part of Master / Minions working together.

I have been looking for some documentation on exactly what type / format of keys will work for SaltStack and what will not. I assume I am missing something just very obvious?

If someone could please let me know what I may be missing (documentation, ssh key concepts perhaps?, naming conventions?) will be much appreciated.

Thank you.

Mono

Stephen Spencer

Mar 31, 2015, 9:09:50 AM
to salt-...@googlegroups.com

They are standard PEM-encoded RSA key pairs by way of M2Crypto by way of OpenSSL. 

What are you trying to accomplish?

-S

--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

monosij...@gmail.com

Mar 31, 2015, 11:29:52 AM
to salt-...@googlegroups.com
Stephen -

I am trying to preseed the master / minions from Vagrant, rather than auto-accept keys.

So I generate my own keys on Ubuntu using ssh-keygen - private/public keys and convert the public key to a pem format as well.

However this key format does not take.

So I wanted to find out how to generate keys on Linux to be able to preseed keys. Use OpenSSL?

Thanks.

Mono

Arnold Bechtoldt

Mar 31, 2015, 11:34:26 AM
to salt-...@googlegroups.com
Have you read
<http://docs.saltstack.com/en/latest/topics/tutorials/preseed_key.html>?


Arnold

--
Arnold Bechtoldt

Karlsruhe, Germany

On 31.03.15 17:29, monosij...@gmail.com wrote:
> [...]
> Also read the following posts:
> https://github.com/saltstack/salt/issues/1543
> https://github.com/saltstack/salt/issues/6277
> [...]

monosij...@gmail.com

Mar 31, 2015, 11:43:17 AM
to salt-...@googlegroups.com
Hi Arnold -

I had read that. But I wanted to use non-SaltStack utils (as in OS/Linux available utils) to manage my keys.

Then I would like SaltStack to use those keys. Not SaltStack give me the keys.

So I was using ssh-keygen - but those keys don't take on SaltStack.

I will try OpenSSL, but not sure if they will take either or how to best generate with OpenSSH for SaltStack.

I hope I am reading the docs right.

Thanks.

Mono

Stephen Spencer

Mar 31, 2015, 7:16:46 PM
to salt-...@googlegroups.com

There is also a new salt-cloud provider called "saltify" that uses the cloud bootstrap process to "salt" an "unsalted" (bland?) host. I've been using that for my local dev vms. They aren't managed by vagrant--just host snapshots, but the principle is the same. It's somewhat more straightforward to get going than the previously mentioned preseeding mechanism.

There is a salt wheel module to deal with key management functions, so all you'd need would be a venv with saltstack + deps to generate the keys yourself.

-S


Monosij Dutta-Roy

Apr 3, 2015, 12:02:17 AM
to salt-...@googlegroups.com
Hi Stephen -

Regarding SSH keys, the SSH keys did not work and neither did keys I generated using OpenSSL without a passphrase:

openssl genrsa -out $fileName.pem 4096
openssl rsa -in $fileName.pem -pubout -out $fileName.pub

I assume these keys should work if not the SSH keys?

I would like to manage keys from a base linux system using tools such as ssh-keygen or openssl.

But these OpenSSL keys don't work although they are exactly the same as the keys I had been using here:

The keys in this directory were 2 keys generated from Salt when I first started and duplicated to rename for different machines.

However the OpenSSL keys do not work and of course neither do the SSH keys.

Are both supposed to work? It seems you are OpenSSL only and not SSH keys? Although it took me some time to figure this out.

Thank you.


Joseph Hall

Apr 3, 2015, 10:26:06 AM
to salt-...@googlegroups.com
Currently, PyCrypto and M2Crypto are used to manage keys and encryption in Salt, using the ZMQ transport (RAET uses libsodium). The pub/priv keypair are just RSA keys with a size of at least 2048. The format is:

-----BEGIN RSA PRIVATE KEY-----
<KEY CONTENTS>
-----END RSA PRIVATE KEY-----

-----BEGIN PUBLIC KEY-----
<KEY CONTENTS>
-----END PUBLIC KEY-----

Salt manages these keys by itself. When a new master or minion spins up, it will auto-generate keys. A notable exception is Salt Cloud, which generates keys for a new minion before it is created, and then moves them into place itself. Example code for key creation can be found in salt/utils/cloud.py, in the gen_keys() function.

Since Salt Cloud is a well-known use case of key management outside of Salt's built-in management, it doesn't surprise me to hear that there are other use cases out there. Perhaps if you could give more detail about your use case (even just at a high level), the community would be better equipped to help.
"In order to create, you have to have the willingness, the desire to be challenged, to be learning." -- Ferran Adria (speaking at Harvard, 2011)
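An added example, not Salt's code and not from any poster in this thread, that checks a public key file against the format Joseph describes above: PEM armor labelled PUBLIC KEY (SubjectPublicKeyInfo) wrapping an RSA modulus of at least 2048 bits. It also recognises the PKCS#1 "RSA PUBLIC KEY" armor that `ssh-keygen -e -m pem` produces and the bare OpenSSH "ssh-rsa" line, both of which the thread reports as rejected. It uses only the standard library, and the modulus it encodes is a constructed stand-in, not a real RSA key.

```python
import base64, re

# Minimal DER helpers (stdlib only) so this runs without a crypto library.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body
def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _tlv(0x02, (b"\x00" + b) if b[0] & 0x80 else b)
def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption
def pkcs1_pub_der(n, e):  # PKCS#1 body, what `ssh-keygen -e -m pem` labels RSA PUBLIC KEY
    return _tlv(0x30, _der_int(n) + _der_int(e))
def spki_der(n, e):  # SubjectPublicKeyInfo, what `openssl rsa -pubout` labels PUBLIC KEY
    alg = _tlv(0x30, RSA_OID + b"\x05\x00")
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + pkcs1_pub_der(n, e)))
def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
def _modulus_bits(pkcs1):
    _, seq, _ = _read_tlv(pkcs1)
    _, n, _ = _read_tlv(seq)
    return int.from_bytes(n, "big").bit_length()

def inspect_pubkey(text):  # -> (armor label, modulus bits, matches the format Salt expects)
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", text, re.S)
    if not m:  # e.g. an OpenSSH "ssh-rsa AAAA..." line: no PEM armor at all
        return ("no PEM armor", 0, False)
    label, der = m.group(1), base64.b64decode(m.group(2))
    if label == "PUBLIC KEY":  # AlgorithmIdentifier, then a BIT STRING holding the PKCS#1 key
        _, seq, _ = _read_tlv(der)
        _, _, pos = _read_tlv(seq)
        _, bitstr, _ = _read_tlv(seq, pos)
        bits = _modulus_bits(bitstr[1:])  # skip the unused-bits octet
        return (label, bits, bits >= 2048)
    if label == "RSA PUBLIC KEY":  # bare SEQUENCE {n, e}: valid PEM, but not the header Salt wants
        return (label, _modulus_bits(der), False)
    return (label, 0, False)

FAKE_N, FAKE_E = (1 << 2047) | 0x1F, 65537  # constructed 2048-bit stand-in, NOT a real RSA modulus
GOOD_PEM = to_pem("PUBLIC KEY", spki_der(FAKE_N, FAKE_E))
PKCS1_PEM = to_pem("RSA PUBLIC KEY", pkcs1_pub_der(FAKE_N, FAKE_E))
```

Run `inspect_pubkey()` on the contents of a minion `.pub` file before dropping it into the master's pki directory; a key that reports PUBLIC KEY with 2048 bits or more has the shape described in this thread.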

Monosij Dutta-Roy

Apr 3, 2015, 2:24:40 PM
to salt-...@googlegroups.com
Hi Joseph -

The OpenSSL keys I generate without passphrase now work.

With a passphrase it was giving an error - Salt just crashes out during install from Vagrant. This also happens with SSH keys.

But as I mentioned in this post, I am getting other errors with highstate.

Thank you.

Mono