No password to root account


Jon Tegner

Apr 5, 2018, 7:38:24 AM
to salt-...@googlegroups.com
Hi,

I'm setting up a cluster environment, and the goal is to use salt for everything. Specifically there should be passwordless login for root on all nodes. I realize that once the public key is generated this is straightforward, but how best to also include the generation of the public key?

In principle I would like salt to handle:

On_master:
__if not id_rsa.pub:
____ssh_keygen
__if not salt://tree_to_authorized_key
____copy_from_/root/.ssh/id_rsa.pub

'*'
__state.highstate (where a state for distributing authorized_key is included).

Is this something best achieved with Orchestrate?

Thanks,

/jon

Raf Czlonka

Apr 5, 2018, 9:17:44 AM
to salt-...@googlegroups.com
On Thu, Apr 05, 2018 at 12:38:17PM BST, Jon Tegner wrote:
> Hi,

Hi Jon,
Not sure which way you are trying to automate things - use a single
RSA key and distribute it to all nodes or have separate RSA keys
for each node. Regardless, salt.modules.ssh[0] and salt.states.ssh_auth[1]
come to mind.

P.S. You may want to consider using ECDSA or ED25519[2].

[0] https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.ssh.html
[1] https://docs.saltstack.com/en/latest/ref/states/all/salt.states.ssh_auth.html
[2] http://ed25519.cr.yp.to/

> Thanks,
>
> /jon

Regards,

Raf

Jon Tegner

Apr 5, 2018, 10:58:46 AM
to salt-...@googlegroups.com
Thanks!

At the moment I have it set up with a single RSA key being distributed to all nodes, but I have to generate the keys beforehand, and then Salt does the distribution. I would like to incorporate the generation of the key through Salt (in order to get rid of the manual step of generating the keys). Single or separate doesn't matter, the easier the better though...

Regards,
/jon 


--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/salt-users/20180405120241.GD71949%40gmail.com.
For more options, visit https://groups.google.com/d/optout.

Raf Czlonka

Apr 5, 2018, 11:06:38 AM
to salt-...@googlegroups.com
Hi Jon,

If it's a single key you are thinking of using then you only need
to generate it *once* and then simply distribute the public key to
authorized_keys onto all of the nodes.

Am I missing something here?

Cheers,

Raf

Jon Tegner

Apr 5, 2018, 11:12:34 AM
to salt-...@googlegroups.com
Yes, I know, and it is not a big problem. Just thought it would be more "elegant" if the generation could be done through Salt instead!

Thanks again!

/jon
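
One way to wire up the flow discussed in this thread (generate the key once on the master, publish only the public half, then highstate everything), added here as an example that is not part of the original thread or any participant's code. It assumes the master also runs a minion with the hypothetical id `saltmaster`, that `file_roots` is `/srv/salt`, and that the file paths and state ids below are made up for illustration; it uses Ed25519 as suggested in the P.S. above.

```yaml
# --- /srv/salt/ssh/master_key.sls (hypothetical path; applied to the master's minion only)
root_ssh_dir:
  file.directory:
    - name: /root/.ssh
    - user: root
    - group: root
    - mode: '0700'

generate_root_key:
  cmd.run:
    # 'creates' makes this a no-op once the private key exists
    - name: ssh-keygen -q -t ed25519 -N '' -f /root/.ssh/id_ed25519
    - creates: /root/.ssh/id_ed25519
    - require:
      - file: root_ssh_dir

publish_root_pubkey:
  file.copy:
    # copy ONLY the public half into the Salt file tree
    - name: /srv/salt/ssh/files/cluster_root.pub
    - source: /root/.ssh/id_ed25519.pub
    - makedirs: True
    - require:
      - cmd: generate_root_key

# --- /srv/salt/ssh/authorized.sls (hypothetical; include it in top.sls for '*')
cluster_root_key:
  ssh_auth.present:
    - user: root
    - source: salt://ssh/files/cluster_root.pub

# --- /srv/salt/orch/root_ssh.sls (hypothetical)
# run on the master with: salt-run state.orchestrate orch.root_ssh
master_key:
  salt.state:
    - tgt: 'saltmaster'        # assumed minion id of the master
    - sls: ssh.master_key

distribute_key:
  salt.state:
    - tgt: '*'
    - highstate: True
    - require:
      - salt: master_key
```

The private key never leaves `/root/.ssh` on the master; anything placed under `file_roots` is readable by every minion, so only the `.pub` file belongs there.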

