Managing SSH host private keys


Jonathan Gazeley

Jan 26, 2012, 6:40:20 AM
to puppet...@googlegroups.com
Hi all,

I already use Puppet to collect and distribute SSH host public keys
between machines I manage. I now want to collect private host keys from
each node and store them on the puppetmaster, so when I rebuild a node
it receives the same key.

Is there an easy way of doing this?

Thanks,
Jonathan

Matt Zagrabelny

Jan 26, 2012, 10:22:01 AM
to puppet...@googlegroups.com
Hi Jonathan,

On Thu, Jan 26, 2012 at 5:40 AM, Jonathan Gazeley
<jonathan...@bristol.ac.uk> wrote:
> Hi all,
>
> I already use Puppet to collect and distribute SSH host public keys between
> machines I manage. I now want to collect private host keys from each node
> and store them on the puppetmaster, so when I rebuild a node it receives the
> same key.

Sure.

> Is there an easy way of doing this?

I don't know about "easy", but here is what I am doing:

Set up a "private" fileserver for your nodes. This is where I put
sensitive node data (like ssh host keys). Then configure your manifest
to pull in the files from there. Here are some of the relevant files:

$ cat /etc/puppet/fileserver.conf
# This file consists of arbitrarily named sections/modules
# defining where files are served from and to whom

# Define a section 'files'
# Adapt the allow/deny settings to your needs. Order
# for allow/deny does not matter, allow always takes precedence
# over deny
[files]
path /etc/puppet/files
# allow *.example.com
# deny *.evil.example.com
# allow 192.168.0.0/24

[plugins]
# allow *.example.com
# deny *.evil.example.com
# allow 192.168.0.0/24

[private]
path /etc/puppet/private/%h
allow *

$ cat /etc/puppet/modules/ssh/manifests/init.pp
class ssh::install {
  package { "ssh":
    ensure => present,
  }
}

class ssh::service {
  service { "ssh":
    ensure     => running,
    enable     => true,
    hasrestart => true,
    require    => Class["ssh::install"],
  }
}

class ssh::config($sshd_config_source =
    "puppet:///modules/ssh/etc/ssh/sshd_config") {
  file { "/etc/ssh/sshd_config":
    owner   => "root",
    group   => "root",
    mode    => 0644,
    source  => $sshd_config_source,
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/ssh/ssh_host_dsa_key":
    owner   => "root",
    group   => "root",
    mode    => 0600,
    source  => "puppet:///private/etc/ssh/ssh_host_dsa_key",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/ssh/ssh_host_dsa_key.pub":
    owner   => "root",
    group   => "root",
    mode    => 0644,
    source  => "puppet:///private/etc/ssh/ssh_host_dsa_key.pub",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/ssh/ssh_host_rsa_key":
    owner   => "root",
    group   => "root",
    mode    => 0600,
    source  => "puppet:///private/etc/ssh/ssh_host_rsa_key",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
  file { "/etc/ssh/ssh_host_rsa_key.pub":
    owner   => "root",
    group   => "root",
    mode    => 0644,
    source  => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
}

class ssh($sshd_config_source = "puppet:///modules/ssh/etc/ssh/sshd_config") {
  include ssh::install, ssh::service
  class { "ssh::config": sshd_config_source => $sshd_config_source }
}

$ ls -alh /etc/puppet/private/nodehostname/etc/ssh
total 24K
drwxr-xr-x 2 root root 4.0K Jan 18 11:35 .
drwxr-xr-x 5 root root 4.0K Jan 18 11:35 ..
-rw-r--r-- 1 root root 668 Jan 18 11:35 ssh_host_dsa_key
-rw-r--r-- 1 root root 598 Jan 18 11:35 ssh_host_dsa_key.pub
-rw-r--r-- 1 root root 1.7K Jan 18 11:35 ssh_host_rsa_key
-rw-r--r-- 1 root root 390 Jan 18 11:35 ssh_host_rsa_key.pub

HTH,

-Matt Zagrabelny
--
"This space was intentionally left blank as to not advertise to you
what cellular provider nor what iDevice was used to send you an
email."

Jonathan Gazeley

Jan 26, 2012, 10:35:17 AM
to puppet...@googlegroups.com
On 26/01/12 15:22, Matt Zagrabelny wrote:
> I don't know about "easy", but here is what I am doing:

Thanks Matt, that's helpful.

This addresses how to distribute keys to node from the fileserver, but I
wonder if there is a mechanism where if the key doesn't exist on the
fileserver, the key that currently exists on the node is pulled in and
saved for future reference - i.e. when new nodes are created.

I'm trying to avoid any situation where I have to remember to do
anything manually, you see. It always leads to failure down the line!

Cheers,
Jonathan

Matt Zagrabelny

Jan 26, 2012, 11:02:18 AM
to puppet...@googlegroups.com

I think the consensus is that puppet drives the state of a node. It is
somewhat unconventional to have the node drive the state of the node.

Remember, there is always some amount of manual stuff to do.

1) Install the OS (or clone your VM.)
2) Set the IP/hostname
3) Install puppet
4) Have the puppetmaster sign the cert

Adding on scp'ing the host keys to your puppetmaster isn't too big of a deal.

-mz

Jonathan Gazeley

Jan 26, 2012, 11:24:24 AM
to puppet...@googlegroups.com
On 26/01/12 16:02, Matt Zagrabelny wrote:
> On Thu, Jan 26, 2012 at 9:35 AM, Jonathan Gazeley
> <jonathan...@bristol.ac.uk> wrote:
>> On 26/01/12 15:22, Matt Zagrabelny wrote:
>>>
>>> I don't know about "easy", but here is what I am doing:
>>
>>
>> Thanks Matt, that's helpful.
>>
>> This addresses how to distribute keys to node from the fileserver, but I
>> wonder if there is a mechanism where if the key doesn't exist on the
>> fileserver, the key that currently exists on the node is pulled in and saved
>> for future reference - i.e. when new nodes are created.
>>
>> I'm trying to avoid any situation where I have to remember to do anything
>> manually, you see. It always leads to failure down the line!
>
> I think the consensus is that puppet drives the state of a node. It is
> somewhat unconventional to have the node drive the state of the node.
>
> Remember, there is always some amount of manual stuff to do.
>
> 1) Install the OS (or clone your VM.)
> 2) Set the IP/hostname
> 3) Install puppet
> 4) Have the puppetmaster sign the cert
>
> Adding on scp'ing the host keys to your puppetmaster isn't too big of a deal.

OK. I just wondered if there was an equivalent way of using exported
resources for private keys, similar to this for public keys:

@@sshkey { $fqdn: type => rsa, key => $sshrsakey }

I'll have a think.

Thanks,
Jonathan

Stephen Jahl

Jan 26, 2012, 10:51:07 AM
to puppet...@googlegroups.com

> This addresses how to distribute keys to node from the fileserver, but I wonder if there is a mechanism where if the key doesn't exist on the fileserver, the key that currently exists on the node is pulled in and saved for future reference - i.e. when new nodes are created.

I believe a filebucket is what you are looking for:

http://docs.puppetlabs.com/man/filebucket.html
http://docs.puppetlabs.com/references/latest/type.html#filebucket

Should be able to use it to back up your SSH keys during a puppet run.

-Steve

krish

Jan 26, 2012, 12:45:30 PM
to puppet...@googlegroups.com
>> Remember, there is always some amount of manual stuff to do.
>>
>> 1) Install the OS (or clone your VM.)
>> 2) Set the IP/hostname
>> 3) Install puppet
>> 4) Have the puppetmaster sign the cert
>>


Meh :P .. If you're using a Xen environment, we've taken care of this
part already, where a puppet recipe creates a new vm, sets ip addr,
installs puppet and gets the certs signed. So when the new vm boots
it's already pulling changes as per its node definition on master :)
We plan to open source the module soon at github :)

--
Krish
olindata.com

Dan White

Jan 26, 2012, 1:32:49 PM
to puppet...@googlegroups.com
I am relatively new to both Puppet and ssh-keys,
but is it possible for the PuppetMaster to generate all the keys rather than each client creating their own?

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)

Christopher Wood

Jan 26, 2012, 1:42:05 PM
to puppet...@googlegroups.com
On Thu, Jan 26, 2012 at 06:32:49PM +0000, Dan White wrote:
> I am relatively new to both Puppet and ssh-keys,
> but is it possible for the PuppetMaster to generate all the keys rather than each client creating their own?

This might be one of the places where erb (templates) being evaluated on the puppetmaster will help. I'm just speculating, but there's no technological reason why the puppetmaster shouldn't use erb/ruby to fork ssh-keygen and store the result in some local directory. The puppet template can either create a private key, or copy in the results of a previous ssh-keygen run.

I don't see technical obstacles, only security obstacles. You may not want all your ssh private keys stored in one place, for instance.



> “Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
> Bill Watterson (Calvin & Hobbes)
>

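As an added illustration of the approach Christopher Wood speculates about (not code from the thread or from Puppet itself), here is a Ruby helper the puppetmaster could call from a custom function or ERB template to hand out a per-node host key pair from a private store laid out like /etc/puppet/private/<host>/etc/ssh: an existing pair is reused so a rebuilt node gets the same key, and ssh-keygen is run only when none exists. The store layout, the hostname check and the injectable generator are assumptions of this example.

```ruby
require 'fileutils'
require 'open3'

# %h in fileserver.conf comes from the client's certname, so treat it as
# untrusted input: only plain DNS-style names may select a store directory.
HOSTNAME_RE = /\A[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*\z/i
KEY_TYPES   = %w[rsa dsa ecdsa ed25519].freeze

def valid_hostname?(host)
  host.length <= 253 && HOSTNAME_RE.match?(host)
end

# Default generator: run ssh-keygen with an empty passphrase (host keys are
# loaded unattended by sshd, so they cannot carry one).
def run_ssh_keygen(type, path, comment)
  _out, err, status = Open3.capture3('ssh-keygen', '-q', '-t', type, '-N', '',
                                     '-C', comment, '-f', path)
  raise "ssh-keygen failed: #{err}" unless status.success?
end

# Returns [private_path, public_path, generated?]. The generator is a
# parameter so the logic can be exercised without ssh-keygen on the box.
def ensure_host_key(store, host, type = 'rsa', generator = method(:run_ssh_keygen))
  raise ArgumentError, "bad hostname #{host.inspect}" unless valid_hostname?(host)
  raise ArgumentError, "bad key type #{type.inspect}" unless KEY_TYPES.include?(type)

  dir  = File.join(store, host, 'etc', 'ssh')
  priv = File.join(dir, "ssh_host_#{type}_key")
  pub  = "#{priv}.pub"
  have_priv = File.file?(priv)
  have_pub  = File.file?(pub)
  return [priv, pub, false] if have_priv && have_pub
  # Never silently overwrite half a pair: a lone private key is still the
  # node's identity and deserves a human look before anything is regenerated.
  raise "incomplete key pair in #{dir}; inspect before regenerating" if have_priv || have_pub

  FileUtils.mkdir_p(dir, mode: 0o700)
  generator.call(type, priv, "root@#{host}")
  File.chmod(0o600, priv) # private half owner-only, matching the manifest's mode 0600
  File.chmod(0o644, pub)
  [priv, pub, true]
end
```

Keeping the store directory at 0700 and the private halves at 0600 on the master matters because, unlike the listing above, a world-readable store exposes every node's host identity to any local user of the puppetmaster.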

Ygor

Jan 27, 2012, 9:28:25 AM
to Puppet Users
On Jan 26, 1:42 pm, Christopher Wood <christopher_w...@pobox.com>
wrote:
> On Thu, Jan 26, 2012 at 06:32:49PM +0000, Dan White wrote:
> > I am relatively new to both Puppet and ssh-keys,
> > but is it possible for the PuppetMaster to generate all the keys rather than each client creating their own?
>
> This might be one of the places where erb (templates) being evaluated on the puppetmaster will help. I'm just speculating, but there's no technological reason why the puppetmaster shouldn't use erb/ruby to fork ssh-keygen and store the result in some local directory. The puppet template can either create a private key, or copy in the results of a previous ssh-keygen run.
>
> I don't see technical obstacles, only security obstacles. You may not want all your ssh private keys stored in one place, for instance.
>
Agreed. My first thought is to be sure a backup of the private keys is
kept current and separate - and possibly in multiple locations.
Any other security considerations one should consider?

In my current workplace, ssh keys are used for remote machine logins
and the individual user is responsible for maintaining their own
private key.
I am not completely happy with this arrangement, and I am looking for
information to use to make some intelligent suggestions for change.