SSH Keys


sysboy

Nov 17, 2009, 7:02:47 AM11/17/09
to Puppet Users
Hi all,

I want to use puppet to distribute keys to multiple users. I wanted
to do something like we have already:

- define a key per real person
- define groups containing several keys, people can be in multiple
groups
- deploy these groups of keys to specific users

however it looks like the ssh_authorized_key resource ties a key and a
user together so it looks like I fall at the first hurdle:

@ssh_authorized_key { "joe.bloggs":
  ensure => "present",
  key    => "AAAAB....=",
  type   => "ssh-rsa",
  user   => "root",   # <<<<< I don't want this
}

I was hoping to realize a groups of these keys and somehow tie them to
users. Any ideas?

seph

Nov 23, 2009, 9:06:28 AM11/23/09
to puppet...@googlegroups.com
You could do something with a define. But I'm not really sure what your
use case is. Can you give an example?

seph

sysboy

Nov 23, 2009, 9:40:32 AM11/23/09
to Puppet Users
I currently have something set up for users like this:

virt_users.pp
class virt_my_users {

  @user { "user1":
    ensure  => "present",
    uid     => "1001",
    gid     => "users",
    comment => "user1",
    home    => "/home/user1",
    shell   => "/bin/bash",
  }
  @user { "user2":
    ensure  => "present",
    uid     => "1002",
    gid     => "users",
    comment => "user2",
    home    => "/home/user2",
    shell   => "/bin/bash",
  }
}

users.pp
class prod_users {
  include virt_my_users
  realize(
    Group["users"],
    User["user1"],
    User["user2"],
  )
}

site.pp

node host1 inherits default {
  include prod_users
}

And I wanted to do something similar with the keys, defining the keys
for everyone in one place and then using it for several users on
multiple nodes. For instance the postgres user on some nodes might
have keys from developers and dba's but only a limited number of
people in the production environment.

All this is currently managed with some sh/awk scripts. We basically
have a file with a key. These keyfiles are grouped up into something
legible such as 'sysadmins' or 'dbas'. Then we have a node definition
containing the users on that node and the groups of keys to be
deployed to the users.

Ideally I would like something where I could have

node host1 inherits default {
  include prod_users
}

class prod_users {
  realize User['user1']
  realize Sshkeys['user1']  # this bit would expand the groups of
                            # keys and deploy them to user1
}

Hope that makes some sense to people :) I always have the option of
leaving the sh/awk solution as is so it's not top on my list but it
would be nice to manage everything from one place.

seph

Nov 24, 2009, 12:25:45 PM11/24/09
to puppet...@googlegroups.com
sysboy <sys...@gmail.com> writes:

> Ideally I would like something where I could have
>
> class prod_users {
>   realize User['user1']
>   realize Sshkeys['user1']  # this bit would expand the groups of
>                             # keys and deploy them to user1
> }

I'm still a bit confused, but I'll help with what I can.

I define a bunch of users in user::virtual; alongside said users I
define their keys. Some users have more than one key (seph-2008-laptop,
seph-2009-desktop, for example).

Then I have things like this:

class user::unixadmins inherits user::virtual {
  User <| title == 'seph' |>
  Ssh_authorized_key <| user == 'seph' |>
}

It works well enough, but it's not perfect. I haven't really figured out
how to cleanly say "let seph use his keys to login as user deploy" so
I'm punting that part for now.

seph
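One way to get the "key per person, groups of keys, groups deployed to arbitrary local accounts" layout sysboy asked for, including the "let seph's keys log in as deploy" case seph punted on. This is an added example written for this thread, not code from either poster; it assumes Puppet 5.5 or later (typed define parameters, map/flatten/unique), and every key string is a constructed placeholder.

```puppet
# Keys are declared once per person (or per device, as seph does), then
# grouped; a define deploys any set of groups to any local account.
class sshkeys::data {
  $keys = {
    'joe.bloggs'   => { 'type' => 'ssh-rsa',     'key' => 'AAAAB...joe...=' },
    'jane.doe'     => { 'type' => 'ssh-ed25519', 'key' => 'AAAAC...jane...=' },
    'seph-laptop'  => { 'type' => 'ssh-rsa',     'key' => 'AAAAB...seph1...=' },
    'seph-desktop' => { 'type' => 'ssh-rsa',     'key' => 'AAAAB...seph2...=' },
  }
  # Groups are lists of key names; a person may appear in several groups.
  $groups = {
    'sysadmins' => ['joe.bloggs', 'seph-laptop', 'seph-desktop'],
    'dbas'      => ['jane.doe', 'joe.bloggs'],
  }
}

# Deploy every key in $groups to the local account named by the title.
# Each ssh_authorized_key title is made unique per account, so the same
# person's key can be deployed to postgres, deploy and root at once.
define sshkeys::deploy (Array[String] $groups) {
  include sshkeys::data

  # A mistyped group name fails the catalog instead of silently deploying nothing.
  $missing = $groups.filter |$g| { !($g in $sshkeys::data::groups) }
  if $missing != [] {
    fail("sshkeys::deploy[${title}]: unknown key group(s) ${missing}")
  }

  $names = unique(flatten($groups.map |$g| { $sshkeys::data::groups[$g] }))
  $names.each |$n| {
    $k = $sshkeys::data::keys[$n]
    ssh_authorized_key { "${n}@${title}":
      ensure => present,
      user   => $title,
      type   => $k['type'],
      key    => $k['key'],
    }
  }
}

# Example node: postgres receives dba and sysadmin keys, deploy only sysadmin
# keys. Purging removes any authorized key Puppet does not declare, so a key
# dropped from a group (a leaver, a lost laptop) disappears from every account.
node 'host1' {
  resources { 'ssh_authorized_key': purge => true }
  sshkeys::deploy { 'postgres': groups => ['dbas', 'sysadmins'] }
  sshkeys::deploy { 'deploy':   groups => ['sysadmins'] }
}
```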