Managing SSH keys with Salt


Corey Quinn

Feb 12, 2013, 7:32:04 PM
to salt-...@googlegroups.com
So I have a salt state file.

It looks like this:

cquinn:
  group:
    - present
    - gid: 1500
  user:
    - present
    - shell: /bin/bash
    - uid: 1500
    - gid: 1500
    - home: /home/cquinn
    - groups:
      - sudo
    - require:
      - group: cquinn
  file:
    - directory
    - name: /home/cquinn
    - user: cquinn
    - group: cquinn
    - mode: 755
    - makedirs: True
    - require:
      - user: cquinn
cquinn-rsa:
  ssh_auth:
    - present
    - user: cquinn
    - enc: rsa
    - names:
      -  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
    - require:
      - file: /home/cquinn

Unfortunately, the key itself is done as a name, which is huge.  This in turn triggers the verbosity of the salt master when I highstate, meaning that every key I'm managing spits output (in green) for every host it's run upon.  This is VERY wordy.

Is there a better way to set multiple SSH keys for a user in salt without directly controlling the authorized_keys file, which in turn makes me the Key Nazi?  

-- Corey

Nick Davis

Feb 12, 2013, 9:40:02 PM
to salt-...@googlegroups.com
I fail to see the difference between having the keys vs the authorized_key file; you still have all of the keys and are thus the key master. 

Maybe you could just turn down the verbosity of highstate. 

Corey Quinn

Feb 12, 2013, 9:41:53 PM
to salt-...@googlegroups.com
On Feb 12, 2013, at 6:40 PM, Nick Davis <mrt...@gmail.com> wrote:

> I fail to see the difference between having the keys vs the authorized_key file; you still have all of the keys and are thus the key master.


No, I have a subset of keys.  "Adding another for edge cases" is still doable this way; those by-hand changes by other folks will get stomped at the next highstate.

> Maybe you could just turn down the verbosity of highstate.

Sure, I could do that-- but I'd wind up missing other things I'd like to see.

-- Corey

Avi Marcus

Feb 13, 2013, 2:08:39 AM
to salt-...@googlegroups.com
There's another option:
Rather than printing the key, you can store each key in its own file (or a group of keys in one file), see http://docs.saltstack.org/en/latest/ref/states/all/salt.states.ssh_auth.html

thatch:
  ssh_auth:
    - present
    - user: root
    - source: salt://ssh_keys/thatch.id_rsa.pub

Perhaps this will solve your logging issue.

-Avi
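
Applied to the cquinn state from the first message, the per-file approach for several keys could look like the following. This is an added example, not code posted by anyone in the thread; the key file names under salt://ssh_keys/ are hypothetical, and it assumes the SLS is rendered with Salt's default Jinja renderer.

```yaml
# Added example (not from the thread).
# Assumption: these files exist on the master's file server under
# salt://ssh_keys/ and each holds one or more public keys in
# authorized_keys format. The file names are hypothetical.
{% set cquinn_keyfiles = [
    'cquinn-laptop.id_rsa.pub',
    'cquinn-desktop.id_rsa.pub',
] %}

{% for keyfile in cquinn_keyfiles %}
# The state ID stays short; the key material lives in the file, not in the ID.
cquinn-key-{{ loop.index }}:
  ssh_auth:
    - present
    - user: cquinn
    - source: salt://ssh_keys/{{ keyfile }}
    - require:
      - file: /home/cquinn
{% endfor %}
```

ssh_auth.present only ensures the listed keys are in the user's authorized_keys; keys added by hand are left alone, so a key that must be revoked needs its own ssh_auth.absent state.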