The sshkeys puppet module allow the creation and installation of ssh keys.
With the sshkeys module, you define a key that will be generated on the puppet master. You define where this key should be installed, for the client key pair, and for the authorized_keys.
When the key has not been generated yet, you may need to run puppet twice. The key will be generated on the first run, and installed on the second run.
It is also possible to configure pre-defined ssh keys by passing them as parameters to the main class.
In order to tell which node will generate the keys, you need to include the sshkeys::keymaster class on the puppet master node:
include sshkeys::keymaster
Before installing the key, we need to create it. This is done with the create_key ressource, on the puppet master node. We can create the key key1:
sshkeys::create_key{key1: }
If we want to install the key1 key pair for user user1, we can use the set_client_key_pair ressource:
sshkeys::set_client_key_pair{'key1-for-user1':
keyname => 'key1',
home => '/home/user1',
user => 'user1',
}
The key1 private and public keys should now be installed for user user1 on the node on which we created this ressource.
If we want to allow the key key1 to connect to the user2 account, we use the set_authorized_keys ressource:
sshkeys::set_authorized_keys{'key1-to-user2':
keyname => 'key1',
user => 'user2',
home => '/home/user2',
}
Now, user1 should have the key1 key pair installed on his account, and be able to login to the user2 account.
sshkeys::automatic_keys:
snoopy@kennel:
user: charlesbrown
This will generate a key pair, install the private key on the hostn named "kennel" in Snoopy's home directory, and add the public key to the authorized_keys file on the host you're applying the sshkeys module on with this hiera data.
Optionally you can customise the home directories of both client key pair, and the authorized_keys user:
sshkeys::automatic_keys:
snoopy@kennel:
user: charlesbrown
home: /home/human/charles
client_home: /users/snoopy
Make sure to keep the client_home setting consistent across your environment though, if you want to install the public key in more than one place. If not, a duplicate resource warning will be triggered as a safeguard!
This is best done using Hiera.
Parametrizing the sshkeys class in Hiera:
sshkeys::manual_keys:
just_a_name:
user: odie
key: jon@jukebox
This will fetch the (rsa, by default) key named "jon@jukebox" from hiera, and install it in the authorized_keys file of the user "odie" on every node that this hiera yaml file applies to. The name "just_a_name" is arbitrary.
It is easiest to put:
jon@jukebox: "AAAa254BCDCBCC...poiuyt"
(without key types and all that) in hiera at the top level, so you can use them anywhere in your hierarchy.
This module is released under the GNU General Public License version 3: http://www.gnu.org/licenses/gpl-3.0.txt
The sshkeys module is based on the ssh::auth module written by Andrew E. Schulman <andrex at alumni dot utexas dot net>.
The original ssh::auth module is available at this URL : http://projects.puppetlabs.com/projects/1/wiki/Module_Ssh_Auth_Patterns