Skip to content

GeoffWilliams/sshkeys

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

55 Commits
.librarian/puppet
.librarian/puppet
 
 
.pdqtest
.pdqtest
 
 
doc
doc
 
 
examples
examples
 
 
lib/puppet/functions/sshkeys
lib/puppet/functions/sshkeys
 
 
manifests
manifests
 
 
spec
spec
 
 
.ci_custom.sh
.ci_custom.sh
 
 
.fixtures.yml
.fixtures.yml
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.pdkignore
.pdkignore
 
 
.puppet-lint.rc
.puppet-lint.rc
 
 
.rspec
.rspec
 
 
.sync.yml
.sync.yml
 
 
.travis.yml
.travis.yml
 
 
Gemfile
Gemfile
 
 
Gemfile.lock
Gemfile.lock
 
 
Makefile
Makefile
 
 
Puppetfile.lock
Puppetfile.lock
 
 
README.md
README.md
 
 
REFERENCE.md
REFERENCE.md
 
 
Rakefile
Rakefile
 
 
appveyor.yml
appveyor.yml
 
 
bitbucket-pipelines.yml
bitbucket-pipelines.yml
 
 
make.ps1
make.ps1
 
 
metadata.json
metadata.json
 
 

Repository files navigation

sshkeys

Build Status

Table of Contents

  1. Description
  2. Features
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module

Overview

Provides several methods for generation, distribution and authorization of SSH keys

Features

Per-user management of:

  • ~/.ssh
  • ~/.ssh/id_rsa
  • ~/.ssh/id_rsa.pub
  • ~/.ssh/known_hosts
  • ~/.ssh/authorized_keys
  • ~/.ssh/some_other_key (sshkeys::install_keypair only)
  • ~/.ssh/some_other_key.pub (sshkeys::install_keypair only)

Usage

There are two methods of operation (consult REFERENCE for detailed instructions):

Manual management

Create files with known data sourced from Puppet (Hiera, files from modules, etc):

  • sshkeys::manual

Suggested uses:

  • Distributing known keys for sysadmins
  • Enabling logins from applications using a known key

Generation

Generate files as needed (will be stored on the Puppet Master in /etc/puppetlabs/puppetserver/sshkeys):

  • sshkeys::authorize
  • sshkeys::install_keypair
  • sshkeys::known_host

Suggested uses:

  • SSH being used as a transport mechanism where the value of the key itself is immaterial and limited in scope, with all parties under puppet control. A good example of this would be rsync between puppet nodes and this is what the module was originally written for.

Important

Since SSH keys are stored on the master when using generation methods, this weakens security somewhat vs how PKIs are intended to work. This can be mitigated by applying the principle of least privilege to accounts that use keys in this way. Also if your Puppet Master is compromised, its game over anyway. Be sure your comfortable with this before using.

Note SSH Keys are read from and generated on the Puppet Master using the sshkeys::sshkey function that ships with this module. When running Puppet in apply mode, the user running the function will normally be root however in agent mode the user would be pe-puppet or equivalent. This prevents us creating files in /etc as pe-puppet has no ability to write there. Instead, we create our own directory at /etc/puppetlabs/puppetserver/sshkeys. Since /etc/puppetlabs/puppetserver is writable by pe-puppet, we are able to write files to this location.

Setup Requirements

  • Requires all SSH packages are already installed

Limitations

  • Tested on Debian and Ubuntu
  • If generation is used, SSH keys will be stored on the master
  • Only one copy of a given key can be installed per-node when using sshkeys::install_keypair

Development

PRs accepted :)

Testing

This module supports testing using PDQTest.

Test can be executed with:

bundle install
make

See .travis.yml for a working CI example

About

ssh key generation and distribution with puppet

Resources

Readme
Activity

Stars

3 stars

Watchers

5 watching

Forks

4 forks
Report repository

Releases

9 tags

Packages

No packages published

Languages