[Puppet Users] Managing ssh server's keys?

I've used the "private" file server mechanism to serve out node sensitive files.

The following snippet shows this:

class ssh::config($sshd_config_source =
"puppet:///modules/ssh/etc/ssh/sshd_config") {
file { "/etc/ssh/sshd_config":
source => $sshd_config_source,
require => Class["ssh::install"],
notify => Service["ssh"],
}
file { "/etc/pam.d/sshd":
source => "puppet:///modules/ssh/etc/pam.d/sshd",
require => [ Class["ssh::install"], Class["libpam_radius_auth"] ],
}
file { "/etc/ssh/ssh_host_dsa_key":
mode => 0600,
source => "puppet:///private/etc/ssh/ssh_host_dsa_key",
require => Class["ssh::install"],
notify => Service["ssh"],
}
file { "/etc/ssh/ssh_host_dsa_key.pub":
source => "puppet:///private/etc/ssh/ssh_host_dsa_key.pub",
require => Class["ssh::install"],
notify => Service["ssh"],
}
file { "/etc/ssh/ssh_host_rsa_key":
mode => 0600,
source => "puppet:///private/etc/ssh/ssh_host_rsa_key",
require => Class["ssh::install"],
notify => Service["ssh"],
}
file { "/etc/ssh/ssh_host_rsa_key.pub":
source => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",
require => Class["ssh::install"],
notify => Service["ssh"],
}
}

-mz

I didn't know about this one, do I need any special configuration of the
puppetmaster for this to work, or is this a builtin?

Hi Jakov,

Here is my fileserver.conf:

root@puppet:/etc/puppet# cat /etc/puppet/fileserver.conf
# This file consists of arbitrarily named sections/modules
# defining where files are served from and to whom

# Define a section 'files'
# Adapt the allow/deny settings to your needs. Order
# for allow/deny does not matter, allow always takes precedence
# over deny
[files]
path /etc/puppet/files
# allow *.example.com
# deny *.evil.example.com
# allow 192.168.0.0/24

[plugins]
# allow *.example.com
# deny *.evil.example.com
# allow 192.168.0.0/24

[private]
path /etc/puppet/private/%h
allow *


You would then put stuff at:

/etc/puppet/private/node-01/etc/ssh/ssh_host_rsa_key
.
.
etc.

When node-01 connects your puppetmaster, it can only "see" its private
file space.

-mz

FWIW, we're handling ssh keys and other sensitive full-file content nearly
identically, although we we chose "/secure" rather than "/private" and we're
using %H (fqdn) rather than %h (short host name).

Tim

Thank you for the idea. Now only problem that is left is how to call a
script to generate keys if files are not accessible in private section :-/

I know one can do something like this:

file { '/etc/ssh/ssh_host_rsa_key.pub':
ensure => file,
mode => 0644,
source => [
'puppet:///private/etc/ssh/ssh_host_rsa_key.pub',
'puppet:///modules/sshd/ssh_host_rsa_key.pub',
],
require => Package['openssh-server'],
notify => Service['sshd'],
}

and put some blank default files in there, but I would much prefer to
build the keys if they are not there, and I presume I need some puppet
magic here :-/

Any ideas?

Part of our server bootstrapping process is to copy over the ssh keys
to the puppetmaster after puppet has installed openssh-server.

As far as generating the keys, that should be pretty straightforward
using ssh-keygen.

-mz

So how do you do that with puppet? Or you use cobbler/FAI or that kind
of tool for that particular task?


I know that but I want to generate it only if keys are not in folder...

Copy+paste. Not all of our processes are automated...yet.
Whatever is generating your node manifest (on the master) could also
perform either:

1) scp ssh keys from the node to master
or
2) run ssh-keygen on master

Unless you are using the "default" node, this should work.

-mz

I have an idea about #2. I won't copy keys from nodes, but generate it
on the master if they are not there already.

If I succeed I will post solution.

OK I've found elegant way to do it. Basicly this is what I do:

class ssh::server {
...
...
if generate('/etc/puppet/modules/ssh/scripts/generate_host_keys.sh',
$keys_dir) {
include ssh::server::keys
}

...
...
}

class ssh::server::keys {
file { '/etc/ssh/ssh_host_dsa_key':
...
...
file { '/etc/ssh/ssh_host_rsa_key':
...
...
}


And generate script looks like this:

#!/bin/bash

# check arg0: dir for keys
[ -z "$1" ] && echo "Please specify directory for key generation" && exit 1
KEYSDIR="$1"

# set umask
umask 0022

# create directory tree if it does not exist
[ ! -d "$KEYSDIR" ] && mkdir -p $KEYSDIR

do_rsa1_keygen
do_rsa_keygen
do_dsa_keygen


chmod -R 640 $KEYSDIR/*
exit 0


do_rsa1/do_rsa/do_dsa are bash functions that I got from
/etc/init.d/sshd on CentOS 6... And it works like a charm! First puppet
run, keys are generated, and put into "private" section under fqdn's
dir, and propagated to client, and that's it. After reinstallation of
the client, files are already in private, so they won't be regenerated.

Take a look at https://github.com/gtcoc/sshkeys for an idea. It isn't
documented well (yet), so here are some rough notes:

* the module assumes you are using hiera to supply default arguments.
you can see the default values in the hieradata directory
* the sshkeys::hostkeys class best shows how it works:
+ the master makes a call (via generate) to a perl script (sshkeys.pl)
+ the perl script either retrieves or generates a new key for the host
* assuming you set up hiera properly (or otherwise specify default
parameter values), I think all you should need to use this is:

on the puppet master: include sshkeys::install

and on the nodes: include sshkeys::hostkeys

* if you want to distribute the keys into a known_hosts file, then you
have to set up a file serving location for the file and pull it down.
I created a module that I use for serving various files in our
environment, and I set the parameter
'sshkeys::install::knownhosts_servedir' to put the file in the proper
place. Then on all of my hosts I add a file resource:

file { '/etc/ssh/ssh_known_hosts':
source => 'puppet:///modules/ccfiles/ssh_known_hosts',
mode => '0444',
owner => 'root',
group => 'root',
}

Hope that helps,
Chad