Hi.

I'm wondering, is there a way to manage ssh servers in a way that every
machine has its own key?

I'm talking about these files:

/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub


Ideally I would like to have a module that replaces those files with
files from puppet server, for specific host, if they are available, and
if not, then to gather them from the client.

I think this is not possible, so is there some sensible way to manage
those files in a different fashion? Holding every file under:

/etc/puppet/files/ssh/<%= hostname =>

is a possibility, but if someone has done this already I would appreciate
some hints.


I'm trying to set up persistent ssh server keys across reinstallations
of hosts...


--
Jakov Sosic
www.srce.unizg.hr

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Matt Zagrabelny at Nov 26, 2012 at 7:54 pm

    On Mon, Nov 26, 2012 at 1:47 PM, Jakov Sosic wrote:
    > Hi.
    >
    > I'm wondering, is there a way to manage ssh servers in a way that every
    > machine has its own key?

    I've used the "private" file server mechanism to serve out node sensitive files.

    The following snippet shows this:

    class ssh::config($sshd_config_source =
        "puppet:///modules/ssh/etc/ssh/sshd_config") {
      file { "/etc/ssh/sshd_config":
        source  => $sshd_config_source,
        require => Class["ssh::install"],
        notify  => Service["ssh"],
      }
      file { "/etc/pam.d/sshd":
        source  => "puppet:///modules/ssh/etc/pam.d/sshd",
        require => [ Class["ssh::install"], Class["libpam_radius_auth"] ],
      }
      # Host keys come from the per-node "private" mount (see the
      # fileserver.conf later in this thread); private keys stay mode 0600.
      file { "/etc/ssh/ssh_host_dsa_key":
        mode    => '0600',
        source  => "puppet:///private/etc/ssh/ssh_host_dsa_key",
        require => Class["ssh::install"],
        notify  => Service["ssh"],
      }
      file { "/etc/ssh/ssh_host_dsa_key.pub":
        source  => "puppet:///private/etc/ssh/ssh_host_dsa_key.pub",
        require => Class["ssh::install"],
        notify  => Service["ssh"],
      }
      file { "/etc/ssh/ssh_host_rsa_key":
        mode    => '0600',
        source  => "puppet:///private/etc/ssh/ssh_host_rsa_key",
        require => Class["ssh::install"],
        notify  => Service["ssh"],
      }
      file { "/etc/ssh/ssh_host_rsa_key.pub":
        source  => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",
        require => Class["ssh::install"],
        notify  => Service["ssh"],
      }
    }

    -mz

  • Jakov Sosic at Nov 26, 2012 at 10:05 pm

    On 11/26/2012 08:54 PM, Matt Zagrabelny wrote:
    > file { "/etc/ssh/ssh_host_rsa_key.pub":
    > source => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",

    I didn't know about this one, do I need any special configuration of the
    puppetmaster for this to work, or is this a builtin?

  • Matt Zagrabelny at Nov 26, 2012 at 10:09 pm

    On Mon, Nov 26, 2012 at 4:05 PM, Jakov Sosic wrote:
    > On 11/26/2012 08:54 PM, Matt Zagrabelny wrote:
    > > file { "/etc/ssh/ssh_host_rsa_key.pub":
    > > source => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",
    >
    > I didn't know about this one, do I need any special configuration of the
    > puppetmaster for this to work, or is this a builtin?

    Hi Jakov,

    Here is my fileserver.conf:

    root@puppet:/etc/puppet# cat /etc/puppet/fileserver.conf
    # This file consists of arbitrarily named sections/modules
    # defining where files are served from and to whom

    # Define a section 'files'
    # Adapt the allow/deny settings to your needs. Order
    # for allow/deny does not matter, allow always takes precedence
    # over deny
    [files]
    path /etc/puppet/files
    # allow *.example.com
    # deny *.evil.example.com
    # allow 192.168.0.0/24

    [plugins]
    # allow *.example.com
    # deny *.evil.example.com
    # allow 192.168.0.0/24

    [private]
    path /etc/puppet/private/%h
    allow *


    You would then put stuff at:

    /etc/puppet/private/node-01/etc/ssh/ssh_host_rsa_key
    .
    .
    etc.

    When node-01 connects your puppetmaster, it can only "see" its private
    file space.

    -mz

  • Tim Mooney at Nov 26, 2012 at 10:58 pm

    In regard to: Re: [Puppet Users] Managing ssh server's keys?, Matt...:
    > Here is my fileserver.conf:
    > [private]
    > path /etc/puppet/private/%h
    > allow *

    FWIW, we're handling ssh keys and other sensitive full-file content nearly
    identically, although we chose "/secure" rather than "/private" and we're
    using %H (fqdn) rather than %h (short host name).

    Tim
    --
    Tim Mooney tim.mooney@ndsu.edu
    Enterprise Computing & Infrastructure 701-231-1076 (Voice)
    Room 242-J6, IACC Building 701-231-8541 (Fax)
    North Dakota State University, Fargo, ND 58105-5164

  • Jakov Sosic at Nov 28, 2012 at 7:50 pm

    On 11/26/2012 08:54 PM, Matt Zagrabelny wrote:
    > On Mon, Nov 26, 2012 at 1:47 PM, Jakov Sosic wrote:
    > > Hi.
    > >
    > > I'm wondering, is there a way to manage ssh servers in a way that every
    > > machine has its own key?
    >
    > I've used the "private" file server mechanism to serve out node sensitive files.

    Thank you for the idea. Now the only problem that is left is how to call a
    script to generate keys if the files are not accessible in the private section :-/

    I know one can do something like this:

    file { '/etc/ssh/ssh_host_rsa_key.pub':
      ensure  => file,
      mode    => '0644',
      source  => [
        'puppet:///private/etc/ssh/ssh_host_rsa_key.pub',
        'puppet:///modules/sshd/ssh_host_rsa_key.pub',
      ],
      require => Package['openssh-server'],
      notify  => Service['sshd'],
    }

    and put some blank default files in there, but I would much prefer to
    build the keys if they are not there, and I presume I need some puppet
    magic here :-/

    Any ideas?

  • Matt Zagrabelny at Nov 28, 2012 at 8:10 pm

    On Wed, Nov 28, 2012 at 1:50 PM, Jakov Sosic wrote:
    > On 11/26/2012 08:54 PM, Matt Zagrabelny wrote:
    > > On Mon, Nov 26, 2012 at 1:47 PM, Jakov Sosic wrote:
    > > > Hi.
    > > >
    > > > I'm wondering, is there a way to manage ssh servers in a way that every
    > > > machine has its own key?
    > >
    > > I've used the "private" file server mechanism to serve out node sensitive files.
    >
    > Thank you for the idea. Now the only problem that is left is how to call a
    > script to generate keys if the files are not accessible in the private section :-/
    >
    > I know one can do something like this:
    >
    > file { '/etc/ssh/ssh_host_rsa_key.pub':
    >   ensure  => file,
    >   mode    => '0644',
    >   source  => [
    >     'puppet:///private/etc/ssh/ssh_host_rsa_key.pub',
    >     'puppet:///modules/sshd/ssh_host_rsa_key.pub',
    >   ],
    >   require => Package['openssh-server'],
    >   notify  => Service['sshd'],
    > }
    >
    > and put some blank default files in there, but I would much prefer to
    > build the keys if they are not there, and I presume I need some puppet
    > magic here :-/
    >
    > Any ideas?

    Part of our server bootstrapping process is to copy over the ssh keys
    to the puppetmaster after puppet has installed openssh-server.

    As far as generating the keys, that should be pretty straightforward
    using ssh-keygen.

    -mz

  • Jakov Sosic at Nov 28, 2012 at 8:15 pm

    On 11/28/2012 09:10 PM, Matt Zagrabelny wrote:
    > Part of our server bootstrapping process is to copy over the ssh keys
    > to the puppetmaster after puppet has installed openssh-server.

    So how do you do that with puppet? Or do you use cobbler/FAI or that kind
    of tool for that particular task?

    > As far as generating the keys, that should be pretty straightforward
    > using ssh-keygen.

    I know that, but I want to generate it only if the keys are not in the folder...

  • Matt Zagrabelny at Nov 28, 2012 at 8:19 pm

    On Wed, Nov 28, 2012 at 2:14 PM, Jakov Sosic wrote:
    > On 11/28/2012 09:10 PM, Matt Zagrabelny wrote:
    > > Part of our server bootstrapping process is to copy over the ssh keys
    > > to the puppetmaster after puppet has installed openssh-server.
    >
    > So how do you do that with puppet? Or do you use cobbler/FAI or that kind
    > of tool for that particular task?

    Copy+paste. Not all of our processes are automated...yet.

    > > As far as generating the keys, that should be pretty straightforward
    > > using ssh-keygen.
    >
    > I know that, but I want to generate it only if the keys are not in the folder...

    Whatever is generating your node manifest (on the master) could also
    perform either:

    1) scp ssh keys from the node to master
    or
    2) run ssh-keygen on master

    Unless you are using the "default" node, this should work.

    -mz

  • Jakov Sosic at Nov 28, 2012 at 8:29 pm

    On 11/28/2012 09:19 PM, Matt Zagrabelny wrote:
    > Whatever is generating your node manifest (on the master) could also
    > perform either:
    >
    > 1) scp ssh keys from the node to master
    > or
    > 2) run ssh-keygen on master
    >
    > Unless you are using the "default" node, this should work.

    I have an idea about #2. I won't copy keys from nodes, but generate them
    on the master if they are not there already.

    If I succeed I will post solution.

  • Jakov Sosic at Dec 4, 2012 at 10:19 pm

    On 11/28/2012 09:19 PM, Matt Zagrabelny wrote:
    > Whatever is generating your node manifest (on the master) could also
    > perform either:
    >
    > 1) scp ssh keys from the node to master
    > or
    > 2) run ssh-keygen on master
    >
    > Unless you are using the "default" node, this should work.

    OK, I've found an elegant way to do it. Basically this is what I do:

    class ssh::server {
      ...
      ...
      if generate('/etc/puppet/modules/ssh/scripts/generate_host_keys.sh',
                  $keys_dir) {
        include ssh::server::keys
      }

      ...
      ...
    }

    class ssh::server::keys {
      file { '/etc/ssh/ssh_host_dsa_key':
        ...
        ...
      file { '/etc/ssh/ssh_host_rsa_key':
        ...
        ...
    }


    And the generate script looks like this:

    #!/bin/bash

    # check arg0: dir for keys
    [ -z "$1" ] && echo "Please specify directory for key generation" && exit 1
    KEYSDIR="$1"

    # set umask
    umask 0022

    # create directory tree if it does not exist
    [ ! -d "$KEYSDIR" ] && mkdir -p "$KEYSDIR"

    # do_*_keygen are the functions from /etc/init.d/sshd on CentOS 6 (see
    # below); each generates its key pair only when the key file is missing
    do_rsa1_keygen
    do_rsa_keygen
    do_dsa_keygen

    chmod -R 640 "$KEYSDIR"/*
    exit 0


    do_rsa1/do_rsa/do_dsa are bash functions that I got from
    /etc/init.d/sshd on CentOS 6... And it works like a charm! On the first
    puppet run, keys are generated, put into the "private" section under the
    fqdn's dir, and propagated to the client, and that's it. After
    reinstallation of the client, the files are already in private, so they
    won't be regenerated.

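    As an added example (my own code, not Jakov's script, whose do_*_keygen functions come from the CentOS init script), here is a self-contained generate_host_keys.sh that the generate() call above could run on the master. It goes a little beyond the post: it also creates ecdsa and ed25519 keys, regenerates a half-written pair, and keeps private keys owner-only; the function names ensure_host_key and generate_host_keys are my own.

```shell
#!/bin/sh
# Added example (not the list poster's script): generate_host_keys.sh as run
# by Puppet's generate() on the master. Keys are created only when the
# per-node directory does not already hold them, so a reinstalled node gets
# its previous host identity back instead of a fresh one.
set -eu

# ensure_host_key DIR TYPE: create DIR/ssh_host_TYPE_key and .pub if absent.
# Prints one status line, so generate() always returns a non-empty string
# (truthy in every Puppet version) and the caller can still include the
# keys class.
ensure_host_key() {
    dir="$1"; ktype="$2"
    key="$dir/ssh_host_${ktype}_key"
    if [ -s "$key" ] && [ -s "$key.pub" ]; then
        echo "kept $key"            # existing identity is never overwritten
        return 0
    fi
    # Only half of a pair present: treat as corrupt and regenerate both files.
    rm -f "$key" "$key.pub"
    ssh-keygen -q -t "$ktype" -N '' -C '' -f "$key"
    chmod 0600 "$key"               # private key: owner-only
    chmod 0644 "$key.pub"
    echo "generated $key"
}

# generate_host_keys DIR: one directory per node, e.g. the %H subtree that
# the [private] fileserver mount serves from.
generate_host_keys() {
    keysdir="$1"
    umask 077                       # nothing group/world readable while creating
    mkdir -p "$keysdir"
    chmod 0700 "$keysdir"           # readable only by the master's service user
    for t in rsa ecdsa ed25519; do
        ensure_host_key "$keysdir" "$t"
    done
}

# Called from the command line with the key directory as the only argument.
[ $# -eq 0 ] || generate_host_keys "$1"
```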
  • Chad Huneycutt at Nov 26, 2012 at 8:18 pm
    Take a look at https://github.com/gtcoc/sshkeys for an idea. It isn't
    documented well (yet), so here are some rough notes:

    * the module assumes you are using hiera to supply default arguments.
    you can see the default values in the hieradata directory
    * the sshkeys::hostkeys class best shows how it works:
    + the master makes a call (via generate) to a perl script (sshkeys.pl)
    + the perl script either retrieves or generates a new key for the host
    * assuming you set up hiera properly (or otherwise specify default
    parameter values), I think all you should need to use this is:

    on the puppet master: include sshkeys::install

    and on the nodes: include sshkeys::hostkeys

    * if you want to distribute the keys into a known_hosts file, then you
    have to set up a file serving location for the file and pull it down.
    I created a module that I use for serving various files in our
    environment, and I set the parameter
    'sshkeys::install::knownhosts_servedir' to put the file in the proper
    place. Then on all of my hosts I add a file resource:

    file { '/etc/ssh/ssh_known_hosts':
      source => 'puppet:///modules/ccfiles/ssh_known_hosts',
      mode   => '0444',
      owner  => 'root',
      group  => 'root',
    }

    Hope that helps,
    Chad
    On Mon, Nov 26, 2012 at 2:47 PM, Jakov Sosic wrote:
    > Hi.
    >
    > I'm wondering, is there a way to manage ssh servers in a way that every
    > machine has its own key?
    >
    > I'm talking about these files:
    >
    > /etc/ssh/ssh_host_dsa_key
    > /etc/ssh/ssh_host_dsa_key.pub
    > /etc/ssh/ssh_host_rsa_key
    > /etc/ssh/ssh_host_rsa_key.pub
    > /etc/ssh/ssh_host_key
    > /etc/ssh/ssh_host_key.pub
    >
    > Ideally I would like to have a module that replaces those files with
    > files from puppet server, for specific host, if they are available, and
    > if not, then to gather them from the client.
    >
    > I think this is not possible, so is there some sensible way to manage
    > those files in a different fashion? Holding every file under:
    >
    > /etc/puppet/files/ssh/<%= hostname =>
    >
    > is a possibility, but if someone has done this already I would appreciate
    > some hints.
    >
    > I'm trying to set up persistent ssh server keys across reinstallations
    > of hosts...
    >
    > --
    > Jakov Sosic
    > www.srce.unizg.hr



    --
    Chad M. Huneycutt


Discussion Overview
group: puppet-users
categories: puppet
posted: Nov 26, '12 at 7:47p
active: Dec 4, '12 at 10:19p
posts: 12
users: 4
website: puppetlabs.com