Burgundywall - Puppet, ssh_authorized_key and id

Puppet, ssh_authorized_key and id_rsa.pub

Kurt Neufeld @ December 20, 2012 wrote... (10 years, 3 months ago)

I just started using puppet a few days ago and so far I'm really liking it. Except it's in Ruby and not Python. If puppet was written in python I would have just hacked up a new derived class. Oh well…

So my problem is that I want to distribute new id_rsa and id_rsa.pub files to my servers but I also want to be DRY. So therefore when I copy the id files over it should be possible to extract the public key and put it in authorized_keys.

This should have been significantly easier but here's how I did it.

cd /etc/puppet
mkdir bin

Make a new file: bin/extract_key

#!/bin/bash
cut -d' ' -f2 $1| tr -d "\r\n\t "

chmod +x bin/extract_key

# /etc/puppet/manifests/nodes.pp
node 'mail.burgundywall.com' {
        class { 'user-sshkey':
                user => 'kneufeld',
                type => 'rsa',
        }
}

# /etc/puppet/modules/user-sshkey/manifests/init.pp
class user-sshkey($user,$type) {

        # out with old
        file { "/home/$user/.ssh/id_dsa": ensure=>absent }
        file { "/home/$user/.ssh/id_dsa.pub": ensure=>absent }

        # in with the new
        file { "/home/$user/.ssh/id_$type":
                ensure  => present,
                source  => "puppet:///modules/user-sshkey/$user/id_$type",
                owner   => $user,
                group   => $user,
                mode    => 0600,
        }
        file { "/home/$user/.ssh/id_$type.pub":
                ensure => present,
                source => "puppet:///modules/user-sshkey/$user/id_$type.pub",
                owner   => $user,
                group   => $user,
                mode    => 0644,
        }

        # install the new key
        ssh_authorized_key { "$user-auth-key":
                ensure  => present,
                user    => $user,
                type    => "ssh-$type",
                key     => generate( "/etc/puppet/bin/extract_key", "/etc/puppet/modules/user-sshkey/files/$user/id_$type.pub" ),
                require => [File["/home/$user/.ssh/id_$type.pub"]],
        }
}

Put id_rsa and id_rsa.pub in /etc/puppet/modules/user-sshkey/files/$user/

The magic line is key => generate(...). This is telling puppet to run our extract_key executable against our public keyfile and print just the key portion of the file as a whitespace trimmed string. That string is then assigned to key and Bob's your uncle.

The correct solution would be to a) derive a class, or b) send a patch upstream that adds the following:

extract => "/etc/puppet/modules/user-sshkey/files/$user/id_$type.pub"

Category: tech, Tags: linux, puppet, ssh

Comments: 0

Click here to add a comment