I'm trying to approach ssh authorized_keys distribution from another
angle. It seems like the standard method is to either put the ssh
public key into a variable in a puppet manifest or to place the file
within the puppet file hierarchy. I'm not happy with either of these
options, because I would like to create a user from start to finish as
hands-off as possible (including ssh key generation and propagation).
So I want the following to happen:
- Define a user in a puppet class
- Have puppet create that user's home directory and ssh public/private keys on the main server
- Export public keys into that user's authorized_keys file on every server
I have a method that does this (or so it seems), but the main problem
is that without some tomfoolery I can't figure out how to read a
file's contents into a variable only AFTER that file is created by an
exec command.
I have the following (after 'user' has been called):
    if $hostname == puppet {
        exec { "create-ssh-key-$n...@$domain":
            command => "ssh-keygen -t rsa -C '$name@$domain' -N '' -q -f /home/$name/.ssh/id_rsa",
            path    => "/usr/bin:/bin",
            creates => ["/home/$name/.ssh/id_rsa", "/home/$name/.ssh/id_rsa.pub"],
            require => [ User["$name"], File["/home/$name/.ssh/"] ],
            before  => Ssh_authorized_key["$n...@$domain"],
            user    => $name,
        }
        @@ssh_authorized_key { "$n...@$domain":
            ensure  => present,
            key     => generate("/usr/bin/cut", "-f2", "-d ", "/home/$name/.ssh/id_rsa.pub"),
            target  => "/home/$name/.ssh/authorized_keys",
            type    => ssh-rsa,
            user    => $name,
            name    => "$n...@$domain",
            require => User["$name"],
        }
    }
    Ssh_authorized_key <<| name == "$n...@$domain" |>>
However, unless I completely remove the ssh_authorized_key call until
the user exists, I wind up with this error:
    May 16 00:44:12 puppet puppetmasterd[22843]: Failed to execute generator /usr/bin/cut: Execution of '/usr/bin/cut -f2 -d /home/user/.ssh/id_rsa.pub' returned 1: /usr/bin/cut: /home/user/.ssh/id_rsa.pub: No such file or directory at /etc/puppet/modules/users/manifests/init.pp:34 on node puppetmaster
I've tried a number of different requires, befores, and splitting
things into multiple files/classes/defines to try to force the
execution order that I want but to no avail. It seems like 'generate'
is always run early, and so the user and id_rsa.pub file haven't been
made yet.
I finally used the following tactic:
    key => file("/home/$name/.ssh/id_rsa.pub", "/etc/ssh/ssh_host_key.pub")
so that the first execution puts the host's public key into
authorized_keys (which serves no purpose, but it's the same format and
that file will always exist) and the second execution does the right
thing. But it's pretty gross, and it means users will take a longer
time than necessary to fully propagate.
Is there some method that I'm overlooking to force puppet to schedule
'ssh_authorized_key' after 'exec' in this case?
--
Simon Kuhn
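As an added example, not code from the original post or from Puppet itself: the reason the ordering can never be forced is that generate() and file() run while the master compiles the catalog, whereas the exec runs later when the agent applies it, so the key file cannot exist on the compile that first asks for it. One way around that split is to let the agent report the generated public key as a custom Facter fact; facts are collected before compilation, so the run after the exec can compile the export from the fact and validate the key body before it is pushed into every host's authorized_keys. The fact name ssh_pubkey_<user>, the /home/<user>/.ssh/id_rsa.pub path shape (taken from the post) and the ed25519 sample key are assumptions of this example.

```ruby
# Added example: discover generated OpenSSH public keys under /home and
# expose each as a Facter fact (assumed name: ssh_pubkey_<user>).
require 'base64'
require 'tmpdir'

# Parse one line of an OpenSSH public key file into type, key body and
# comment. Returns nil for anything malformed or of an unexpected type,
# so only a verified key body is ever exported to every host.
def parse_openssh_pubkey(line, allowed_types = %w[ssh-rsa ssh-ed25519])
  fields = line.to_s.strip.split(' ', 3)
  return nil if fields.size < 2
  type, key, comment = fields
  return nil unless allowed_types.include?(type)
  begin
    blob = Base64.strict_decode64(key)
  rescue ArgumentError
    return nil
  end
  # The wire format begins with a length-prefixed string naming the key
  # type; it must agree with the first field of the line.
  len = blob[0, 4].to_s.unpack1('N')
  return nil if len.nil? || blob[4, len] != type
  { type: type, key: key, comment: comment.to_s }
end

# Scan <home_base>/*/.ssh/id_rsa.pub and return { user => key body } for
# every parseable key. A user whose key has not been generated yet is
# simply absent, so a first run does not abort catalog compilation.
def discover_user_pubkeys(home_base = '/home')
  pattern = File.join(home_base, '*', '.ssh', 'id_rsa.pub')
  Dir.glob(pattern).sort.each_with_object({}) do |path, acc|
    user = File.basename(File.dirname(File.dirname(path)))
    pk = parse_openssh_pubkey(File.read(path).lines.first)
    acc[user] = pk[:key] if pk
  end
end

# Register one fact per discovered key when loaded by Facter; the helpers
# above also work stand-alone for testing.
if defined?(Facter)
  discover_user_pubkeys.each do |user, key|
    Facter.add("ssh_pubkey_#{user}") { setcode { key } }
  end
end
```

With this fact in place the manifest no longer needs the before/require dance: the exec on the master stays as written, and the exported resource is declared only when the fact is present, with its key attribute set to that fact value instead of generate(). The first run generates the key and exports nothing; the second run sees the fact and exports the validated key body, which is the same two-run behaviour as the ssh_host_key.pub workaround but without ever placing a host key in authorized_keys.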