Take a look at https://github.com/gtcoc/sshkeys for an idea. It isn't
documented well (yet), so here are some rough notes:
* the module assumes you are using hiera to supply default arguments.
you can see the default values in the hieradata directory
* the sshkeys::hostkeys class best shows how it works:
+ the master makes a call (via generate) to a perl script (sshkeys.pl)
+ the perl script either retrieves or generates a new key for the host
* assuming you set up hiera properly (or otherwise specify default
parameter values), I think all you should need to use this is:
on the puppet master: include sshkeys::install
and on the nodes: include sshkeys::hostkeys
* if you want to distribute the keys into a known_hosts file, then you
have to set up a file serving location for the file and pull it down.
I created a module that I use for serving various files in our
environment, and I set the parameter
'sshkeys::install::knownhosts_servedir' to put the file in the proper
place. Then on all of my hosts I add a file resource:
  file { '/etc/ssh/ssh_known_hosts':
    source => 'puppet:///modules/ccfiles/ssh_known_hosts',
    mode   => '0444',
    owner  => 'root',
    group  => 'root',
  }
Hope that helps,
Chad
On Mon, Nov 26, 2012 at 2:47 PM, Jakov Sosic <[email protected]> wrote:
> Hi.
>
> I'm wondering whether there is a way to manage ssh servers, in a way that every
> machine has its own key?
>
> I'm talking about these files:
>
> /etc/ssh/ssh_host_dsa_key
> /etc/ssh/ssh_host_dsa_key.pub
> /etc/ssh/ssh_host_rsa_key
> /etc/ssh/ssh_host_rsa_key.pub
> /etc/ssh/ssh_host_key
> /etc/ssh/ssh_host_key.pub
>
>
> Ideally I would like to have a module that replaces those files with
> files from puppet server, for specific host, if they are available, and
> if not, then to gather them from the client.
>
> I think this is not possible, so is there some sensible way to manage
> those files in a different fashion? Holding every file under:
>
> /etc/puppet/files/ssh/<%= hostname %>
>
> is a possibility, but if someone has done this already I would appreciate
> some hints.
>
>
> I'm trying to set up persistent ssh server keys across reinstallations
> of hosts...
>
>
> --
> Jakov Sosic
> www.srce.unizg.hr
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
--
Chad M. Huneycutt
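The retrieve-or-generate step that sshkeys.pl performs on the master, written out as an added illustration (this is not code from the gtcoc/sshkeys module). It assumes a per-host store directory on the master and ed25519 keys, validates the agent-supplied hostname before using it as a path component (the certname is attacker-influenced input on the master, so a name like "../etc" must not escape the store), and builds the ssh_known_hosts file that the file resource above distributes.

```python
"""Retrieve-or-generate SSH host keys on the Puppet master (illustrative)."""
import os
import re
import subprocess
from pathlib import Path

# Hostnames arrive from the agent, so validate them before using one as a
# directory name under STORE: no slashes, no leading dot, sane length.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def ssh_keygen(private_path: Path, hostname: str) -> None:
    """Default generator: shells out to ssh-keygen (ed25519, no passphrase)."""
    subprocess.run(
        ["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-C", f"root@{hostname}",
         "-f", str(private_path)],
        check=True,
    )


def ensure_hostkey(store: Path, hostname: str, generator=ssh_keygen) -> str:
    """Return the host's public key line, generating a key pair on first use.

    Keys live in <store>/<hostname>/ssh_host_ed25519_key{,.pub}; because they
    stay on the master, a reinstalled node gets its old key back instead of a
    fresh one, which is what keeps known_hosts entries valid across rebuilds.
    """
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"refusing suspicious hostname: {hostname!r}")
    hostdir = store / hostname
    priv = hostdir / "ssh_host_ed25519_key"
    pub = priv.with_suffix(".pub")
    if not pub.exists():
        hostdir.mkdir(parents=True, exist_ok=True, mode=0o700)
        generator(priv, hostname)
        os.chmod(priv, 0o600)  # private half must never be world-readable
    return pub.read_text().strip()


def build_known_hosts(store: Path) -> str:
    """Assemble the ssh_known_hosts file served to every node from the store."""
    lines = []
    for pub in sorted(store.glob("*/ssh_host_ed25519_key.pub")):
        keytype, blob = pub.read_text().split()[:2]  # drop the comment field
        lines.append(f"{pub.parent.name} {keytype} {blob}")
    return "\n".join(lines) + "\n"
```

The generator is injectable so the store logic can be exercised without ssh-keygen; in production the default generator is used and the store directory should be readable only by the puppet master user.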