Initial ssh key management functionality in trunk

2013-12-13 Thread Ian Booth
Bug 834930

For those folks wanting a way to manage authorised ssh keys within Juju, trunk
now has that functionality. There are 4 commands:

add - add ssh keys for a Juju user
delete - delete ssh keys for a Juju user
list - list ssh keys for a Juju user
import - import Launchpad or Github ssh keys

For more details, run juju authorised-keys to see some help printed.

Currently, the default (and only) Juju user for an environment is admin. This
will change as support for users and roles etc comes along in the future. So for
now, think of Juju's ssh key management as a way to allow people other than the
person who bootstrapped an environment the ability to ssh into Juju 
machines/nodes.

I'm guessing people will mostly use import to pull in ssh keys from Launchpad or
Github eg juju authorised-keys import lp:wallyworld. But for clouds which do
not have access to the internet, add is useful since it allows a full key to
be imported directly.

When deleting keys, you use the key fingerprint or comment to specify what to
delete. You can find the fingerprint for a key using ssh-keygen.

Note that right now, keys are global and grant access to all machines. When a
key is added, it is propagated to all machines in the environment. When a key is
deleted, it is removed from all machines.

For manually provisioned machines, which may already have their own authorised
ssh keys before being added to the Juju environment, these keys are retained and
not managed or deleted by Juju. Juju will prepend Juju: to all key comments
for keys which it has added to a machine so that it knows which ones to ignore.

Hopefully the functionality is useful. I expect it may well need to be refined
as things progress with user permissions and roles. Please file bugs if you
encounter any issues or usability concerns etc.




-- 
Juju-dev mailing list
Juju-dev@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/juju-dev
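The delete-by-fingerprint-or-comment behaviour and the `Juju:` comment marker described in the post above, as an added example (not Juju's own code). It assumes the SHA256 fingerprint form printed by current `ssh-keygen -lf` and plain `type blob comment` lines; the function names and sample keys are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// jujuPrefix is the marker the post says Juju prepends to comments of keys it adds.
const jujuPrefix = "Juju:"

// Constructed sample (placeholder blobs): one pre-existing key, two Juju-added keys.
const sample = `ssh-ed25519 AAAAC29uc3RydWN0ZWRLZXlB alice@laptop
ssh-ed25519 AAAAC29uc3RydWN0ZWRLZXlB Juju:alice@laptop
ssh-rsa AAAAC29uc3RydWN0ZWRLZXlC Juju:bob@desk`

// fingerprint returns the key blob's fingerprint in SHA256 form (assumption:
// the post does not say which hash is used); "" if the blob is not base64.
func fingerprint(b64 string) string {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return ""
	}
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// deleteManaged drops Juju-marked keys whose fingerprint or comment equals id.
// Lines without the marker, or that do not parse as "ssh-* blob comment", stay.
func deleteManaged(authorizedKeys, id string) (kept string, removed int) {
	var out []string
	for _, line := range strings.Split(authorizedKeys, "\n") {
		f := strings.Fields(line)
		if len(f) >= 3 && strings.HasPrefix(f[0], "ssh-") && strings.HasPrefix(f[2], jujuPrefix) {
			comment := strings.TrimSpace(strings.TrimPrefix(strings.Join(f[2:], " "), jujuPrefix))
			if id != "" && (id == fingerprint(f[1]) || id == comment) {
				removed++
				continue
			}
		}
		out = append(out, line)
	}
	return strings.Join(out, "\n"), removed
}

func main() {
	kept, n := deleteManaged(sample, "bob@desk")
	fmt.Printf("removed %d, kept:\n%s\n", n, kept)
}
```

In the sample, the first two lines carry the same key: deleting it by fingerprint removes only the `Juju:`-marked copy, so the pre-existing entry on a manually provisioned machine still grants access and has to be reviewed separately.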


Re: Initial ssh key management functionality in trunk

2013-12-13 Thread Aaron Bentley

On 13-12-13 03:55 AM, Ian Booth wrote:
> I'm guessing people will mostly use import to pull in ssh keys from
> Launchpad or Github eg juju authorised-keys import lp:wallyworld.
> But for clouds which do not have access to the internet, add is
> useful since it allows a full key to be imported directly.

If lp: URLs are supported, I recommend using lp:~wallyworld for
consistency with other lp: URLs.

Aaron


Re: Initial ssh key management functionality in trunk

2013-12-13 Thread Ian Booth
On 14/12/13 00:22, Aaron Bentley wrote:
> On 13-12-13 03:55 AM, Ian Booth wrote:
>> I'm guessing people will mostly use import to pull in ssh keys from
>> Launchpad or Github eg juju authorised-keys import lp:wallyworld.
>> But for clouds which do not have access to the internet, add is
>> useful since it allows a full key to be imported directly.
>
> If lp: URLs are supported, I recommend using lp:~wallyworld for
> consistency with other lp: URLs.

The utility which retrieves the keys is /usr/bin/ssh-import-id.
So the key id format is determined by that. As well as lp:username, it also
supports retrieving keys from Github using gh:username.


Re: Initial ssh key management functionality in trunk

2013-12-13 Thread Kapil Thangavelu
whether it supports gh:username is somewhat dependent on distro version,
afaics precise versions of ssh-import-id do not support it. if we want to
support the large repository of keys and users from gh on precise, we
should just implement the lookup and addition in go.. key retrieval from
either lp/gh is a simple http get away.


On Fri, Dec 13, 2013 at 7:33 PM, Ian Booth ian.bo...@canonical.com wrote:

> On 14/12/13 00:22, Aaron Bentley wrote:
>> On 13-12-13 03:55 AM, Ian Booth wrote:
>>> I'm guessing people will mostly use import to pull in ssh keys from
>>> Launchpad or Github eg juju authorised-keys import lp:wallyworld.
>>> But for clouds which do not have access to the internet, add is
>>> useful since it allows a full key to be imported directly.
>>
>> If lp: URLs are supported, I recommend using lp:~wallyworld for
>> consistency with other lp: URLs.
>
> The utility which retrieves the keys is /usr/bin/ssh-import-id.
> So the key id format is determined by that. As well as lp:username, it
> also supports retrieving keys from Github using gh:username.