It appears the ssh keys would have to be for the puppet user on the puppetmasterd server. How can I be assured that the key is not used for evil?
Would I need to write a bunch of fugly stuff in my sshd_config to limit what the puppet user can do via the ssh command? Any examples?

---
Thanks,
Allan Marcus
505-667-5666

On Jul 1, 2009, at 10:19 AM, Michael Semcheski wrote:

>
> On Wed, Jul 1, 2009 at 12:02 PM, Kurt Engle<kurt.en...@gmail.com> wrote:
>> Wouldn't I achieve the same outcome with using a single cert for all
>> machines without the need for special scripts to delete certs from the
>> server and delete files from the client? Also, with respect to autosign...
>> would I really be able to turn it off using the SSH method below?
>
> The client creates a cert and then gives it to the server. You tell
> the server to authorize it or not. But that process doesn't
> necessarily require manual intervention. It is very scriptable.
>
> The ssh method I described would be able to do all of that, and it
> would probably be simpler to implement than you realize, assuming the
> freshly imaged machines could ssh to the puppetmaster.
>
> The script would be something like this...
>
> HOSTNAME=`hostname -f`
> ssh puppetmaster "/usr/sbin/puppetca --clear $HOSTNAME"
> puppetd -w 90
> ssh puppetmaster "/usr/sbin/puppetca -s $HOSTNAME"
>
> Then add a module that removes that script from the machine.
>
> In the example I gave above, I can't remember the specific options
> that puppetca requires, but I think it's close.
>
> Again, all you need to do is add the ssh key to the base image, and
> add it to the authorized_keys on the puppetmaster.
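The restriction Allan asks about does not need anything in sshd_config: a forced command (`command="..."`) on the key's line in the puppet user's authorized_keys makes sshd run that command no matter what the client requested, with the client's request placed in SSH_ORIGINAL_COMMAND. Below is an added example of such a wrapper, not code from the thread or from Puppet; it passes through only the two calls Michael's script makes (`puppetca --clear <fqdn>` and `puppetca -s <fqdn>`, whose exact options the thread itself does not confirm), and the script name, install path and key options are assumptions.

```shell
#!/bin/sh
# puppetca-guard: forced command for the base image's ssh key in the puppet
# user's ~/.ssh/authorized_keys on the puppetmaster. Assumed key line
# (path, options and comment are assumptions, not from the thread):
#
#   command="/usr/local/bin/puppetca-guard --guard",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... base-image
#
# sshd runs this instead of whatever the client asked for and exposes the
# client's request in SSH_ORIGINAL_COMMAND. Only "puppetca --clear <fqdn>"
# and "puppetca -s <fqdn>" are passed through; everything else is logged
# and refused, so the key cannot be turned into a shell or a wildcard.
set -f                                  # no globbing of the untrusted request
PUPPETCA=/usr/sbin/puppetca             # path used in the thread

# A hostname is dot-separated labels of [A-Za-z0-9-], no leading/trailing
# dot or hyphen, no empty label, at most 253 characters.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*.-*|*-.*) return 1 ;;
    esac
    [ ${#1} -le 253 ]
}

# allow_command REQUEST: prints "<option> <fqdn>" when REQUEST is exactly
# "puppetca --clear <fqdn>" or "puppetca -s <fqdn>"; returns 1 otherwise.
allow_command() {
    set -- $1                           # split on whitespace only (set -f above)
    [ $# -eq 3 ] || return 1
    [ "$1" = "$PUPPETCA" ] || [ "$1" = puppetca ] || return 1
    case "$2" in
        --clear|-s) ;;
        *) return 1 ;;
    esac
    valid_host "$3" || return 1
    printf '%s %s\n' "$2" "$3"
}

main() {
    args=$(allow_command "${SSH_ORIGINAL_COMMAND:-}") || {
        logger -t puppetca-guard "refused: ${SSH_ORIGINAL_COMMAND:-<no command>}"
        echo "puppetca-guard: command not allowed" >&2
        exit 1
    }
    set -- $args
    logger -t puppetca-guard "allowed: puppetca $1 $2"
    exec "$PUPPETCA" "$1" "$2"
}

# Only act when sshd invokes the guard with --guard; sourcing it is inert.
if [ "${1:-}" = --guard ]; then main; fi
```

The guard assumes the puppet user on the master is allowed to run puppetca; the `no-pty` and `no-*-forwarding` options on the key line close the remaining uses of the key that a forced command alone does not.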