I'm writing a module for centralized creation, distribution, and revocation of ssh key pairs for users. It's tentatively called ssh::authkey. It aims to be a complete solution for centrally managing users' ssh keys.
The module is superficially similar to the Authorized keys recipe, but unlike the recipe it will provide drop-in code, will only manage keys (not user accounts), and will come with a fully documented interface and examples of use. I've also made some different design choices and removed some requirements, compared to the recipe. The module does fill a need. I started writing it because I wanted the facility myself, and the existing tools didn't provide it. The documentation is about 75% done, and the code is about 50% done. I've excerpted some of the draft documentation below, to give an idea of what the module will do, and why we need another ssh-related module. Comments on this proposal are welcome. Question: Can I be allowed to create a new page on the wiki to host the module and documentation? I tried to do this by e.g. going to http://reductivelabs.com/trac/puppet/wiki/SshAuthKey , but all I get is "Page SshAuthKey not found". It seems that I don't have the rights to create a page. Thanks, Andrew. Documentation excerpt (draft): ============ ssh::authkey ============ Description ----------- ssh\::authkey provides centralized creation, distribution, and revocation of ssh key pairs for users. There are three types of hosts involved: ========= ================================================ Role Description ========= ================================================ keymaster the host that creates and distributes ssh keys. server a host running an ssh server. client a host with users who want to log in to servers. ========= ================================================ One host may fulfill multiple roles. At present though, the keymaster has to be located on the same host as the puppetmaster, since all files are read on the puppetmaster. Features -------- * Each user may have one or more ssh key pairs, centrally created on the keymaster and distributed to servers and clients. * Each key pair may be installed onto any set of clients, and enabled for authentication on any set of servers. * Keys may have login options set as in authorized_keys(5), e.g. to disable shell access or force certain commands to run. * Keys may be enabled for authenticating as other users. * Keys can be uninstalled or revoked, either manually or automatically at given intervals, and new ones automatically created and distributed. Future features: * ssh\::authkey::server and ssh\::authkey::client accept just '*' as an argument, to distribute all available keys. Basic Usage ----------- To create and distribute a key pair for user alice:: include ssh::authkey # On the keymaster: create a key pair (RSA, 2048 bits). node keymaster { ssh::authkey::master { alice: } } # On an ssh server: # Authorize alice's key to authenticate her on this server. node sshserver { ssh::authkey::server { alice: } } # On a client: # Install alice's private key, so she can log in from there. node sshclient { ssh::authkey::client { alice: } } Comparisons ----------- ssh\::authkey aims to provide a complete solution for managing ssh keys for users, with a well-defined and documented interface. Here is how it compares to the other ssh-related tools available in Puppet: sshkey ...... sshkey is a native type in Puppet. It manages host key pairs, and it might be made to manage user key pairs too, but it won't generate them or install them into authorized_keys files on servers. ssh_authorized_key .................. ssh_authorized_key is a native type in Puppet for managing ssh *public* keys for users. It will install or remove public keys into authorized_keys files on servers, but it won't create key pairs, or manage the private half of the key pair. It also has a few `quirks <http://projects.reductivelabs.com/issues/1164>`_. Authorized keys recipe ...................... The `Authorized keys recipe <http://reductivelabs.com/trac/puppet/wiki/Recipes/Authorized_keys>`_ provides many of the same features as ssh\::authkey. However it has several problems: * It's poorly documented. * It doesn't provide installable module code. * The provided code mixes together general key classes and definitions, of the type provided by ssh\::authkey, with the particulars of how the author wants to manage his accounts. * It enforces root ownership and control of the key files. Assumptions and Limitations --------------------------- * The keymaster must currently be colocated with the puppetmaster, since the keymaster reads file from the file system, which in Puppet always refers to files on the puppetmaster. * The created private keys are unencrypted, i.e. they have empty passphrases. Users can add passphrases themselves using ssh-keygen -p, or, if you feel you need the keys to have passphrases, you could probably add a passphrase-creation step before distributing the keys. (If you create such a facility, please consider submitting it for inclusion into ssh\::authkey.) Note however, that in general there is no way to force users to encrypt their private keys, since even if you force a user to create a passphrase, they can always remove it later with ssh-keygen -p. There is also no way for a server to detect whether a key has a passphrase -- nevermind a strong one. This is a limitation of ssh. * ssh-keygen(1) (provided by the openssh-client package in Debian) must be present on the keymaster, or ssh\::authkey::master will fail. No other ssh binaries or packages are required on any hosts (ssh\::authkey just manipulates key files). * find(1) on the puppetmaster must support the ``-mtime`` and ``-newermt`` options, if you want to use the maxdaysold and mincreationdate parameters, respectively. GNU find supports these options. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
