On Fri, 26 Feb 2010 12:58:51 -0700
Alan Sparks <aspa...@doublesparks.net> wrote:

> Puppet 0.24.8... I am trying to use ssh_authorized_key to create
> passwordless logins for a couple of accounts.  The important thing to
> note is I'm trying to get the source ("r...@somehost" below) as part
> of the key, and the same key needs to be added to two different
> accounts on the system.

AFAIK, the last part of an ssh key is a free comment, and it is used by
puppet to uniquely identify ssh_authorized_key resources. What I usually
do is call my resources something like:

ssh_authorized_key { "marc's key on root's account": ... }
ssh_authorized_key { "marc's key on marc's account": ... }

> It appears that the resource name is the only place I can set the
> originating source (whatever the correct term is) for the key.
> 
> ssh_authorized_key { "r...@somehost":
>             ensure  => present,
>             type    => ssh-rsa,
>             target => '/home/xx/.ssh/authorized_keys',
>             key     => 'xxxx removed for brevity xxx',
>             user    => "xx",
>             require => User["xx"]
> }

The user and target parameters are mutually exclusive. You shouldn't
need to use both. I'm not sure which one takes over if both are defined.

An ssh key is expected to be one long string without spaces, so I can
imagine in this case the ssh_authorized_key type is unable to decide
where the key ends and where the comment starts, as the key has
whitespaces.

Maybe we should file a bug about this: ssh_authorized_key should refuse
keys which have whitespaces.

In any case, what about doing this instead:

# xxxx removed for brevity xxx
ssh_authorized_key { "r...@somehost":
  ensure => absent,
  ...
}

> So the above will create an authorized_keys value like:
> ssh-rsa xxxx removed for brevity xxx r...@somehost
> 
> But if I need the same key installed for a different user, I'm stuck
> -- I can't use the same resource name to create the "r...@somehost"
> restriction.  And I can't see another way to specify that value.
> 
> Is there any way to accomplish this, without abandoning
> ssh_authorized_key?  Thanks in advance.

Paul: why do you think ssh_authorized_key is terrible? Do you think
the behaviour should be different?

Marc
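
One way to implement the check suggested in the message above (refusing a `key` value that contains whitespace), as an added example that is not code from this thread or from Puppet. `key_param_problems` and `sample_key` are hypothetical names and the sample key is constructed; the example goes one step further and also checks that the algorithm name embedded in the base64 blob matches the declared `type`.

```ruby
# Hypothetical helper (not part of Puppet): checks the values that would go
# into the `type` and `key` parameters of an ssh_authorized_key resource.
def key_param_problems(type, key)
  problems = []
  # Whitespace means a type prefix or a comment was pasted in with the blob,
  # so the resulting authorized_keys line could not be split unambiguously.
  return problems << 'key contains whitespace' if key =~ /\s/

  begin
    blob = key.unpack1('m0') # strict base64 decode, raises on bad input
  rescue ArgumentError
    return problems << 'key is not valid base64'
  end

  # An SSH public key blob starts with a 4-byte big-endian length followed
  # by the algorithm name, which should equal the declared type.
  len = blob.unpack1('N')
  name = len && blob.byteslice(4, len)
  problems << "blob is for #{name.inspect}, not #{type}" unless name == type
  problems
end

# Constructed sample blob: length-prefixed algorithm name plus filler bytes.
# It has the right framing but is not a usable key.
def sample_key(algo)
  [[algo.bytesize].pack('N') + algo + ("\x00" * 16)].pack('m0')
end

SAMPLE = sample_key('ssh-rsa')

if __FILE__ == $PROGRAM_NAME
  {
    'blob only'               => ['ssh-rsa', SAMPLE],
    'whole line pasted as key' => ['ssh-rsa', "ssh-rsa #{SAMPLE} root@host"],
    'type does not match blob' => ['ssh-dss', SAMPLE],
    'not base64'               => ['ssh-rsa', 'not*base64']
  }.each do |label, (type, key)|
    puts "#{label}: #{key_param_problems(type, key).inspect}"
  end
end
```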

