Hi Jonathan,

On Thu, Jan 26, 2012 at 5:40 AM, Jonathan Gazeley <jonathan.gaze...@bristol.ac.uk> wrote:
> Hi all,
>
> I already use Puppet to collect and distribute SSH host public keys between
> machines I manage. I now want to collect private host keys from each node
> and store them on the puppetmaster, so when I rebuild a node it receives the
> same key.

Sure.

> Is there an easy way of doing this?

I don't know about "easy", but here is what I am doing:

Set up a "private" fileserver for your nodes. This is where I put sensitive
node data (like ssh host keys). Then configure your manifest to pull in the
files from there.

Here are some of the relevant files:

$ cat /etc/puppet/fileserver.conf
# This file consists of arbitrarily named sections/modules
# defining where files are served from and to whom

# Define a section 'files'
# Adapt the allow/deny settings to your needs. Order
# for allow/deny does not matter, allow always takes precedence
# over deny
[files]
  path /etc/puppet/files
#  allow *.example.com
#  deny *.evil.example.com
#  allow 192.168.0.0/24

[plugins]
#  allow *.example.com
#  deny *.evil.example.com
#  allow 192.168.0.0/24

[private]
  path /etc/puppet/private/%h
  allow *

$ cat /etc/puppet/modules/ssh/manifests/init.pp
class ssh::install {
  package { "ssh":
    ensure => present,
  }
}

class ssh::service {
  service { "ssh":
    ensure     => running,
    enable     => true,
    hasrestart => true,
    require    => Class["ssh::install"],
  }
}

class ssh::config($sshd_config_source = "puppet:///modules/ssh/etc/ssh/sshd_config") {
  file { "/etc/ssh/sshd_config":
    owner   => "root",
    group   => "root",
    mode    => 0644,
    source  => $sshd_config_source,
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }

  file { "/etc/ssh/ssh_host_dsa_key":
    owner   => "root",
    group   => "root",
    mode    => 0600,
    source  => "puppet:///private/etc/ssh/ssh_host_dsa_key",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }

  file { "/etc/ssh/ssh_host_dsa_key.pub":
    owner   => "root",
    group   => "root",
    mode    => 0644,
    source  => "puppet:///private/etc/ssh/ssh_host_dsa_key.pub",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }

  file { "/etc/ssh/ssh_host_rsa_key":
    owner   => "root",
    group   => "root",
    mode    => 0600,
    source  => "puppet:///private/etc/ssh/ssh_host_rsa_key",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }

  file { "/etc/ssh/ssh_host_rsa_key.pub":
    owner   => "root",
    group   => "root",
    mode    => 0644,
    source  => "puppet:///private/etc/ssh/ssh_host_rsa_key.pub",
    require => Class["ssh::install"],
    notify  => Service["ssh"],
  }
}

class ssh($sshd_config_source = "puppet:///modules/ssh/etc/ssh/sshd_config") {
  include ssh::install, ssh::service
  class { "ssh::config":
    sshd_config_source => $sshd_config_source
  }
}

$ ls -alh /etc/puppet/private/nodehostname/etc/ssh
total 24K
drwxr-xr-x 2 root root 4.0K Jan 18 11:35 .
drwxr-xr-x 5 root root 4.0K Jan 18 11:35 ..
-rw-r--r-- 1 root root  668 Jan 18 11:35 ssh_host_dsa_key
-rw-r--r-- 1 root root  598 Jan 18 11:35 ssh_host_dsa_key.pub
-rw-r--r-- 1 root root 1.7K Jan 18 11:35 ssh_host_rsa_key
-rw-r--r-- 1 root root  390 Jan 18 11:35 ssh_host_rsa_key.pub

HTH,

-Matt Zagrabelny

--
"This space was intentionally left blank as to not advertise to you what
cellular provider nor what iDevice was used to send you an email."
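The per-host mount above works because Puppet expands %h in the mount path to the requesting client's hostname, so each node can only fetch its own directory even with "allow *". The weak spot is the master itself: the ls listing shows the private keys stored there with mode 0644, readable by anyone with a shell on the puppetmaster. The following script is an added example, not code from this thread or from Puppet, that resolves a [private] mount the way the fileserver does and audits a tree in that layout for world-readable private keys and orphaned key files. The sample fileserver.conf, the host names and the key file contents are all constructed placeholders; the directory tree is built in a temporary directory so it runs offline.

```python
"""Audit a per-host Puppet 'private' fileserver tree for SSH host keys.

Added example (not code from the thread). Assumes the layout described in
the reply: a [private] mount whose path contains %h, and under each host
directory an etc/ssh/ with ssh_host_*_key and ssh_host_*_key.pub files.
Every file written here is a constructed placeholder, not a real key.
"""
import os
import re
import stat
import tempfile

# Constructed fileserver.conf mirroring the mounts in the reply.
SAMPLE_FILESERVER_CONF = """\
[files]
  path /etc/puppet/files
[private]
  path /etc/puppet/private/%h
  allow *
"""

PRIVATE_KEY_RE = re.compile(r"^ssh_host_[a-z0-9]+_key$")


def parse_fileserver_conf(text):
    """Return {mount: {option: [values]}} from fileserver.conf text."""
    mounts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = header.group(1)
            mounts[current] = {}
            continue
        key, _, value = line.partition(" ")
        mounts[current].setdefault(key, []).append(value.strip())
    return mounts


def mount_path_for(mounts, mount, hostname):
    """Resolve a mount's on-disk path for one client by expanding %h."""
    return mounts[mount]["path"][0].replace("%h", hostname)


def audit_private_tree(root):
    """Walk <root>/<host>/etc/ssh and return (host, file, problem) findings."""
    findings = []
    for host in sorted(os.listdir(root)):
        ssh_dir = os.path.join(root, host, "etc", "ssh")
        if not os.path.isdir(ssh_dir):
            findings.append((host, "etc/ssh", "missing"))
            continue
        names = set(os.listdir(ssh_dir))
        for name in sorted(names):
            if not PRIVATE_KEY_RE.match(name):
                continue
            mode = stat.S_IMODE(os.stat(os.path.join(ssh_dir, name)).st_mode)
            # A private host key readable by group/other on the master
            # exposes every future rebuild of that host.
            if mode & 0o077:
                findings.append((host, name, "mode %04o, expected 0600" % mode))
            if name + ".pub" not in names:
                findings.append((host, name, "no matching .pub"))
    return findings


def build_sample_tree():
    """Create a constructed tree: one host stored with 0644 private keys
    (as in the ls listing from the reply) and one host stored correctly."""
    root = tempfile.mkdtemp(prefix="puppet-private-")
    layout = {
        "nodehostname": {"ssh_host_rsa_key": 0o644, "ssh_host_rsa_key.pub": 0o644,
                         "ssh_host_dsa_key": 0o644},
        "goodhost": {"ssh_host_rsa_key": 0o600, "ssh_host_rsa_key.pub": 0o644},
    }
    for host, files in layout.items():
        ssh_dir = os.path.join(root, host, "etc", "ssh")
        os.makedirs(ssh_dir)
        for name, mode in files.items():
            path = os.path.join(ssh_dir, name)
            with open(path, "w") as fh:
                if name.endswith(".pub"):
                    fh.write("ssh-rsa AAAA placeholder@%s\n" % host)
                else:
                    fh.write("-----BEGIN RSA PRIVATE KEY-----\n"
                             "constructed placeholder, not a real key\n"
                             "-----END RSA PRIVATE KEY-----\n")
            os.chmod(path, mode)
    return root


if __name__ == "__main__":
    mounts = parse_fileserver_conf(SAMPLE_FILESERVER_CONF)
    print("nodehostname sees:", mount_path_for(mounts, "private", "nodehostname"))
    for finding in audit_private_tree(build_sample_tree()):
        print("%s: %s: %s" % finding)
```

Run it against the real tree by replacing build_sample_tree() with the resolved mount root (the path from fileserver.conf with the %h component stripped); anything it reports for a private key should be fixed with chmod 0600 on the master before that key is served to a rebuilt node.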