Generate user SSH keys on nodes and make public keys available as facts. These
facts can then be collected as exported resources to populate
ssh_authorized_key resources.
Note that, with this workflow, the agent will have to run twice before the keys are available -- facts are collected before resources are created, so the first time through the keypair will be generated and the second time the public key will be available as a fact.
Note, that, also populating the user_ssh_pubkey external fact is (currently)
unimplemented.
Facts with the following formats are created, which correspond with the
parameters for the ssh_authorized_key type:
- <username>_ssh(rsa|dsa|ecdsa|ed25519)key
- <username>_ssh(rsa|dsa|ecdsa|ed25519)key_comment
- <username>_ssh(rsa|dsa|ecdsa|ed25519)key_type
The list of users whose public keys are to be collected as facts is configured
by the user_ssh_pubkey fact, which can be set using external facts. For
example:
$ cat /etc/facter/facts.d/user_ssh_pubkey.yaml
---
user_ssh_pubkey: jensenb,alice,bob
Type user_ssh_pubkey can be used to generate DSA or RSA keys on nodes.
Parameters are consistent with parameters for ssh_authorized_key where
possible.
Currently this is implemented as a Puppet defined type, which results in an
exec type which runs ssh-keygen.
Keys are generated with null passphrases.
- 
name The SSH key comment. Ideally this would be something like "$user/ssh-$type@$::fqdn"; if so, the user and type parameters can be left unspecified. 
- 
user namevar The user in whose home directory to create the key. 
- 
target The absolute filename base to store the private and public keys in. This parameter should generally be avoided, as it breaks the facts. 
- 
type The key type: "dsa", "rsa", "ecdsa", "ed25519". Note that semantics of this parameter are different from the *_typefact and "type" parameter forssh_authorized_key.
- 
user The user account in which the SSH key should be generated. 
- 
bits The number of bits in the key. See ssh-keygen(1)for limits.
For the source or client node, generate an SSH key, collect the fact and
create an exported ssh_authorized_key resource:
user_ssh_pubkey { "repocloner/ssh-rsa@${::fqdn}": }
file { '/etc/facter/facts.d/user_ssh_pubkey.txt':
  ensure  => present,
  content => "user_ssh_pubkey=repocloner\n",
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
}
if $::repocloner_sshrsakey {
  @@ssh_authorized_key { $::repocloner_sshrsakey_comment:
    ensure => present,
    key    => $::repocloner_sshrsakey,
    user   => 'repocloner',
    type   => $::repocloner_sshrsakey_type,
    tag    => [ 'repocloner-ssh-key' ],
  }
}
If the client node's name is used in the name (comment) of the
user_ssh_pubkey, then exported resources from multiple client
nodes can be generated.
For the target or server node, collect the exported resource:
Ssh_authorized_key <<| tag == 'repocloner-ssh-key' |>>
One could also use user parameter instead of a tag for selecting the
exported resources instead of a tag.
Apache 2.0
Wil Cooley <wcooley(at)nakedape.cc>
Please log tickets and issues at our Github issues.