Puppet Class: openssh::keys

Defined in:
manifests/keys.pp

Summary

Set up the authorized_keys file for the root account

Overview

Set up the authorized_keys file for the root account

Examples:

include openssh::keys

Parameters:

  • sshkey_user (String) (defaults to: $openssh::sshkey_user)

    The user account in which the SSH key should be installed. The resource will autorequire this user if it is being managed as a user resource.

  • authorized (Optional[Array[Openssh::SshKey]]) (defaults to: undef)

    If provided, this is the exact list of SSH public keys to be added to the root user account. All other settings will be ignored except sshkey_dir.

  • sshkey (Optional[Stdlib::Base64]) (defaults to: undef)

    The public key itself; generally a long string of hex characters. The key attribute may not contain whitespace.

    Make sure to omit the following in this attribute (and specify them in other attributes):

    • Key headers, such as ‘ssh-rsa’ — put these in the type attribute.

    • Key identifiers / comments, such as ‘joe@joescomputer.local’ — put these in the name attribute/resource title.

  • sshkey_name (Optional[String]) (defaults to: $openssh::sshkey_name)

    The SSH key comment. This can be anything, and doesn’t need to match the original comment from the .pub file.

    Due to internal limitations, this must be unique across all user accounts; if you want to specify one key for multiple users, you must use a different comment for each instance.

  • sshkey_type (Openssh::KeyType) (defaults to: $openssh::sshkey_type)

    The encryption type used. Allowed values:

    ssh-dss
    ssh-rsa
    ecdsa-sha2-nistp256
    ecdsa-sha2-nistp384
    ecdsa-sha2-nistp521
    ssh-ed25519
    dsa
    ed25519
    rsa
    
  • sshkey_target (Stdlib::Unixpath) (defaults to: $openssh::sshkey_target)

    The absolute filename in which to store the SSH key. This property is optional and should be used only in cases where keys are stored in a non-standard location, for instance when not in ~user/.ssh/authorized_keys.

  • sshkey_options (Array[String]) (defaults to: $openssh::sshkey_options)

    Key options; see sshd(8) for possible values. Multiple values should be specified as an array.

  • export_tags_extra (Array[String]) (defaults to: [])

    The list of additional tags, in addition to `sshkey_export_tag`, if you need to provide more than one tag.

  • custom_ssh_keys (Optional[Array[Openssh::SshKey]]) (defaults to: $authorized)
  • sshkey_ensure (Enum['present', 'absent']) (defaults to: present)
  • sshkey_propagate (Boolean) (defaults to: false)
  • sshkey_group (Optional[String]) (defaults to: $openssh::sshkey_group)
  • sshkey_dir (Stdlib::Unixpath) (defaults to: $openssh::sshkey_dir)
  • sshkey_export_tag (String) (defaults to: 'sshkey')
  • sshkey_export (Boolean) (defaults to: true)


# File 'manifests/keys.pp', line 62

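class openssh::keys (
  Optional[Array[Openssh::SshKey]] $authorized = undef,
  Optional[Array[Openssh::SshKey]] $custom_ssh_keys = $authorized,
  Optional[Stdlib::Base64] $sshkey = undef,
  Enum['present', 'absent'] $sshkey_ensure = present,
  Boolean $sshkey_propagate = false,
  Optional[String] $sshkey_group = $openssh::sshkey_group,
  String $sshkey_user = $openssh::sshkey_user,
  Openssh::KeyType $sshkey_type = $openssh::sshkey_type,
  Optional[String] $sshkey_name = $openssh::sshkey_name,
  Stdlib::Unixpath $sshkey_dir = $openssh::sshkey_dir,
  Stdlib::Unixpath $sshkey_target = $openssh::sshkey_target,
  Array[String] $sshkey_options = $openssh::sshkey_options,
  String $sshkey_export_tag = 'sshkey',
  Array[String] $export_tags_extra = [],
  Boolean $sshkey_export = true,
) {
  # Host identity used to name and alias the exported known_hosts entry below.
  $fqdn = $facts['networking']['fqdn']

  # Group owning the key directory and file: the explicit group when one is
  # given, otherwise a group named after the key user.
  $key_owner_group = $sshkey_group ? {
    String  => $sshkey_group,
    default => $sshkey_user,
  }

  # The key directory is owner-only; sshd with StrictModes (its default)
  # ignores keys that live in a directory writable by others.
  file { $sshkey_dir:
    ensure => directory,
    owner  => $sshkey_user,
    group  => $key_owner_group,
    mode   => '0700',
  }

  # Branch 1: an explicit key list replaces the whole authorized_keys file.
  # NOTE: only undef and false are falsy in Puppet, so `custom_ssh_keys => []`
  # still takes this branch and writes a file with no keys in it; only an
  # unset value falls through to the single-key branch below.
  if $custom_ssh_keys {
    # Owner, group and mode are pinned to match the directory. Without them
    # a newly created file takes its permissions from the agent's umask and
    # is owned by the agent's user, so the file could end up unreadable by
    # $sshkey_user or group/world-writable (which StrictModes rejects).
    file { "${sshkey_dir}/authorized_keys":
      ensure  => file,
      owner   => $sshkey_user,
      group   => $key_owner_group,
      mode    => '0600',
      content => template('openssh/authorized_keys.erb'),
      require => File[$sshkey_dir],
    }

    # Export this host's public host keys (one per key type reported by the
    # `ssh` fact) so other nodes can collect them into root's known_hosts.
    # The target path is fixed to /root regardless of $sshkey_user.
    if $facts['ssh'] and $sshkey_export {
      $facts['ssh'].each |$key_type, $key_info| {
        if $key_info {
          @@sshkey { "${fqdn}_root_known_hosts_${key_type}":
            host_aliases => [$facts['networking']['hostname'], $fqdn, $facts['networking']['ip']],
            key          => $key_info['key'],
            target       => '/root/.ssh/known_hosts',
            type         => $key_info['type'],
            tag          => [$sshkey_export_tag] + $export_tags_extra,
          }
        }
      }
    }
  }
  # Branch 2: a single key, managed (and optionally exported) by the
  # openssh::auth_key defined type. Nothing is managed when neither a key
  # list nor a key name is given.
  elsif $sshkey_name {
    openssh::auth_key { $sshkey_name:
      sshkey_ensure     => $sshkey_ensure,
      sshkey_user       => $sshkey_user,
      sshkey_type       => $sshkey_type,
      sshkey_target     => $sshkey_target,
      sshkey_options    => $sshkey_options,
      sshkey_propagate  => $sshkey_propagate,
      sshkey            => $sshkey,
      sshkey_export     => $sshkey_export,
      sshkey_export_tag => $sshkey_export_tag,
      export_tags_extra => $export_tags_extra,
      require           => File[$sshkey_dir],
    }
  }
}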