Defined Type: pubkey::ssh

Defined in:
manifests/ssh.pp

Summary

Generate ssh key pair and exports public ssh key

Overview

Exports public ssh key to Puppetserver

Examples:

pubkey::ssh { 'john_rsa': }
pubkey::ssh { 'johndoe':
  type    => 'ed25519',
  comment => 'johndoe_ed25519',
  tags    => ['users'],
}
pubkey::ssh { 'bob_ed25519':
  user        => 'bob', # auto-detected from title
  target_user => 'deploy', # user account under which authorized key will be stored
  tags        => ['users'],
}

Parameters:

  • generate (Boolean) (defaults to: true)

    Whether missing key should be generated

  • user (Optional[String[1]]) (defaults to: undef)

    account name where ssh key is (optionally) generated and public key stored into exported resource

  • target_user (Optional[String[1]]) (defaults to: undef)

    account name under which we will store the authorized key (by default same as ‘user`)

  • type (Optional[Pubkey::Type]) (defaults to: undef)

    ssh key type one of: ‘dsa’, ‘rsa’, ‘ecdsa’, ‘ed25519’, ‘ecdsa-sk’, ‘ed25519-sk’

  • home (Optional[Stdlib::UnixPath]) (defaults to: undef)

    user’s home directory, assuming .ssh is located in $HOME/.ssh

  • prefix (Optional[String[1]]) (defaults to: undef)

    custom key file prefix for the ssh key file (default: ‘id’)

  • comment (Optional[String[1]]) (defaults to: undef)

    ssh key’s comment

  • size (Optional[Integer]) (defaults to: undef)

    number of bits for generated ssh key

  • tags (Optional[Array[String]]) (defaults to: undef)

    optional tags added to the exported key

  • export_key (Boolean) (defaults to: true)

    whether export the generated key (default: true)

  • path (Stdlib::AbsolutePath) (defaults to: $facts['path'])

    standard unix path to look for ssh-keygen

  • hostname (String) (defaults to: $facts['networking']['fqdn'])

    that will be part of exported resource

  • separator (String[1]) (defaults to: '_')

    A character for user and type auto-detection (default: ‘_’)



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
 
# File 'manifests/ssh.pp', line 35

define pubkey::ssh (
  Boolean                    $generate = true,
  Optional[String[1]]        $user = undef,
  Optional[String[1]]        $target_user = undef,
  Optional[Pubkey::Type]     $type = undef,
  Stdlib::AbsolutePath       $path = $facts['path'],
  Optional[Stdlib::UnixPath] $home = undef,
  Optional[String[1]]        $prefix = undef,
  Optional[String[1]]        $comment = undef,
  Optional[Integer]          $size = undef,
  String                     $hostname = $facts['networking']['fqdn'],
  Optional[Array[String]]    $tags = undef,
  Boolean                    $export_key = true,
  String[1]                  $separator = '_',
) {
  # try to auto-detect username and key type
  if empty($type) or empty($user) {
    $array = split($title, $separator)
  }

  $_type = $type ? {
    undef   => size($array) > 1 ? {
      true => $array[1],
      false => fail('unable to determine type')
    },
    default => $type
  }

  $_user = $user ? {
    undef   => size($array) >= 1 ? {
      true => $array[0],
      false => fail('unable to determine user')
    },
    default => $user
  }

  $_target_user = $target_user ? {
    undef   => $_user,
    default => $target_user,
  }

  $_home = $home ? {
    undef   => $_user ? {
      'root'  => '/root',
      default => "/home/${_user}",
    },
    default => $home,
  }

  $_comment = $comment ? {
    undef   => shellquote($title),
    default => shellquote($comment)
  }

  $_prefix = $prefix ? {
    undef   => 'id',
    default => $prefix,
  }

  # convert e.g. ecdsa-sk to ecdsa_sk
  $key_file = regsubst($_type, '\-','_',)

  $privkey_path = "${_home}/.ssh/${_prefix}_${key_file}"
  $pubkey_path = "${_home}/.ssh/${_prefix}_${key_file}.pub"

  if $generate {
    pubkey::keygen { "keygen-${title}":
      user         => $_user,
      type         => $_type,
      path         => $path,
      privkey_path => $privkey_path,
      comment      => $_comment,
      size         => $size,
    }
  }

  if $export_key {
    include pubkey
    # Hardcoded, needs to be the same in facter code
    $cache_dir = '/var/cache/pubkey'

    file_line { "${_user}:${pubkey_path}":
      path    => "${cache_dir}/exported_keys",
      line    => "${_user}:${pubkey_path}",
      require => [File[$cache_dir], Class['Pubkey']],
    }

    # Load ssh public key for given local user
    # NOTE: we can't access remote disk from a compile server
    # and exported resources doesn't support Deferred objects
    if 'pubkey' in $facts and $_user in $facts['pubkey'] {
      $_key = $facts['pubkey'][$_user]
      if 'type' in $_key and 'key' in $_key {
        if !empty($_key['type']) and !empty($_key['key']) {
          @@ssh_authorized_key { "${title}@${hostname}":
            ensure => present,
            user   => $_target_user,
            type   => $_key['type'],
            key    => $_key['key'],
            tag    => $tags,
          }
        } else {
          warning("ssh_authorized_key type can't be empty: ${_key}")
        }
      }
    }
  }
}