Linux – generating ssh-keys for a non root user with salt

linuxsaltstackssh-keys

I need to generate ssh-keys(public/private pair) for a user say helen. This user is already in all my salt minions. How do I generate ssh keys for this user from my salt master?

For root user I generated the keys using this command and it worked fine:

salt '*application-server-*' cmd.run "ssh-keygen -q -N '' -f /root/.ssh/id_rsa"

I can issue the following command which can generate ssh-keys for helen; but the permissions and ownerships will be different; so need to issue commands again to correct permissions and ownerships:

salt '*application-server-*' cmd.run "ssh-keygen -q -N '' -f /home/helen/.ssh/id_rsa"

Is there any way in salt to run this command as user helen instead of root?

In general, is there a way in salt to run a command as a non root user?

Best Answer

Using the `salt` command

salt '*application-server-*' cmd.run \
    "ssh-keygen -q -N '' -f /home/helen/.ssh/id_rsa" \
    runas=helen

http://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.run

Using a state

You can specify the user when using the cmd state by setting the runas to the user name to run the command as:

generate_ssh_key_helen:
  cmd.run:
    - name: ssh-keygen -q -N '' -f /home/helen/.ssh/id_rsa
    - runas: helen
    - unless: test -f /home/helen/.ssh/id_rsa

http://docs.saltstack.com/en/latest/ref/states/all/salt.states.cmd.html#salt.states.cmd.run

Related Solutions

Linux – ssh-keygen works for root only

Check permissions on the remote system:

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys

There is a tool that could be installed in your dist (ubuntu/debian has it) called: ssh-copy-id which will do this for you:

$ ssh-copy-id <remote>

If that doesn't work try ssh with option "-v" to see more verbose messages.

Long version:

#From client to server
client$ scp ~/.ssh/id_rsa.pub remote_server.org:

# next, setup the public key on server
server$ mkdir ~/.ssh
server$ chmod 700 ~/.ssh
server$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
server$ chmod 600 ~/.ssh/authorized_keys
server$ rm ~/id_rsa.pub

How to use Salt Stack with minions all behind NAT (not publicly accessible, default salt ports not open)

The answer is "it just works." There is no need to change the configuration files (of either master or minion). There is no need to worry about NAT or firewalls for the minions.

However, on the master, two ports need to be opened on the firewall. I accomplished this with:

iptables -A INPUT -m state --state new -m tcp -p tcp --dport 4505 -j ACCEPT
iptables -A INPUT -m state --state new -m tcp -p tcp --dport 4506 -j ACCEPT

On the minions, add an entry to /etc/hosts pointing the name "salt" to the master's IP address. Example:

root@minion2:~# cat /etc/hosts
127.0.0.1       localhost.localdomain   localhost
111.222.333.444  salt salt.example.com

Really, it is very simple.