Ssh – Install single SSH key multiple times on single machine via puppet

Tags: puppet, ssh

I want to have one place where I have defined the SSH keys for my users. These users can be in different (multiple) roles on a single server. So I defined ssh_authorized_key as virtual and then wanted to realize them in different roles. Example:

@ssh_authorized_key {
    "user_a":
        tag     => ['deployer', 'developer', 'root'],
        key     => "xxx",
        type    => "ssh-dss",
        ensure  => present;
    "user_b":
        tag     => ['deployer', 'root'],
        key     => "yyy",
        type    => "ssh-dss",
        ensure  => present;
    "user_c":
        tag     => ['root', 'deployer'],
        key     => 'zzz',
        type    => "ssh-rsa",
        ensure  => present;
}

And then realize them for multiple users on single node:

Ssh_authorized_key<| tag == 'root' |> {
    user    => 'root'
}

Ssh_authorized_key<| tag == 'deployer' |> {
    user    => 'deployer'
}

But Puppet will install the certificates only for one user. I think that the main concept of my solution is wrong, but I can't figure out how to install a single certificate for multiple users.

Best Answer

You are correct that the main concept of your solution is wrong, but I think it is wrong far earlier than you suspect. The best practice is to not share accounts; each user should have an individual account and use sudo to perform tasks that require alternate privileges. If you honestly must share one or more accounts, then allow your users to sudo su - ACCOUNT instead of logging in directly as ACCOUNT. For example:

user { 'alice':
    groups => ['developer', 'deployer', 'root'],
    # other params...
}
ssh_authorized_key { 'alice':
    # params
}

Then add appropriate entries in your /etc/sudoers (also hopefully managed by puppet!):

# deployer group can run the deployment script without a password.
%deployer  ALL = NOPASSWD: /usr/local/bin/deploy
# developer group can run commands as 'developer'
%developer ALL = (developer) ALL
# or, if you actually *must* allow them to log in as 'developer'
%developer ALL = /usr/bin/su developer
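As an added example (not code from the question or the answer above), here is a complete manifest that follows the answer's approach: keys are defined once per person, every person gets an individual account, the shared role accounts receive no authorized keys at all, and access to them is granted through a Puppet-managed sudoers drop-in. It assumes Puppet 4+ language syntax (iteration with `each`), a sudoers.d-enabled sudo, and hypothetical names, key strings and the `/usr/local/bin/deploy` path from the answer. Note that each ssh_authorized_key title must be unique in the catalog, which is why the question's single virtual resource could not be realized once per account; here the title is derived from the person's name, so each key is declared exactly once.

```puppet
# Added example, not the original answer's code. Key strings, names and
# roles below are constructed placeholders.
$people = {
  'alice' => { 'key' => 'AAAAB3...alice-placeholder', 'type' => 'ssh-rsa',
               'roles' => ['developer', 'deployer'] },
  'bob'   => { 'key' => 'AAAAB3...bob-placeholder',   'type' => 'ssh-ed25519',
               'roles' => ['deployer'] },
}

# Shared role accounts exist as system users, but nobody logs in as them
# directly: no ssh_authorized_key is ever declared for these accounts.
['deployer', 'developer'].each |String $role| {
  group { $role:
    ensure => present,
  }
  user { $role:
    ensure     => present,
    gid        => $role,
    managehome => true,
    shell      => '/bin/bash',
    require    => Group[$role],
  }
}

# One individual account per person; the person's key is declared exactly
# once, under a title unique to that person.
$people.each |String $name, Hash $p| {
  user { $name:
    ensure     => present,
    managehome => true,
    groups     => $p['roles'],
    shell      => '/bin/bash',
    require    => Group[$p['roles']],
  }
  ssh_authorized_key { "${name}@workstation":
    ensure  => present,
    user    => $name,
    type    => $p['type'],
    key     => $p['key'],
    require => User[$name],
  }
}

# Sudo rules from the answer, as a drop-in owned by Puppet. validate_cmd runs
# visudo against the staged file (Puppet substitutes the temp path for %), so
# a typo cannot leave the host with an unparsable sudoers fragment.
file { '/etc/sudoers.d/roles':
  ensure       => file,
  owner        => 'root',
  group        => 'root',
  mode         => '0440',
  content      => join([
    '# deployer group can run the deployment script without a password.',
    '%deployer  ALL = NOPASSWD: /usr/local/bin/deploy',
    '# developer group can run commands as the developer account.',
    '%developer ALL = (developer) ALL',
    '',
  ], "\n"),
  validate_cmd => '/usr/sbin/visudo -cf %',
}
```

With this layout, removing a person means deleting one hash entry: their account, their key and their group memberships go away together, and the shared role accounts never accumulate keys whose owner has left. The `join` function used for `content` is the one shipped in Puppet's stdlib module (and built in from Puppet 5.5), so the manifest assumes that is available.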