Puppet: Set the User's SSH Key
This is the third in a series of posts I’m making detailing my setting up a Puppet master/slave pair of servers on Linode. If you haven’t seen them yet, go check out my first and second posts about my Puppet servers.
Where I Left Off
At the end of the second post in the series, I had a Linode running Puppet, had Ubuntu Linux installed
on it, and had created a User named mike. I had also set mike’s password so that I could login as mike
on the slave node.
Here’s how the mike user was configured at the end of the last post:
user { "mike":
ensure => present,
gid => 'mike',
groups => [ 'sudo', 'users' ],
shell => '/usr/bin/fish',
home => '/home/mike',
managehome => true,
password => '$1$qH8newGR$4nApEG7NQHqLHYNLIEZlx0',
}
SSH Keys
SSH Keys are a more secure way to login to your servers, and it also doesn’t require you to either remember or type your password every single time.
Creating a Key Pair
Following the article, on my Mac laptop, I created an SSH key for use in this blog post:
mvitale@mavelous ~/.ssh> ssh-keygen -f mike-blog
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mike-blog.
Your public key has been saved in mike-blog.pub.
The key fingerprint is:
02:57:66:95:a7:4d:0a:c1:9d:42:da:ce:4b:b4:a3:dc mvitale@mavelous.local
The key's randomart image is:
+--[ RSA 2048]----+
| o*+.o |
| *+ + o |
| . o oo * |
| o + .o . |
| . S |
| . = o |
| o E |
| |
| |
+-----------------+
Note that if you don’t currently have an SSH key, you can leave off the -f mike-blog part. That just
sets the filename that will be used by the SSH key that it generates. Since I already had a key pair and
I didn’t want to use it for this post, I created another one with a distinct name.
Now, looking at my ~/.ssh directory on my laptop:
mvitale@mavelous ~/.ssh> ls
total 72
-rw------- 1 mvitale staff 225 May 28 2014 authorized_keys2
-rw-r--r-- 1 mvitale staff 38 Feb 20 12:00 config
-rw------- 1 mvitale staff 1675 May 28 2014 id_rsa
-rw------- 1 mvitale staff 404 May 29 2014 id_rsa.pub
-rw-r--r-- 1 mvitale staff 8766 Jun 4 07:16 known_hosts
-rw------- 1 mvitale staff 1675 Jun 8 22:09 mike-blog
-rw-r--r-- 1 mvitale staff 404 Jun 8 22:09 mike-blog.pub
Notice that two files were created: mike-blog and mike-blog.pub. The first is the Private Key, and the
second is the Public Key. (If you need a refresher on what that means, check out the Wikipedia page on
Public-Key Cryptography.) I’m now ready to move on to configuring this inside Puppet.
Enter Puppet
If I were to login to my user on my puppetslave node and check my home directory, I’d find it pretty bare:
mike@puppetslave ~> ls -laF
total 28
drwxr-xr-x 4 mike mike 4096 Jun 4 06:51 ./
drwxr-xr-x 3 root root 4096 Feb 28 13:13 ../
-rw-r--r-- 1 mike mike 220 Feb 28 13:13 .bash_logout
-rw-r--r-- 1 mike mike 3637 Feb 28 13:13 .bashrc
drwx------ 2 mike mike 4096 Jun 4 06:51 .cache/
drwx------ 3 mike mike 4096 Jun 4 06:51 .config/
-rw-r--r-- 1 mike mike 675 Feb 28 13:13 .profile
SSH Keys need to be stored in the ~/.ssh/authorized_keys2 file. That file needs to have 600 permissions,
and the ~/.ssh directory must have 700 permissions. Anything else, and your SSH Keys won’t work.
In order to accomplish this, I added the following to my /etc/manifest/site.pp file on my Puppet master node:
file { "/home/mike/.ssh":
ensure => 'directory',
owner => 'mike',
group => 'mike',
mode => '0700',
}
file { "/home/mike/.ssh/authorized_keys2":
ensure => 'present',
owner => 'mike',
group => 'mike',
mode => '0600',
content => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYYZ4Rr0RwagRxoc0IINCW+rN7WW/SdkVUUmYnPSWtA/GevM+Z4qizPRiJ4Lb/KTjQQ8Qu0eqlYRU6vAv+O5ewANzZC0Hl9tuclM0Hkzyh/BkiQQvmC9yEgwjJjPhX61tDryW7InHhqNgGP+OqjiJKSUB8sIQ+X82j2opa2ktt5ct9TomDEBvRTz0E4HjIbl0JDuRa+QlGbCGRiA4H+wkk7r7GUqp1fyVlyrH44Qs0k10KzntUj7vnXOI/FFKq65iwK/YbRWeG127neHCVdR0CxmkdNx7Cba+RGA0KfG0LDBBCoGCzST6lgZEbCHhy5CGxrjusUMBOMMiVrYOCHecR mvitale@mavelous.local',
}
Then, as last time, I ran Puppet manually on the slave node so that the configuration I just set in site.pp
would be applied:
[root@puppetslave ~]$ puppet agent --test
Info: Retrieving plugin
Info: Caching catalog for puppetslave.mavelo.us
Info: Applying configuration version '1433820752'
Notice: /Stage[main]/Main/Node[default]/File[/home/mike/.ssh]/ensure: created
Notice: /Stage[main]/Main/Node[default]/File[/home/mike/.ssh/authorized_keys2]/ensure: created
Notice: Finished catalog run in 0.10 seconds
No Password Required
After that, it was simply a matter of issuing an ssh command from my Mac laptop (and making sure to point
it to use the correct SSH key on the laptop) and I was able to login, no password required.
mvitale@mavelous ~/.ssh> ssh -i mike-blog mike@puppetslave.mavelo.us
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 4.0.4-x86_64-linode57 x86_64)
* Documentation: https://help.ubuntu.com/
63 packages can be updated.
24 updates are security updates.
Last login: Mon Jun 8 22:33:24 2015 from 64.197.174.144
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
mike@puppetslave ~>
Conclusion
This is about what I wanted to accomplish with my user on my Puppet slave node. There’s still much to explore. I’m not sure where I’m going next with this, as I have much to learn and many different directions I could head in. Watch this space, and please leave comments below!