https://www.puppet.com/community logo
Join Slack
Powered by
# voxpupuli
  • v
    you can also consider switching to a CA-based authentication or LDAP (though I'm hesitant to recommend LDAP)
  • v
    can't say I have experience with those in production, but if you're doing very custom things, perhaps you need to go all in
  • v
    was about to ask, what actually is your setup
  • v
    ewoud: yeah, i know
  • v
    i'm not sure you want to know :p
  • v
    there's LDAP involved, writing to /var/lib/misc/userkeys
  • v
    but that's besides the point
  • v
    this is solely puppet-managed keys, pretty straightforward stuff
  • v
    the twist is we don't want users to be able to modify their own keys
  • v
    so we write them in a centralized directory, /etc/ssh/puppetkeys, controlled by root
  • v
    i'm still not exactly clear on what autorequire gives me
  • v
    how are they then able to write to it?
  • v
    i will still need a require_resource thing
  • v
    they are not
  • v
    puppet writes to it
  • v
    I think the point is they have to update it in puppet
  • v
    yes
  • v
    I assume this is for service accounts mostly
  • v
    in fact, in this case, puppet both generates and writes those keys
  • v
    yes
  • v
    so what's your issue?
  • v
    (although, why not just stuff those in ldap?)
  • v
    the issue is that ssh_authorized_key makes this extremely hard
  • v
    Lumiere: because that requires manual changes
  • v
    puppet doesn't write to ldap
  • v
    the issue is that ssh_authorized_keys hardcode a 0600 mode
  • v
    which is "writable by the user", which is not what we want
  • v
    so puppet is building the keys too?
  • v
    yes
  • v
    isn't the owner the problem then?
1...625626627...648Latest