I'm new to Puppet (open source version) and have a relatively straightforward question.

When I bring up a new host, I'd like the puppetmaster to add the new host's public rsa key to /etc/ssh/ssh_known_hosts, and so the updated ssh_known_hosts file will be available to be pulled down by puppet agents.

I've tried the sshkey resource:

# /etc/puppet/modules/ssh/manifests/client.pp

sshkey { $hostname:
    ensure => present,
    type   => "rsa",
    key    => $sshrsakey,
}

However, ssh_known_hosts does not appear to be modified on the puppetmaster, or agent for that matter. My manifest passes syntax validation when I run puppet parser validate client.pp and running puppet agent --test on the agent does not report any issues.

Do I have to have Stored Configs set up in order to use the sshkey resource? I like the features of Stored Configs, but it seems like overkill for what I need and seems to add lots of overhead. My other option is to spit the $sshrsakey fact to a file, but it will need to check for the existence of the public key so it doesn't get added more than once.

Banjer
  • If you're not using PuppetDB (the next generation of Storeconfigs), you might want to look at that. http://puppetlabs.com/blog/introducing-puppetdb-put-your-data-to-work The API given in the above answer doesn't change, but you'll get a performance gain. Note that this requires Puppet 2.7.12 or higher. – stahnma May 22 '12 at 17:23
  • Wow that was literally released the other day. Thanks for the tip, I'm sure I'll be making use of puppetdb. – Banjer May 22 '12 at 20:25

1 Answer

Yes, you need to have stored configs enabled.

On each host, you'll want to collect the keys into the stored configs database (note the @@):

@@sshkey { $hostname:
    ensure => present,
    type   => "rsa",
    key    => $sshrsakey,
}

Then, you'll want to write them to the file on each host as well.

Sshkey <<| |>>

Jeff Ferland
  • Thanks Jeff. Can I have other host entries in ssh_known_hosts that are not managed by Puppet? I'm just wondering how Puppet manages this file and if it gets overwritten with nothing but Puppet agent keys. I'm sure I can answer it myself once I do some testing with PuppetDB here shortly, but that may be a few days before I get into it. – Banjer May 22 '12 at 20:30
  • @Banjer see http://docs.puppetlabs.com/references/stable/type.html#sshkey. Further, it only edits the file to add or remove (`ensure => absent`) the related line. It will not clobber the file by default, so you should be able to add any other keys you wish outside of Puppet if you desire. – Jeff Ferland May 22 '12 at 21:01
  • It clobbered my file. (*restoring from backup*) – ewwhite Mar 31 '14 at 03:45
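The export-and-collect pattern from the accepted answer, written out as one complete class (an added example, not code from the answer or from the Puppet project). It goes a step further than the answer by titling each entry with the FQDN and adding host_aliases, so an SSH client connecting by short name or by IP address still matches the pinned key, and by filtering the collector on a tag. The class name ssh::known_hosts and the tag value are assumptions; $::fqdn, $::hostname, $::ipaddress and $::sshrsakey are standard Facter facts, and storeconfigs or PuppetDB must be enabled.

```puppet
# Added example (not from the answer): exports this node's RSA host key to
# the stored-config database and collects every node's exported keys into
# /etc/ssh/ssh_known_hosts on this node. Class name is hypothetical.
class ssh::known_hosts {

  # Export this node's key. The title is the FQDN; host_aliases adds the
  # short name and address so "ssh host", "ssh host.example.com" and
  # "ssh <ip>" all resolve to the same pinned key instead of prompting
  # the user to trust an unknown key on first use.
  @@sshkey { $::fqdn:
    ensure       => present,
    host_aliases => [ $::hostname, $::ipaddress ],
    type         => 'rsa',
    key          => $::sshrsakey,
    tag          => 'ssh_known_hosts',   # assumed tag value
  }

  # Collect the keys exported by every node that applied this class.
  # Filtering on the tag keeps unrelated sshkey exports out of the file.
  Sshkey <<| tag == 'ssh_known_hosts' |>>

  # The sshkey type adds or removes only the lines it manages and leaves
  # hand-added entries alone. To enforce that the file contains nothing
  # but Puppet-managed keys, declare the purge below; keep it commented
  # out if operators add entries outside Puppet.
  # resources { 'sshkey': purge => true }
}
```

Include the class on every node that should both publish its key and receive the others; a node that has not yet run the agent once will not appear in the file until its export has been stored.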