RE: private keys

Generally, with SSH keys you want to generate them where the private key is used. I would use a bash resource (assuming the node is Linux/Unix, of course) to call ssh-keygen. Have it put the private key into the correct place.

You can then copy the public key into an attribute on the node, and use that attribute in turn on the destination nodes.

Of course you can also use scp to copy the public key where it is needed, but that would mean more shell scripting and less chef.

Kevin Keane

The NetTech

http://www.4nettech.com

Our values: Privacy, Liberty, Justice

See https://www.4nettech.com/corp/the-nettech-values.html

-----Original message-----
From: K. Adam Wolfe <kadamwolfe@gmail.com>
Sent: Wednesday 2nd September 2015 8:46
To: chef@lists.opscode.com
Subject: [chef] private keys

Hello, all.

What is the opscode-recommended method for managing ssh keys - private
keys in particular?

My aim is to create the rsa keypairs on source nodes, then have the pub
key added to another user’s authorized_keys on destination nodes;
preferably in databags / encrypted. Ideally having unique keypairs for
each source node.
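An added example, not code from this thread, from the users cookbook or from Chef itself: a plain-Ruby stand-in for the recipe Kevin describes above. The source node generates its own RSA pair and keeps the private half on disk with owner-only permissions; only the OpenSSH-format public key leaves the node (returned here in a hash that plays the role of the node attribute); the destination turns the collected public keys into authorized_keys entries pinned to the source address and limited to one command, and parses a received key back into an OpenSSL object to confirm it matches. The bash/ssh-keygen resource is replaced by OpenSSL from Ruby's standard library so the script runs offline; the node names, address, key comment, attribute name and command path are constructed sample values.

```ruby
# Added example: plain-Ruby model of "generate where the private key lives,
# export only the public key". Not from the thread, the users cookbook or Chef.
require 'openssl'
require 'base64'
require 'fileutils'
require 'tmpdir'

# RFC 4251 "string" and "mpint" encodings used inside the ssh-rsa key blob.
def ssh_string(bytes)
  [bytes.bytesize].pack('N') + bytes
end

def ssh_mpint(bn)
  bytes = bn.to_s(2)                                   # big-endian magnitude
  bytes = "\x00".b + bytes if bytes.getbyte(0) >= 0x80 # keep it non-negative
  ssh_string(bytes)
end

# One-line OpenSSH public key ("ssh-rsa <base64> comment"). The comment is
# checked because a newline in it would smuggle a second authorized_keys entry.
def openssh_public_key(rsa, comment)
  raise ArgumentError, 'comment must not contain whitespace' if comment =~ /\s/
  blob = ssh_string('ssh-rsa'.b) + ssh_mpint(rsa.e) + ssh_mpint(rsa.n)
  "ssh-rsa #{Base64.strict_encode64(blob)} #{comment}"
end

# Source node: generate the pair locally, keep the private key 0600 inside a
# 0700 directory, and hand back only the public key for export. The hash key
# 'ssh_public_key' is an assumed attribute name, not one Chef defines.
def generate_node_keypair(ssh_dir, comment, bits: 2048)
  rsa = OpenSSL::PKey::RSA.generate(bits)
  FileUtils.mkdir_p(ssh_dir, mode: 0o700)
  priv_path = File.join(ssh_dir, 'id_rsa')
  File.open(priv_path, 'w', 0o600) { |f| f.write(rsa.to_pem) }
  File.chmod(0o600, priv_path) # the umask may have widened the create mode
  { 'ssh_public_key' => openssh_public_key(rsa, comment), 'private_key_path' => priv_path }
end

# Destination node: one authorized_keys line per source node, pinned to the
# source address and stripped of everything except the intended command.
def authorized_keys_line(public_key, from:, command: nil)
  opts = ["from=\"#{from}\"", 'no-port-forwarding', 'no-agent-forwarding',
          'no-X11-forwarding', 'no-pty']
  opts.unshift("command=\"#{command}\"") if command
  "#{opts.join(',')} #{public_key}"
end

# source_nodes stands in for the attribute data the destination would collect
# (constructed hashes here, not a Chef search result).
def render_authorized_keys(source_nodes, command: nil)
  lines = source_nodes.map do |n|
    authorized_keys_line(n['ssh_public_key'], from: n['ipaddress'], command: command)
  end
  lines.join("\n") + "\n"
end

# Parse a one-line OpenSSH RSA public key back into an OpenSSL key by wrapping
# (n, e) in a SubjectPublicKeyInfo structure. Rejects other key types.
def parse_openssh_public_key(line)
  type, b64, _comment = line.split(' ', 3)
  raise ArgumentError, "unsupported key type #{type.inspect}" unless type == 'ssh-rsa'
  blob = Base64.strict_decode64(b64)
  fields = []
  until blob.empty?
    len = blob.byteslice(0, 4)&.unpack1('N')
    raise ArgumentError, 'malformed ssh-rsa blob' if len.nil? || 4 + len > blob.bytesize
    fields << blob.byteslice(4, len)
    blob = blob.byteslice(4 + len, blob.bytesize)
  end
  raise ArgumentError, 'malformed ssh-rsa blob' unless fields.size == 3 && fields[0] == 'ssh-rsa'
  e = OpenSSL::BN.new(fields[1], 2)
  n = OpenSSL::BN.new(fields[2], 2)
  spki = OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('rsaEncryption'), OpenSSL::ASN1::Null(nil)]),
    OpenSSL::ASN1::BitString(
      OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der
    )
  ])
  OpenSSL::PKey::RSA.new(spki.to_der)
end

# End to end: the source generates, the destination renders, and a signature
# made with the on-disk private key verifies under the exported public key.
def demo(root)
  src = generate_node_keypair(File.join(root, 'web01', '.ssh'), 'deploy@web01')
  source_nodes = [{ 'fqdn' => 'web01.example.test', 'ipaddress' => '10.0.0.11' }.merge(src)]
  content = render_authorized_keys(source_nodes, command: '/usr/local/bin/rsync-only')
  priv = OpenSSL::PKey::RSA.new(File.read(src['private_key_path']))
  pub = parse_openssh_public_key(src['ssh_public_key'])
  sig = priv.sign(OpenSSL::Digest.new('SHA256'), 'challenge')
  { content: content,
    key_matches: pub.to_der == priv.public_key.to_der,
    sig_ok: pub.verify(OpenSSL::Digest.new('SHA256'), sig, 'challenge'),
    private_mode: File.stat(src['private_key_path']).mode & 0o777 }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir { |dir| puts demo(dir)[:content] }
end
```

Running it prints the rendered authorized_keys content. The `from=` and `command=` options are the part not to skip: a per-node key with no restrictions is a full shell on the destination the moment the source node is compromised. `render_authorized_keys` produces the whole file, so any other entries that must coexist should be fed through the same function rather than appended by hand.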

Strange. I see the 'users' and 'ssh-keys' cookbooks out there, but they
only seem to deal with authorized_keys file and pub keys, not managing
the private keys which is where I'm getting stuck.

I thought creating a template from a databag with the priv key in it
would suffice, but I'm having issues populating a file's content with
the item in the databag. My assumption is I am going about this in a
completely wrong way.

On 09/02/2015 11:31 AM, Kevin Keane Subscription wrote:

RE: [chef] private keys

Generally, with SSH keys you want to generate them where the private
key is used. I would use a bash resource (assuming the node is
Linux/Unix, of course) to call ssh-keygen. Have it put the private key
into the correct place.

You can then copy the public key into an attribute on the node, and
use that attribute in turn on the destination nodes.

Of course you can also use scp to copy the public key where it is
needed, but that would mean more shell scripting and less chef.

I don't know if it's a great idea to put private keys in data bags, even
encrypted data bags, but if it fits your use case, the users cookbook
definitely supports private keys, it's just not documented for whatever
reason.
https://github.com/opscode-cookbooks/users/blob/master/providers/manage.rb#L131-L141

On Wed, Sep 2, 2015 at 12:54 PM, K. Adam Wolfe <kadamwolfe@gmail.com> wrote:

Strange. I see the 'users' and 'ssh-keys' cookbooks out there, but they
only seem to deal with authorized_keys file and pub keys, not managing the
private keys which is where I'm getting stuck.

I thought creating a template from a databag with the priv key in it would
suffice, but I'm having issues populating a file's content with the item in
the databag. My assumption is I am going about this in a completely wrong
way.

That is exactly what I was looking for. Many thanks.

On 09/02/2015 12:27 PM, Fabien Delpierre wrote:

I don't know if it's a great idea to put private keys in data bags,
even encrypted data bags, but if it fits your use case, the users
cookbook definitely supports private keys, it's just not documented
for whatever reason.
https://github.com/opscode-cookbooks/users/blob/master/providers/manage.rb#L131-L141

The “users” cookbook doesn’t support private SSH keys well. It stores them in unencrypted data bags and has no leverage for activating keys without setting all characteristics for that account. Coupled with its insistence on creating and overriding $HOME/.ssh ownership, it’s quite unsuitable for many locked-down environments where users should not have write access to their authorized_keys. That especially includes public keys for git or svn+ssh access.

Nico Kadel-Garcia
Email: nkadel@gmail.com
Sent from iPhone

On Sep 2, 2015, at 13:28, “Fabien Delpierre” <fabien.delpierre@gmail.com> wrote:

I don’t know if it’s a great idea to put private keys in data bags, even encrypted data bags, but if it fits your use case, the users cookbook definitely supports private keys, it’s just not documented for whatever reason.
https://github.com/opscode-cookbooks/users/blob/master/providers/manage.rb#L131-L141
