Manage Keys with Puppet for puppet-vcsrepo
I'm setting up some server configuration in my company, and we have some internal repositories that run over ssh through bzr that I need to get. I wanted to use puppet-vcsrepo to pull these in, and I saw that it has a way we can use a keyfile to get what we want. What is the best way to go about this?

I'm probably going to make a user account for each of us, but do I have to put my private key into puppet as a file and then transfer it over? How do I manage keys inside of puppet so I can check out repositories over ssh without using a username and password?

Here is a link to the information: https://github.com/puppetlabs/puppetlabs-vcsrepo/blob/master/README.BZR.markdown

It says to manage keys with puppet, but I couldn't exactly find what I need to know in order to manage the keys correctly.

Cons answered 8/8, 2012 at 5:53 Comment(2)
I don't know the answer but I can tell you one thing: private keys are not meant to be copied across PCs, ever. Any solution that proposes copying private keys stinks. Quirinal
That's the ONLY and best solution I could find to solve my problem. I have to copy the key into root's home directory. Cons

Don't know much about BZR... will answer as if it were a git/github based question.

  • If you are github based, use deploy keys (read-only access, easily revokable) and not a developer key.
  • You can manage the key by copying it into ~/.ssh and configuring ssh to use it?


file { '/user/home/.ssh/id_rsa-github-mycompany':
  ensure => file,
  owner  => 'user',   # the account that will perform the checkout
  mode   => '0600',   # private key: owner-only, otherwise ssh ignores it as "too open"
  ...                 # key material (source/content)
}

vcsrepo { '/path/to/repo':
  ...
  # require the key file declared above (File['/user/home/.ssh'] is not declared here)
  require => File['/user/home/.ssh/id_rsa-github-mycompany'],
}

You may also need to tweak .ssh/config to use this identity file, and modify the host name of the git repository accordingly:


Host github-mycompany-project
  HostName github.com
  User git
  PreferredAuthentications publickey
  IdentityFile ~/.ssh/id_rsa-github-mycompany
  IdentitiesOnly yes

Another option: use an exec and the git_ssh_wrapper gem instead of vcsrepo?

Exponent answered 26/12, 2013 at 7:19 Comment(3)
Is there read-only access for ssh? I guess I can create a git user and change their shell? Cons
You can keep your dev key (I don't know the role of your server; if it's a CI, it probably has this kind of access rights). For Bazaar read-only access I found this: doc.bazaar.canonical.com/latest/en/admin-guide/security.html ? Exponent
I'll think of another way to do this. In the meantime, thanks for your help. Cons
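The answer above sketches the three pieces (a key file with tight permissions, an ssh_config Host alias, and a vcsrepo that depends on them) but leaves most of it as "...". Here is a complete manifest that puts them together, written as an added example for this page and not taken from the answer or from puppetlabs-vcsrepo's own docs. It follows the answer's git/GitHub framing and uses a dedicated read-only deploy key for a single service account, so the developer key the comments object to copying never leaves the developer's machine. Everything named is an assumption: the user `deploy`, a Puppet module `mycompany` that serves the private key from its files/ directory, the repository `mycompany/project` on branch `main`, and the GitHub host-key placeholder (which must be replaced with the ssh-ed25519 key GitHub publishes for github.com). The `user`, `revision` and `provider` parameters are real vcsrepo parameters; `sshkey`, `file` and `user` are core Puppet types.

```puppet
# Added example (not the original answer's code). Assumed names: user 'deploy',
# module 'mycompany' serving the key, repo mycompany/project, branch 'main'.
$deploy_user = 'deploy'
$deploy_home = "/home/${deploy_user}"
$ssh_dir     = "${deploy_home}/.ssh"
$key_file    = "${ssh_dir}/id_ed25519-github-mycompany"

# One unprivileged account per purpose; the checkout never runs as root.
user { $deploy_user:
  ensure     => present,
  home       => $deploy_home,
  managehome => true,
  shell      => '/bin/bash',
}

file { $ssh_dir:
  ensure  => directory,
  owner   => $deploy_user,
  group   => $deploy_user,
  mode    => '0700',
  require => User[$deploy_user],
}

# The deploy key (read-only on the GitHub side, generated only for this server).
# mode 0600 is mandatory: ssh silently ignores a key that others can read.
# show_diff => false keeps the key material out of Puppet reports and logs.
file { $key_file:
  ensure    => file,
  owner     => $deploy_user,
  group     => $deploy_user,
  mode      => '0600',
  source    => 'puppet:///modules/mycompany/id_ed25519-github-mycompany',  # assumed path
  show_diff => false,
  require   => File[$ssh_dir],
}

# Host alias: IdentitiesOnly stops ssh from offering every key in the agent
# or ~/.ssh, and lets each repo carry its own deploy key against the same host.
file { "${ssh_dir}/config":
  ensure  => file,
  owner   => $deploy_user,
  group   => $deploy_user,
  mode    => '0600',
  content => "Host github-mycompany-project
  HostName github.com
  User git
  PreferredAuthentications publickey
  IdentityFile ${key_file}
  IdentitiesOnly yes
",
  require => File[$ssh_dir],
}

# Pin the server host key so the first clone is not trust-on-first-use.
# The file resource owns permissions; sshkey manages the entry inside it.
file { "${ssh_dir}/known_hosts":
  ensure  => file,
  owner   => $deploy_user,
  group   => $deploy_user,
  mode    => '0644',
  require => File[$ssh_dir],
}

sshkey { 'github.com':
  ensure  => present,
  type    => 'ssh-ed25519',
  key     => 'AAAA...REPLACE-WITH-GITHUB-PUBLISHED-HOST-KEY...',  # placeholder, not a real key
  target  => "${ssh_dir}/known_hosts",
  require => File["${ssh_dir}/known_hosts"],
}

# The checkout itself, run as the service account through the alias above.
vcsrepo { '/srv/project':
  ensure   => present,
  provider => git,
  source   => 'git@github-mycompany-project:mycompany/project.git',  # assumed repo
  revision => 'main',
  user     => $deploy_user,
  require  => [File[$key_file], File["${ssh_dir}/config"], Sshkey['github.com']],
}
```

Apply it with `puppet apply` (with puppetlabs-vcsrepo installed) and it converges in one run: the `require` chain guarantees the key, the alias and the pinned host key exist before the clone is attempted. The private key still has to reach the node somehow; serving it from the module fileserver as above means it lives in your Puppet repository, so restrict who can read that, or on a current Puppet deliver it as `content => Sensitive(lookup('mycompany::deploy_key'))` from encrypted Hiera instead. Revoking access is then a one-click removal of the deploy key on GitHub rather than rotating a developer's key. The same Host alias works for any ssh-based transport that honours ~/.ssh/config, so the bzr case in the question differs only in the vcsrepo `provider` and `source`.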

© 2022 - 2024 — McMap. All rights reserved.