[chef] RE: Distribute private ssh keys via users cookbook


  • From: Kevin Keane (subscriptions) < >
  • To: < >
  • Subject: [chef] RE: Distribute private ssh keys via users cookbook
  • Date: Thu, 10 Jan 2013 03:51:02 -0800

Title: RE: [chef] Distribute private ssh keys via users cookbook

It seems to me that there might be a problem with what you are trying to accomplish in the first place. When you distribute private SSH keys through *any* means, you have a security problem. Doesn't matter if you are using encrypted databags, or even manually copy the keys over. Unless they are your own personal keys, it defeats the very concept behind public key encryption - and if they *are* your personal keys, you should only manually copy them, not put them in an automated distribution system.
Once generated, private SSH keys should never leave that user's control. You can use chef to distribute the corresponding public keys - and you don't even need an encrypted databag. Public keys are not sensitive; you can leave them unencrypted.
If your users are humans, have them generate their SSH key pairs, and create a databag with all the public keys that you want to distribute. Hint: the users cookbook already has a mechanism built in to do that.
If you need SSH key pairs for some automated tasks (say, a cron script doing a nightly rsync), generate a *new* key pair, and store only the public key in a node attribute. You can use an execute or script resource to generate the key pair; just make sure to check if the key may already exist (you don't want to clobber an already-existing key pair).
On the SSH client side, you'd extract all the relevant public keys from your databag or node attributes, and add them to the authorized_keys file as needed.
-----Original message-----
From: Cassiano Leal < >
Sent: Wed 01-09-2013 11:40 am
Subject: [chef] Distribute private ssh keys via users cookbook
To: ;
Hi!
Is there a way to securely distribute private ssh keys through the users community cookbook?
In my setup I have a user deploy that will fetch from git, and I need that user to have a SSH key that's authorized on the git repo. I saw that the users cookbook will use "ssh_private_key" and "ssh_public_key" data bag items, but those would be unencrypted, so not secure.
If people are using a different approach, I'd like to hear about that too.
Thanks!
-- 
Cassiano Leal

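The reply above recommends distributing only public keys and assembling authorized_keys from data bag or node attribute contents. The following is an added example, not code from the thread or from the users cookbook, of the filtering a recipe should do before writing that file: it parses each OpenSSH public key line and checks the type embedded in the base64 blob, refuses any data bag value that carries private key material, and drops duplicate keys. The data bag item shape (an "id" and an "ssh_keys" array), the key samples and the allowed key-type list are constructed assumptions for this example.

```ruby
require 'base64'

# Key types accepted into authorized_keys. The list is an assumption of this
# example; extend it if your fleet uses other types.
ALLOWED_KEY_TYPES = %w[ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256
                       ecdsa-sha2-nistp384 ecdsa-sha2-nistp521].freeze

# Returns [type, blob] for a well-formed OpenSSH public key line, or nil.
# The blob is base64-decoded and the length-prefixed type string at its start
# must match the leading type, so a hand-edited or truncated line is rejected
# instead of being installed.
def parse_public_key(line)
  type, blob, _comment = line.to_s.strip.split(/\s+/, 3)
  return nil unless ALLOWED_KEY_TYPES.include?(type) && blob
  raw = begin
    Base64.strict_decode64(blob)
  rescue ArgumentError
    return nil
  end
  len = raw[0, 4].to_s.unpack1('N')
  return nil unless len && raw[4, len] == type
  [type, blob]
end

# True when a value contains PEM/OpenSSH private key framing. A recipe that
# sees this in a data bag should refuse the item rather than write it anywhere.
def private_key_material?(text)
  text.to_s.include?('PRIVATE KEY-----')
end

# Build authorized_keys content from data bag items (users-cookbook style
# "id" plus "ssh_keys" array; that shape is assumed here) merged with the
# file's existing lines. Existing comments and option-prefixed entries are kept
# verbatim; parsable keys are deduplicated on (type, blob), comment ignored;
# malformed keys and private key material are skipped and reported.
def build_authorized_keys(items, existing_lines = [])
  seen = {}
  accepted = []
  rejected = []

  existing_lines.each do |line|
    parsed = parse_public_key(line)
    if parsed
      next if seen[parsed]
      seen[parsed] = true
    end
    accepted << line.rstrip
  end

  items.each do |item|
    Array(item['ssh_keys']).each do |key|
      if private_key_material?(key)
        rejected << "#{item['id']}: private key material refused"
        next
      end
      parsed = parse_public_key(key)
      if parsed.nil?
        rejected << "#{item['id']}: malformed public key"
        next
      end
      next if seen[parsed]
      seen[parsed] = true
      accepted << key.strip
    end
  end

  { lines: accepted, rejected: rejected }
end

# Constructed sample blob in OpenSSH wire format wrapping arbitrary bytes.
# Not a real key; it exists only to exercise the parser offline.
def sample_blob(type, key_bytes)
  Base64.strict_encode64(
    [type.bytesize, type, key_bytes.bytesize, key_bytes].pack('Na*Na*')
  )
end

SAMPLE_PUB = "ssh-ed25519 #{sample_blob('ssh-ed25519', "\x01" * 32)} alice@example"

# Constructed data bag items: one good key, one private key that must be
# refused, one malformed line.
SAMPLE_ITEMS = [
  { 'id' => 'alice',  'ssh_keys' => [SAMPLE_PUB] },
  { 'id' => 'deploy', 'ssh_keys' => ["-----BEGIN OPENSSH PRIVATE KEY-----\n" \
                                     "constructed\n-----END OPENSSH PRIVATE KEY-----"] },
  { 'id' => 'bob',    'ssh_keys' => ['ssh-rsa not-base64!! bob@example'] }
].freeze

# Constructed existing file: a comment plus alice's key under an older comment.
EXISTING = ['# managed by chef',
            "ssh-ed25519 #{sample_blob('ssh-ed25519', "\x01" * 32)} alice-old"].freeze

if __FILE__ == $PROGRAM_NAME
  result = build_authorized_keys(SAMPLE_ITEMS, EXISTING)
  puts result[:lines]
  result[:rejected].each { |r| warn "rejected #{r}" }
end
```

In a recipe the accepted lines would go to a file resource for the user's authorized_keys, and the rejected list would be surfaced in the Chef log so a private key landing in a data bag is noticed rather than silently installed. The idempotency guard the reply asks for on key generation is the execute resource's `not_if { ::File.exist?(key_path) }`, which keeps an existing pair from being overwritten on each run.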