generate ssh host keys for clients on puppetmaster

I look for a solution to create the ssh host keys for my puppet clients on the puppetmaster.
I did some research and found http://jsosic.wordpress.com/2012/12/04/managing-ssh-host-keys-with-puppet/, but I couldn’t get it working. Is there a more elegant solution to handle that or a full example of that?

I know it’s possible to generate the host keys on the clients and back them up to the puppetmaster, but I’d really prefer to generate them directly on the master.

Edit:

I created a module ‘ssh’.

The content of init.pp is:

class ssh::server {
  if generate('/etc/puppet/modules/ssh/scripts/generate_host_keys.sh',
$keys_dir) {
    include ssh::server::keys
  }
}

class ssh::server::keys {
  file { '/etc/ssh/ssh_host_rsa_key.pub':
    ensure  => file,
    owner   => root,
    group   => root,
    mode    => '0644',
    source  => [
      'puppet:///private/ssh/ssh_host_rsa_key.pub',
      'puppet:///modules/ssh/ssh_host_rsa_key.pub',
    ],
    require => Package['openssh-server'],
    notify  => Service[$service_name],
  }
}

The content of the generate_host_keys.sh is the following:

#!/bin/bash

# check arg0: dir for keys
[ -z "$1" ] && echo "Please specify directory for key generation" && exit 1
KEYSDIR="$1"

# set umask
umask 0022

# create directory tree if it does not exist
[ ! -d "$KEYSDIR" ] && mkdir -p $KEYSDIR

#
# functions stolen from CentOS 6 sshd init script
#

# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
RSA1_KEY=$1/ssh_host_key
RSA_KEY=$1/ssh_host_rsa_key
DSA_KEY=$1/ssh_host_dsa_key

# source function library
. /etc/rc.d/init.d/functions

fips_enabled() {
  if [ -r /proc/sys/crypto/fips_enabled ]; then
    cat /proc/sys/crypto/fips_enabled
  else  
    echo 0
  fi
}

do_rsa1_keygen() {
  if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then
    echo -n $"Generating SSH1 RSA host key: "
    rm -f $RSA1_KEY
    if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
      chmod 600 $RSA1_KEY
      chmod 644 $RSA1_KEY.pub
      success $"RSA1 key generation"
      echo
    else  
      failure $"RSA1 key generation"
      echo
      exit 1
    fi
  fi
}

do_rsa_keygen() {
  if [ ! -s $RSA_KEY ]; then
    echo -n $"Generating SSH2 RSA host key: "
    rm -f $RSA_KEY
    if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
      chmod 600 $RSA_KEY
      chmod 644 $RSA_KEY.pub
      success $"RSA key generation"
      echo
    else 
      failure $"RSA key generation"
      echo
      exit 1
    fi
  fi
}

do_dsa_keygen() {
  if [ ! -s $DSA_KEY ]; then
    echo -n $"Generating SSH2 DSA host key: "
    rm -f $DSA_KEY
    if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
      chmod 600 $DSA_KEY
      chmod 644 $DSA_KEY.pub
      success $"DSA key generation"
      echo
    else
      failure $"DSA key generation"
      echo
      exit 1
    fi
  fi
}

# main
do_rsa1_keygen
do_rsa_keygen
do_dsa_keygen
chmod -R 644 $KEYSDIR/*
exit 0

manifests/site.pp looks like that

node { 'mynode':
  include ssh::server
}

Running puppet agent –test on the client produce the following output:

Info: Retrieving plugin
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to execute generator /etc/puppet/modules/ssh/scripts/generate_host_keys.sh: Execution of '/etc/puppet/modules/ssh/scripts/generate_host_keys.sh ' returned 1:  at /etc/puppet/modules/ssh/manifests/init.pp:2 on node nodename
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Thanks,

Paul

Related:

HTTP streaming server behind nginx?

I’m trying to set up a HTTP streaming server I wrote with Tornado and python. Basically, it keeps the connection alive and occasionally flushes information out. It’s a bit like long polling, except the connection isn’t broken by the server.

Is it possible to put something like this behind nginx? I’m testing it from my browser, and I can’t see any output until the server breaks the connection, then it’s all sent at once.

Related: