
Contents of /puppet/external/sshkeys/manifests/setup_key_master.pp



Revision 3166 - (show annotations) (download)
Thu May 23 15:06:55 2013 UTC (10 years, 6 months ago) by boklm
File size: 2495 byte(s)
Add sshkeys module

Import sshkeys module from git://github.com/boklm/puppet-sshkeys.git
at commit 3fb4c1ee17d983dfa8fbc4ad3eed47e0e5712e30.
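# Create/regenerate/remove a key pair on the keymaster.
#
# This definition is private, i.e. it is not intended to be called
# directly by users. sshkeys::create_key calls it to create virtual
# keys, which are realized in sshkeys::keymaster.
#
# Parameters:
#   $ensure  - 'present' keeps/creates the pair; any other value is passed
#              straight to the key file resources (e.g. 'absent').
#   $force   - regenerate the pair on every run when true.
#   $keytype - value for ssh-keygen -t; also stored in the public key comment.
#   $length  - value for ssh-keygen -b; also stored in the public key comment.
#   $maxdays - regenerate when the private key is older than this many days
#              (find -mtime); the check is skipped when empty/false.
#   $mindate - regenerate when the private key was created before this
#              timestamp (GNU find -newermt); skipped when empty/false.
#
# The title names the key's directory under $sshkeys::var::keymaster_storage
# and is interpolated unquoted into the exec commands below, so it must not
# contain whitespace or shell metacharacters. Such titles are rejected up
# front rather than left to produce a malformed rm/ssh-keygen command line.
define sshkeys::setup_key_master (
  $ensure,
  $force,
  $keytype,
  $length,
  $maxdays,
  $mindate
) {
  include sshkeys::var
  Exec { path => '/usr/bin:/usr/sbin:/bin:/sbin' }
  File {
    owner => 'puppet',
    group => 'puppet',
    mode  => '0600',
  }

  if $title =~ /[\s'"`\\;&|<>()$*?]/ {
    fail("sshkeys::setup_key_master: invalid key name '${title}'")
  }

  $keydir  = "${sshkeys::var::keymaster_storage}/${title}"
  $keyfile = "${keydir}/key"

  file {
    $keydir:
      ensure => directory,
      # Puppet adds the search bit to a directory wherever a read bit is
      # set, so this yields a traversable 0755 directory.
      mode   => '0644';
    $keyfile:
      ensure => $ensure;
    "${keyfile}.pub":
      ensure => $ensure,
      mode   => '0644';
  }

  if $ensure == 'present' {

    # Remove the existing key pair, if
    # * $force is true, or
    # * $maxdays or $mindate criteria aren't met, or
    # * $keytype or $length have changed
    #
    # $keycontent is read at catalog compile time on the master; a missing
    # public key reads as empty (via /dev/null), so a new key goes straight
    # to the create exec below.
    $keycontent = file("${keyfile}.pub", '/dev/null')
    if $keycontent {

      # Each check is guarded by !$reason because Puppet variables cannot
      # be reassigned; the first matching reason wins.
      # NOTE(review): a non-empty string such as "false" is true here;
      # the caller is expected to pass a real boolean - confirm.
      if $force {
        $reason = 'force=true'
      }
      # generate() runs find on the master; its output is non-empty (and
      # thus true) only when the key file fails the age test.
      if !$reason and $mindate and
         generate('/usr/bin/find', $keyfile, '!', '-newermt', "${mindate}") {
        $reason = "created before ${mindate}"
      }
      if !$reason and $maxdays and
         generate('/usr/bin/find', $keyfile, '-mtime', "+${maxdays}") {
        $reason = "older than ${maxdays} days"
      }
      # The comment field holds "<keytype> <length>" (see the create exec
      # below). Match any key-type token rather than only three-letter
      # "ssh-xxx" ones, so ecdsa-sha2-* and similar types are checked too.
      if !$reason and $keycontent =~ /^\S+ \S+ (\S+) (\d+)$/ {
        if $keytype != $1 {
          $reason = "keytype changed: $1 -> $keytype"
        } elsif $length != $2 {
          $reason = "length changed: $2 -> $length"
        }
      }
      if $reason {
        exec { "Revoke previous key ${title}: ${reason}":
          command => "rm $keyfile ${keyfile}.pub",
          before  => Exec["Create key $title: $keytype, $length bits"],
        }
      }
    }

    # Create the key pair.
    # We "repurpose" the comment field in public keys on the keymaster to
    # store data about the key, i.e. $keytype and $length. This avoids
    # having to rerun ssh-keygen -l on every key at every run to determine
    # the key length.
    # `creates` makes this a no-op while the private key exists, which is
    # why the revoke exec above is ordered before it.
    exec { "Create key $title: $keytype, $length bits":
      command => "ssh-keygen -t ${keytype} -b ${length} -f ${keyfile} -C \"${keytype} ${length}\" -N \"\"",
      user    => 'puppet',
      group   => 'puppet',
      creates => $keyfile,
      require => File[$keydir],
      before  => File[$keyfile, "${keyfile}.pub"],
    }
  }
}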
