diff modules/sshkeys_core/REFERENCE.md @ 478:adf6fe9bbc17
Update Puppet modules to latest versions
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Thu, 29 Aug 2024 18:47:29 +0100 |
| parents | 750d36241580 |
| children | |
--- a/modules/sshkeys_core/REFERENCE.md Tue Aug 27 13:35:17 2024 +0100 +++ b/modules/sshkeys_core/REFERENCE.md Thu Aug 29 18:47:29 2024 +0100 
@@ -1,38 +1,24 @@ # Reference +<!-- DO NOT EDIT: This document was generated by Puppet Strings --> + +## Table of Contents + +### Resource types + +* [`ssh_authorized_key`](#ssh_authorized_key): Manages SSH authorized keys. Currently only type 2 keys are supported. +* [`sshkey`](#sshkey): Installs and manages ssh host keys. + ## Resource types -* [`ssh_authorized_key`](#ssh_authorized_key): Manages SSH authorized keys. Currently only type 2 keys are supported. In their native habitat, SSH keys usually appear as a single long lin -* [`sshkey`](#sshkey): Installs and manages ssh host keys. By default, this type will install keys into `/etc/ssh/ssh_known_hosts`. To manage ssh keys in a differe -## Resource types -### ssh_authorized_key - -Manages SSH authorized keys. Currently only type 2 keys are supported. +### <a name="ssh_authorized_key"></a>`ssh_authorized_key` In their native habitat, SSH keys usually appear as a single long line, in the format `<TYPE> <KEY> <NAME/COMMENT>`. This resource type requires you -to split that line into several attributes. Thus, a key that appears in -your `~/.ssh/id_rsa.pub` file like this... - - ssh-rsa AAAAB3Nza[...]qXfdaQ== nick@magpie.example.com - -...would translate to the following resource: - - ssh_authorized_key { 'nick@magpie.example.com': - ensure => present, - user => 'nick', - type => 'ssh-rsa', - key => 'AAAAB3Nza[...]qXfdaQ==', - } +to split that line into several attributes. To ensure that only the currently approved keys are present, you can purge -unmanaged SSH keys on a per-user basis. Do this with the `user` resource -type's `purge_ssh_keys` attribute: - - user { 'nick': - ensure => present, - purge_ssh_keys => true, - } +unmanaged SSH keys on a per-user basis. This will remove any keys in `~/.ssh/authorized_keys` that aren't being managed with `ssh_authorized_key` resources. See the documentation of the 
@@ -42,6 +28,36 @@ SSH key should be installed, the `ssh_authorized_key` resource will autorequire that user. +#### Examples + +##### Thus, a key that appears in your `~/.ssh/id_rsa.pub` file like this... + +```puppet + +ssh-rsa AAAAB3Nza[...]qXfdaQ== nick@magpie.example.com +``` + +##### ...would translate to the following resource: + +```puppet + +ssh_authorized_key { 'nick@magpie.example.com': + ensure => present, + user => 'nick', + type => 'ssh-rsa', + key => 'AAAAB3Nza[...]qXfdaQ==', +} +``` + +##### Do this with the `user` resource type's `purge_ssh_keys` attribute: + +```puppet + +user { 'nick': + ensure => present, + purge_ssh_keys => true, +} +``` #### Properties @@ -49,19 +65,11 @@ ##### `ensure` -Valid values: present, absent +Valid values: `present`, `absent` The basic property that the resource should be in. -Default value: present - -##### `type` - -Valid values: ssh-dss, ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, dsa, ed25519, rsa - -Aliases: "dsa"=>"ssh-dss", "ed25519"=>"ssh-ed25519", "rsa"=>"ssh-rsa" - -The encryption type used. +Default value: `present` ##### `key` @@ -75,10 +83,20 @@ * Key identifiers / comments, such as 'joe@joescomputer.local' --- put these in the `name` attribute/resource title. -##### `user` +##### `options` + +Key options; see sshd(8) for possible values. Multiple values +should be specified as an array. For example, you could use the +following to install a SSH CA that allows someone with the +'superuser' principal to log in as root -The user account in which the SSH key should be installed. The resource -will autorequire this user if it is being managed as a `user` resource. + ssh_authorized_key { 'Company SSH CA': + ensure => present, + user => 'root', + type => 'ssh-ed25519', + key => 'AAAAC3NzaC[...]CeA5kG', + options => [ 'cert-authority', 'principals=\"superuser\"' ], + } ##### `target` 
@@ -88,28 +106,41 @@ `~user/.ssh/authorized_keys`. The parent directory must be present if the target is in a privileged path. -Default value: absent +Default value: `absent` -##### `options` +##### `type` + +Valid values: `ssh-dss`, `ssh-rsa`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521`, `ssh-ed25519`, `sk-ecdsa-sha2-nistp256@openssh.com`, `sk-ssh-ed25519@openssh.com`, `ssh-rsa-cert-v01@openssh.com`, `ssh-ed25519-cert-v01@openssh.com`, `ssh-dss-cert-v01@openssh.com`, `ecdsa-sha2-nistp256-cert-v01@openssh.com`, `ecdsa-sha2-nistp384-cert-v01@openssh.com`, `ecdsa-sha2-nistp521-cert-v01@openssh.com`, `dsa`, `ed25519`, `rsa`, `ecdsa-sk`, `ed25519-sk` -Key options; see sshd(8) for possible values. Multiple values -should be specified as an array. For example, you could use the -following to install a SSH CA that allows someone with the -'superuser' principal to log in as root +Aliases: `"dsa"=>"ssh-dss", "ed25519"=>"ssh-ed25519", "rsa"=>"ssh-rsa", "ecdsa-sk"=>"sk-ecdsa-sha2-nistp256@openssh.com", "ed25519-sk"=>"sk-ssh-ed25519@openssh.com"` + +The encryption type used. - ssh_authorized_key { 'Company SSH CA': - ensure => present, - user => 'root', - type => 'ssh-ed25519', - key => 'AAAAC3NzaC[...]CeA5kG', - options => [ 'cert-authority', 'principals="superuser"' ], - } +##### `user` + +The user account in which the SSH key should be installed. The resource +will autorequire this user if it is being managed as a `user` resource. #### Parameters The following parameters are available in the `ssh_authorized_key` type. -##### `name` +* [`drop_privileges`](#-ssh_authorized_key--drop_privileges) +* [`name`](#-ssh_authorized_key--name) +* [`provider`](#-ssh_authorized_key--provider) + +##### <a name="-ssh_authorized_key--drop_privileges"></a>`drop_privileges` + +Valid values: `true`, `false`, `yes`, `no` + +Whether to drop privileges when writing the key file. This is +useful for creating files in paths not writable by the target user. 
Note +the possible security implications of managing file ownership and +permissions as a privileged user. + +Default value: `true` + +##### <a name="-ssh_authorized_key--name"></a>`name` namevar @@ -120,23 +151,17 @@ if you want to specify one key for multiple users, you must use a different comment for each instance. -##### `drop_privileges` +##### <a name="-ssh_authorized_key--provider"></a>`provider` -Whether to drop privileges when writing the key file. This is -useful for creating files in paths not writable by the target user. Note -the possible security implications of managing file ownership and -permissions as a privileged user. - -Default value: `true` +The specific backend to use for this `ssh_authorized_key` resource. You will seldom need to specify this --- Puppet will +usually discover the appropriate provider for your platform. -### sshkey +### <a name="sshkey"></a>`sshkey` -Installs and manages ssh host keys. By default, this type will -install keys into `/etc/ssh/ssh_known_hosts`. To manage ssh keys in a -different `known_hosts` file, such as a user's personal `known_hosts`, -pass its path to the `target` parameter. See the `ssh_authorized_key` -type to manage authorized keys. - +By default, this type will install keys into `/etc/ssh/ssh_known_hosts`. +To manage ssh keys in a different `known_hosts` file, such as a user's personal +`known_hosts`, pass its path to the `target` parameter. See the +`ssh_authorized_key` type to manage authorized keys. #### Properties 
@@ -144,19 +169,16 @@ ##### `ensure` -Valid values: present, absent +Valid values: `present`, `absent` The basic property that the resource should be in. -Default value: present - -##### `type` +Default value: `present` -Valid values: ssh-dss, ssh-ed25519, ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, dsa, ed25519, rsa +##### `host_aliases` -Aliases: "dsa"=>"ssh-dss", "ed25519"=>"ssh-ed25519", "rsa"=>"ssh-rsa" - -The encryption type used. Probably ssh-dss or ssh-rsa. +Any aliases the host might have. Multiple values must be +specified as an array. ##### `key` @@ -170,11 +192,6 @@ * Key identifiers / comments, such as 'joescomputer.local' --- put these in the `name` attribute/resource title. -##### `host_aliases` - -Any aliases the host might have. Multiple values must be -specified as an array. - ##### `target` The file in which to store the ssh key. Only used by @@ -184,10 +201,28 @@ The following parameters are available in the `sshkey` type. -##### `name` +* [`name`](#-sshkey--name) +* [`provider`](#-sshkey--provider) +* [`type`](#-sshkey--type) + +##### <a name="-sshkey--name"></a>`name` namevar The host name that the key is associated with. +##### <a name="-sshkey--provider"></a>`provider` +The specific backend to use for this `sshkey` resource. You will seldom need to specify this --- Puppet will usually +discover the appropriate provider for your platform. + +##### <a name="-sshkey--type"></a>`type` + +Valid values: `ssh-dss`, `ssh-ed25519`, `ssh-rsa`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521`, `sk-ecdsa-sha2-nistp256@openssh.com`, `sk-ssh-ed25519@openssh.com`, `dsa`, `ed25519`, `rsa`, `ecdsa-sk`, `ed25519-sk` + +namevar + +Aliases: `"dsa"=>"ssh-dss", "ed25519"=>"ssh-ed25519", "rsa"=>"ssh-rsa", "ecdsa-sk"=>"sk-ecdsa-sha2-nistp256@openssh.com", "ed25519-sk"=>"sk-ssh-ed25519@openssh.com"` + +The encryption type used. Probably ssh-dss or ssh-rsa. +
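Review bot: in the first hunk (`@@ -1,38 +1,24 @@`) the purge paragraph is left dangling: it now ends at "unmanaged SSH keys on a per-user basis." and continues directly with "This will remove any keys in `~/.ssh/authorized_keys` that aren't being managed ...", because the sentence "Do this with the `user` resource type's `purge_ssh_keys` attribute:" and the `user { 'nick': ... purge_ssh_keys => true }` snippet were moved out of the description into the Examples section as an example title. The body of the `ssh_authorized_key` section also loses "Manages SSH authorized keys. Currently only type 2 keys are supported.", which now survives only in the table of contents. Because the file is marked `DO NOT EDIT: This document was generated by Puppet Strings`, the fix belongs in the type's docstring (keep the `purge_ssh_keys` sentence in the `desc` text and give the `@example` a title that stands on its own, such as "Purging unmanaged keys for a user"), then regenerate.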
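Review bot: in hunk `@@ -42,6 +28,36 @@` the first example under "#### Examples" is fenced as ```` ```puppet ```` but its content is a raw public-key line, `ssh-rsa AAAAB3Nza[...]qXfdaQ== nick@magpie.example.com`, not Puppet code, and all three fences open with an empty line. The three example titles ("Thus, a key that appears in your `~/.ssh/id_rsa.pub` file like this...", "...would translate to the following resource:", "Do this with the `user` resource type's `purge_ssh_keys` attribute:") are fragments of the sentence they were cut from and do not read as headings. Suggest fixing the `@example` titles at the source and keeping the key line as plain text so only the two resource declarations are rendered as Puppet.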
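Review bot: hunk `@@ -75,10 +83,20 @@` changes the `options` example to `options => [ 'cert-authority', 'principals=\"superuser\"' ]`. In a Puppet single-quoted string only `\\` and `\'` are escape sequences, so the backslashes are literal and the line written to root's `authorized_keys` would carry `principals=\"superuser\"`, which is not the option the text describes. The version removed in hunk `@@ -88,28 +106,41 @@`, `'principals="superuser"'`, was correct; the backslashes look like escaping from the type's `desc` string leaking into the generated markdown and should be dropped there so the example is copy-pasteable. Since the example installs a `cert-authority` entry for `root`, it is worth the description saying that every certificate the CA signs with that principal will then be accepted, which is why the example is worth getting exactly right.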
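Review bot: in hunk `@@ -88,28 +106,41 @@` the new `drop_privileges` parameter text says `false` is "useful for creating files in paths not writable by the target user" and warns about "managing file ownership and permissions as a privileged user", but does not say what the operator should do about it. Suggest tying it to the `target` description in the same file ("The parent directory must be present if the target is in a privileged path"): set `drop_privileges => false` only when `target` points outside the user's writable paths, and manage the resulting file's owner and mode explicitly. In the same hunk, the `type` valid-values list for `ssh_authorized_key` still offers `ssh-dss` and its alias `dsa` with only "The encryption type used." as description; DSA keys have been disabled by default in OpenSSH since 7.0, so a "legacy, disabled by default in modern OpenSSH" remark next to those values would save users a confusing key that sshd silently ignores.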
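Review bot: hunk `@@ -120,23 +151,17 @@` drops the opening sentence "Installs and manages ssh host keys." from the `sshkey` section body, so the section now starts with "By default, this type will install keys into `/etc/ssh/ssh_known_hosts`." without first saying what the type is; that sentence remains only in the table of contents and should be restored in the type's `desc`.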
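Review bot: in hunk `@@ -184,10 +201,28 @@` the `sshkey` `type` parameter now reads "Valid values: ... `ecdsa-sk`, `ed25519-sk`" followed by a bare `namevar` line, then "Aliases: ...", then "The encryption type used. Probably ssh-dss or ssh-rsa." The guess in the last sentence contradicts the list that now includes `ssh-ed25519` and the ECDSA types and should be updated or removed; the lone `namevar` line should sit next to the parameter name, as it does for `name`, rather than between the values and the aliases. The new `provider` entry in the same hunk is also missing the blank line between its heading and "The specific backend to use for this `sshkey` resource.", unlike the `ssh_authorized_key` provider entry.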