blob: e5f72e9028263436a36dd02845cb9e9cacca9156 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
The monkeysphere puppet module is designed to help you manage your servers
and users using the monkeysphere[0].
To install the monkeypshere module, storeconfigs should be enabled in
your puppet server to use certain features. See:
http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration#Configuring+basic+storeconfigs
Example usage for server setup:
# Assuming you are using the sshd puppet module...
$sshd_authorized_keys_file = "/var/lib/monkeysphere/authorized_keys/%u"
include sshd
# Optionally, indicate your preferred keyserver. You can specify a server
# under your control and not accessible to the public or
# pool.sks-keyservers.net if you want to publish to the public pool. The
# value you specify here will be used for all monkeysphere and gpg commands
$monkeysphere_keyserver = "zimmermann.mayfirst.org"
include monkeysphere
# Ensure the server's ssh key is imported into your monkeysphere key ring
monkeysphere::import_key { "main": }
# Optionally publish the server key to a keyserver (as indicated above)
monkeysphere::publish_server_keys { "main": }
# Optionally email the server key to your self
monkeysphere::email_server_keys { "we@ourdomain.org": }
# Be sure to sign the server's key!
# Indiciate the fingerprint of the gpg key that should be used
# to verify user ids. You can repeat this for as many certifiers
# as you need
monkeysphere::add_id_certifier { "jamie":
keyid => "1CB57C59F2F42470238F53ABBB0B7EE15F2E4935"
}
# Indicate who should have root access on the server
monkeysphere::authorized_user_ids { "root":
user_ids => [ "sarah <sarah@ourgroup.org>" , "jose <josue@ourgroup.org" ]
}
In addition, you may want to create a password-less key for a user to use
when logging into another server (e.g. if you want automated backups from
one server to another).
Example usage for user setup:
# Ensure that the root user has authentication capable
# monkeysphere key
monkeysphere::auth_capable_user { "root": }
# Optionally publish the key
monkeysphere::publish_user_key { "root": }
# Grant full trust to a gpg key so the root user can properly
# authenticate servers to which it connects
# You can run this as many times as you want
monkeysphere::owner_trust { "jamie":
fingerprint => "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9"
}
A host can be configured as a host you would use to sign the gpg keys by placing:
include monkeysphere::signer
into the node definition. ON this host, a file will be placed in
/var/lib/puppet/modules/monkeysphere/hosts for each host configured as a
sshserver. Each file will contin the gpg id, the gpg fingerprint, and
the ssh fingerprint of the sshserver.
0. http://monkeysphere.info/
|
