openssh

Table of Contents

  1. Module Description
  2. Setup
  3. Usage
  4. Limitations
  5. Development

Module Description

Install and configure openssh client and server

This module installs and configures OpenSSH clients and servers as is frequently seen in HPC cluster. It authorize a root key on every node and permits to have stable and deterministic hosts keys accross nodes reinstall.

Setup

What openssh affects

The openssh::server class will authorize a specific key to connect as root, you must provide your own key to avoid using a default key that is published on the Internet.

The openssh::client will (by default) deactivate the StrictHostKeyChecking setting. This means that the client will automatically trust new hosts without a prompt.

Setup Requirements

The module uses the following modules:

The puppet_role fact should be defined.

Beginning with openssh

Generate keys for your local site:

Private keys should be encrypted with OpenSSL (see encryption in hpclib mdoule).

Make the keys available to the nodes (puppet, HTTP, local file...), and set the source values for the keys:

The key must be added as a resource ::openssh::client::identity to the administration nodes.

After applying the server class, if you already connected to the server, you might have to remove the entries in your ~/.ssh/known_hosts file.

Usage

Server

The server class installs:

Host keys are downloaded and decrypted with the hpclib decrypt() function.

Each key will be searched in the following order:

Note: the public key is not downloaded but regenerated on the host from the private key.

The module provides a default public root key this should never be used in production. You must override it with the root_public_key parameter.

Note this is the actual key without the ssh-rsa and user name, not a file path.

class{'::openssh::server':
  cluster             => 'cluster',
  root_public_key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDxPBL2D3+fW/GTjCpUI+kVAg6s1M8Z0lRRX35ecodrgz09X70tMFC2h9brXrY2557abUX3jy+0khEV81p24havY9Zi6+7rAqaB3ehCwIPTRT0vqCmHzWSOwK6WJbtur2xnXGvlwM/ngtE/RfUfbPU0Kvb6DG+kWedzi3stwyF4mRkOUahg2l0h+hKHHo46XJFI/bUfNP1ybFSAWYdkYP5Fy2pXK8JdUnYIp5wQIU6waeGUf/fEHPlyZC9fGWqygtSzOCXo3v7KQP9OLW9bupOuXi8zTt4fDKB9qQRjezt4sgnhG/yd/UwQupenIMh2m3DMAX2/e0+w6b1ORP8lzCpd',
  hostkeys_source_dir => 'http://files.hpc.example.com/private/hostkeys',
  decrypt_password    => 'passw0rd',
  config_augeas       => [
    'set ClientAliveInterval 300',
    'set AcceptEnv/1 LANG',
    'set AcceptEnv/2 LC_*',
    'set AcceptEnv/3 SLURM_*',
  ],
}

Client

The client class simply configures system wide default settings for SSH clients.

class{'::openssh::client': }

Client Identity

The ::openssh::client::identity resource configures a user private key file and configure it in a user config file.

::openssh::client::identity{'backup_server_key':
  key_enc        => 'http://files.hpc.example.com/private/keys/id_rsa_backup.enc',
  config_file    => '/root/.ssh/config',
  host           => 'backup.hpc.example.com',
  decrypt_passwd => 'passw0rd',
}

The private key key_enc is decrypted with hpclib::decrypt and put on the file system. The public key is generated with the same name suffixed .pub.

An entry is added to the config_file like this: Host <$host> IdentityFile <$key_file>

Multiple entries are authorized for the same host, the same key file can be re-used for other files and/or hosts.

If the ensure parameter is defined as absent, the files (private and public keys) are removed and the entry is removed from the config file

Limitations

This module is mainly tested on Debian, but is meant to also work with RHEL and derivatives.

Development

Patches and issues can be submitted on GitHub: https://github.com/edf-hpc/puppet-hpc