
Manage ssh privat and public keys via ssh state

Karsten Böddeker 6 years ago
parent
commit
88e267af4e
4 changed files with 61 additions and 83 deletions
  1. 0 30
      build/init.sls
  2. 0 27
      firmware/init.sls
  3. 12 1
      ssh/authorized_keys.tmpl
  4. 49 25
      ssh/init.sls

+ 0 - 30
build/init.sls

@@ -65,7 +65,6 @@ build-git:
     - require:
       - pkg: build
       - user: build
-      - file: /home/build/.ssh/id_rsa
       - file: build-git
 
 firmware-git:
@@ -117,32 +116,3 @@ firmware.in.ffho.net:
     - fingerprint: {{salt['pillar.get']('nodes:firmware.in.ffho.net:ssh:fingerprint',[])}}
     - require:
       - user: build
-
-/home/build/.ssh:
-  file.directory:
-    - user: build
-    - group: build
-    - mode: 700
-    - require:
-      - user: build
-
-# Create authorized_keys for build
-/home/build/.ssh/authorized_keys:
-  file.managed:
-    - source: salt://ssh/authorized_keys.tmpl
-    - template: jinja
-      username: build
-    - user: build
-    - group: build
-    - mode: 644
-    - require:
-      - file: /home/build/.ssh
-
-/home/build/.ssh/id_rsa:
-  file.managed:
-    - contents_pillar: nodes:{{ grains['id'] }}:ssh:build:privkey
-    - user: build
-    - group: build
-    - mode: 400
-    - require:
-      - file: /home/build/.ssh
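Review bot: Dropping `- file: /home/build/.ssh/id_rsa` from the `build-git` require list removes the only ordering guarantee that the deploy key is in place before the clone runs; the key is still managed under the same state ID in ssh/init.sls (`{{ path }}/.ssh/id_rsa` renders to this path once `build` appears under `nodes:<id>:ssh`), so the requisite can stay as a cross-SLS dependency with `include: - ssh` at the top of this file, or be replaced by `- sls: ssh` in the require list. Whether the top file already applies `ssh` before `build` is not visible in this diff, so without one of those the first highstate on a fresh build host may fail the clone with a missing key. The `build-git` state itself starts outside the hunk. The removed key file used `mode: 400` while its replacement in ssh/init.sls uses `600`; both are owner-only, noted only for anyone diffing behaviour between the two.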

+ 0 - 27
firmware/init.sls

@@ -31,7 +31,6 @@ firmware-git:
       - pkg: firmware-pkgs
       - user: firmware
       - file: firmware-git
-      - file: /home/firmware/.ssh/id_rsa
 
 firmware-changelog:
   cmd.run:
@@ -45,32 +44,6 @@ firmware-changelog:
       - user: firmware
       - file: /usr/local/sbin/update-firmware
 
-/home/firmware/.ssh:
-  file.directory:
-    - user: firmware
-    - group: firmware
-    - mode: 700
-    - require:
-      - user: firmware
-
-/home/firmware/.ssh/authorized_keys:
-  file.managed:
-    - contents_pillar: nodes:masterbuilder.in.ffho.net:ssh:build:pubkey
-    - user: firmware
-    - group: firmware
-    - mode: 644
-    - require:
-      - file: /home/firmware/.ssh
-
-/home/firmware/.ssh/id_rsa:
-  file.managed:
-    - contents_pillar: nodes:{{ grains['id'] }}:ssh:firmware:privkey
-    - user: firmware
-    - group: firmware
-    - mode: 400
-    - require:
-      - file: /home/firmware/.ssh
-
 firmware-cron:
   cron.present:
     - name: /usr/local/sbin/update-firmware
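Review bot: The deleted `/home/firmware/.ssh/authorized_keys` pinned exactly one key, `nodes:masterbuilder.in.ffho.net:ssh:build:pubkey`; after this commit the firmware user is only managed if `nodes:<id>:ssh:firmware` exists in pillar, and only receives that key if the `ssh:keys` pillar carries an equivalent entry (presumably `build@masterbuilder.in.ffho.net` with `pillar: True`) that `ffho_auth.get_ssh_authkeys` assigns to the `firmware` user — none of which this diff shows, so verify the rendered authorized_keys on the firmware host before relying on the `firmware-cron` job. As in build/init.sls, `firmware-git` lost its `- file: /home/firmware/.ssh/id_rsa` requisite; add `include: - ssh` plus that requisite back (or `- sls: ssh`) unless the top file already orders `ssh` first. The `firmware-git` state begins outside the hunk.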

+ 12 - 1
ssh/authorized_keys.tmpl

@@ -1,4 +1,15 @@
-{%- set ssh_config = salt['pillar.get']('ssh') -%}
+{%- set ssh_config = salt['pillar.get']('ssh') %}
+{%- for entry_name, entry in ssh_config.get('keys',{}).items() if entry.get('pillar', False) %}
+  {%- set entry_split = entry_name.split('@') %}
+  {%- if entry_split|length() == 2 %}
+    {%- set user = entry_split[0] %}
+    {%- set host = entry_split[1] %}
+  {%- else %}
+    {%- set user = 'root' %}
+    {%- set host = entry_split[0] %}
+  {%- endif %}
+  {%- do entry.update({ 'pubkeys': [salt['pillar.get']('nodes:' + host + ':ssh:' + user + ':pubkey')]}) %}
+{%- endfor %}
 {%- set node_config = salt['pillar.get']('nodes:' ~ grains['id']) -%}
 {%- set auth_keys = salt['ffho_auth.get_ssh_authkeys'](ssh_config, node_config, grains['id'], username) -%}
 {{ "\n".join (auth_keys) }}
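Review bot: The lookup in `{%- do entry.update({ 'pubkeys': [salt['pillar.get']('nodes:' + host + ':ssh:' + user + ':pubkey')]}) %}` has no default and is never checked, so an entry whose node or user has no `pubkey` in pillar, or a typo in the `user@host` name, silently yields `pubkeys: ['']` instead of failing the render; whether `ffho_auth.get_ssh_authkeys` drops the empty string or emits a blank authorized_keys line is outside this diff. Fetch into a variable first and only update when it is non-empty: `{%- set pubkey = salt['pillar.get']('nodes:' + host + ':ssh:' + user + ':pubkey') %}` followed by `{%- if pubkey %}{%- do entry.update({'pubkeys': [pubkey]}) %}{%- endif %}` (or raise via `salt['test.exception']` if a missing key should be a hard error). Note that `entry` is the dict returned by `pillar.get`, so `entry.update` presumably mutates the minion's in-memory pillar for the remainder of the run; it is idempotent here, but a one-line comment saying so would save the next reader a surprise. Names containing more than one `@` fall into the `else` branch and are treated as a bare host with user `root`; tightening the check to fail on `entry_split|length() > 2` would catch that.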

+ 49 - 25
ssh/init.sls

@@ -2,6 +2,8 @@
 # SSH configuration
 #
 
+{% set node_config = salt['pillar.get']('nodes:' ~ grains.id) %}
+
 # Install ssh server
 ssh:
   pkg.installed:
@@ -23,45 +25,67 @@ ssh:
     - watch_in:
       - service: ssh
 
+{% set users = ['root'] %}
+{% for user, user_config in node_config.get('ssh', {}).items() if user not in ['host'] and user not in users %}
+  {% do users.append(user) %}
+{% endfor %}
+
+{% for user in users %}
+  {% set path = '/' + user %}
+  {% if user not in ['root'] %}
+    {% set path = '/home' + path %}
+  {% endif %}
 
-# Create .ssh dir for user root
-/root/.ssh:
+{# Create user if not present#}
+ssh-{{ user }}:
+  user.present:
+    - name: {{ user }}
+    - shell: /bin/bash
+    - home: {{ path }}
+    - createhome: True
+    - gid_from_name: True
+    - system: False
+
+{# Create .ssh dir #}
+{{ path }}/.ssh:
   file.directory:
-    - user: root
-    - group: root
+    - user: {{ user }}
+    - group: {{ user }}
     - mode: 700
-    - makedirs: True
-
+    - require:
+      - user: ssh-{{ user }}
 
-# Create authorized_keys for root (MASTER + host specific)
-/root/.ssh/authorized_keys:
+{# Create authorized_keys for user (MASTER + host specific) #}
+{{ path }}/.ssh/authorized_keys:
   file.managed:
     - source: salt://ssh/authorized_keys.tmpl
     - template: jinja
-      username: root
-    - user: root
-    - group: root
+      username: {{ user }}
+    - user: {{ user }}
+    - group: {{ user }}
     - mode: 644
     - require:
-      - file: /root/.ssh
+      - file: {{ path }}/.ssh
 
-# Add SSH-Keys
-{% if 'root' in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':ssh', []) %}
-/root/.ssh/id_rsa:
+  {% if user in node_config.get('ssh', {}) %}
+    {% set user_config = node_config.get('ssh:' + user, {}) %}
+{# Add SSH-Keys for user #}
+{{ path }}/.ssh/id_rsa:
   file.managed:
-    - contents_pillar: nodes:{{ grains['id'] }}:ssh:root:privkey
-    - user: root
-    - group: root
+    - contents_pillar: nodes:{{ grains.id }}:ssh:{{ user }}:privkey
+    - user: {{ user }}
+    - group: {{ user }}
     - mode: 600
     - require:
-      - file: /root/.ssh
+      - file: {{ path }}/.ssh
 
-/root/.ssh/id_rsa.pub:
+{{ path }}/.ssh/id_rsa.pub:
   file.managed:
-    - contents_pillar: nodes:{{ grains['id'] }}:ssh:root:pubkey
-    - user: root
-    - group: root
+    - contents_pillar: nodes:{{ grains.id }}:ssh:{{ user }}:pubkey
+    - user: {{ user }}
+    - group: {{ user }}
     - mode: 644
     - require:
-      - file: /root/.ssh
-{% endif %}
+      - file: {{ path }}/.ssh
+  {% endif %}
+{% endfor %}
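Review bot: The `{{ path }}/.ssh/id_rsa` state writes a private key taken from pillar but does not set `show_changes: False`, so on first deployment or key rotation the full key material appears in the state diff (highstate output, master job cache, any configured returner), undoing most of what `mode: 600` buys. Add `- show_changes: False` next to `- mode: 600`; it can stay enabled for `id_rsa.pub`. Separately, `{% set user_config = node_config.get('ssh:' + user, {}) %}` under the `if user in node_config.get('ssh', {})` check is never used and would always return `{}` anyway, since `node_config` is a plain dict and the colon path is only resolved by `pillar.get`; drop it together with the unused `user_config` loop variable above. Managing `root` through `user.present` (shell, home, gid) goes beyond what deploying keys requires and will rewrite root's shell on any host where it is not `/bin/bash`; consider wrapping the `ssh-{{ user }}` state in `{% if user != 'root' %}` and requiring nothing for the root `.ssh` directory.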