salt.states.ssh_auth

Control of entries in SSH authorized_key files

The information stored in a user's SSH authorized key file can be easily controlled via the ssh_auth state. Defaults can be set by the enc, options, and comment keys. These defaults can be overridden by including them in the name.

Since the YAML specification limits the length of simple keys to 1024 characters, and since SSH keys are often longer than that, you may have to use a YAML 'explicit key', as demonstrated in the second example below.

AAAAB3NzaC1kc3MAAACBAL0sQ9fJ5bYTEyY==:
  ssh_auth.present:
    - user: root
    - enc: ssh-dss

? AAAAB3NzaC1kc3MAAACBAL0sQ9fJ5bYTEyY==...
:
  ssh_auth.present:
    - user: root
    - enc: ssh-dss

thatch:
  ssh_auth.present:
    - user: root
    - source: salt://ssh_keys/thatch.id_rsa.pub
    - config: '%h/.ssh/authorized_keys'

sshkeys:
  ssh_auth.present:
    - user: root
    - enc: ssh-rsa
    - options:
      - option1="value1"
      - option2="value2 flag2"
    - comment: myuser
    - names:
      - AAAAB3NzaC1kc3MAAACBAL0sQ9fJ5bYTEyY==
      - ssh-dss AAAAB3NzaCL0sQ9fJ5bYTEyY== user@domain
      - option3="value3" ssh-dss AAAAB3NzaC1kcQ9J5bYTEyY== other@testdomain
      - AAAAB3NzaC1kcQ9fJFF435bYTEyY== newcomment

sshkeys:
  ssh_auth.manage:
    - user: root
    - enc: ssh-rsa
    - options:
      - option1="value1"
      - option2="value2 flag2"
    - comment: myuser
    - ssh_keys:
      - AAAAB3NzaC1kc3MAAACBAL0sQ9fJ5bYTEyY==
      - ssh-dss AAAAB3NzaCL0sQ9fJ5bYTEyY== user@domain
      - option3="value3" ssh-dss AAAAB3NzaC1kcQ9J5bYTEyY== other@testdomain
      - AAAAB3NzaC1kcQ9fJFF435bYTEyY== newcomment
salt.states.ssh_auth.absent(name, user, enc='ssh-rsa', comment='', source='', options=None, config='.ssh/authorized_keys', fingerprint_hash_type=None)

Verifies that the specified SSH key is absent

name

The SSH key to manage

user

The user who owns the SSH authorized keys file to modify

enc

Defines what type of key is being used, can be ed25519, ecdsa, ssh-rsa, ssh-dss or any other type as of openssh server version 8.7.

comment

The comment to be placed with the SSH public key

options

The options passed to the key, pass a list object

source

The source file for the key(s). Can contain any number of public keys, in standard "authorized_keys" format. If this is set, comment, enc and options will be ignored.

New in version 2015.8.0.

config

The location of the authorized keys file relative to the user's home directory, defaults to ".ssh/authorized_keys". Token expansion %u and %h for username and home path supported.

fingerprint_hash_type

The public key fingerprint hash type that the public key fingerprint was originally hashed with. This defaults to sha256 if not specified.

New in version 2016.11.7.

salt.states.ssh_auth.manage(name, ssh_keys, user, enc='ssh-rsa', comment='', source='', options=None, config='.ssh/authorized_keys', fingerprint_hash_type=None, **kwargs)

New in version 3000.

Ensures that only the specified ssh_keys are present for the specified user

ssh_keys

The SSH key to manage

user

The user who owns the SSH authorized keys file to modify

enc

Defines what type of key is being used, can be ed25519, ecdsa, ssh-rsa, ssh-dss or any other type as of openssh server version 8.7.

comment

The comment to be placed with the SSH public key

source

The source file for the key(s). Can contain any number of public keys, in standard "authorized_keys" format. If this is set, comment and enc will be ignored.

Note

The source file must contain keys in the format <enc> <key> <comment>. If you have generated a keypair using PuTTYgen, then you will need to do the following to retrieve an OpenSSH-compatible public key.

  1. In PuTTYgen, click Load, and select the private key file (not the public key), and click Open.

  2. Copy the public key from the box labeled Public key for pasting into OpenSSH authorized_keys file.

  3. Paste it into a new file.

options

The options passed to the keys, pass a list object

config

The location of the authorized keys file relative to the user's home directory, defaults to ".ssh/authorized_keys". Token expansion %u and %h for username and home path supported.

fingerprint_hash_type

The public key fingerprint hash type that the public key fingerprint was originally hashed with. This defaults to sha256 if not specified.

salt.states.ssh_auth.present(name, user, enc='ssh-rsa', comment='', source='', options=None, config='.ssh/authorized_keys', fingerprint_hash_type=None, **kwargs)

Verifies that the specified SSH key is present for the specified user

name

The SSH key to manage

user

The user who owns the SSH authorized keys file to modify

enc

Defines what type of key is being used, can be ed25519, ecdsa, ssh-rsa, ssh-dss or any other type as of openssh server version 8.7.

comment

The comment to be placed with the SSH public key

source

The source file for the key(s). Can contain any number of public keys, in standard "authorized_keys" format. If this is set, comment and enc will be ignored.

Note

The source file must contain keys in the format <enc> <key> <comment>. If you have generated a keypair using PuTTYgen, then you will need to do the following to retrieve an OpenSSH-compatible public key.

  1. In PuTTYgen, click Load, and select the private key file (not the public key), and click Open.

  2. Copy the public key from the box labeled Public key for pasting into OpenSSH authorized_keys file.

  3. Paste it into a new file.

options

The options passed to the key, pass a list object

config

The location of the authorized keys file relative to the user's home directory, defaults to ".ssh/authorized_keys". Token expansion %u and %h for username and home path supported.

fingerprint_hash_type

The public key fingerprint hash type that the public key fingerprint was originally hashed with. This defaults to sha256 if not specified.