Purging ssh_authorized_keys with Puppet

Published on Aug 24, 2014 by blkperl.

Purging SSH authorized keys used to be the top-voted ticket in the Puppet issue tracker. Community member Felix Frank solved the issue by adding a purge_ssh_keys parameter to the User resource. The change was merged into the master branch in March 2014 and was released in Puppet 3.6.0, with some additional bug fixes in Puppet 3.6.2.

Let’s take a look at the code to enable this feature. Here we have a user resource for the root user. All we need to do is set the purge_ssh_keys attribute to true and Puppet will begin removing unmanaged keys.

    user { 'root':
      ensure         => present,
      home           => '/root',
      uid            => '0',
      purge_ssh_keys => true,
    }

Before you enable this you will want to make sure that you have all your root ssh_authorized_key resources defined in your Puppet manifests; any key in the file that no resource covers will be removed. In our example, we have one ssh_authorized_key resource for our public root bastion key. Following best practices, the key data is populated from a Hiera lookup.

    ssh_authorized_key { 'root@bastion':
      ensure => 'present',
      user   => 'root',
      type   => 'ssh-rsa',
      key    => hiera('bastion_pub_key')
    }

Now when we run Puppet on our clients we can see unmanaged keys getting removed.

(/Stage[main]/site::Sysadmin/Ssh_authorized_key[root@old_bastion1]/ensure) removed
(/Stage[main]/site::Sysadmin/Ssh_authorized_key[root@old_bastion2]/ensure) removed

You should check /root/.ssh/authorized_keys afterwards to make sure the correct keys are in the file. If it looks good you can push the change out to all of your machines.
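A pre-flight check that answers both questions above (which keys purge_ssh_keys would remove, and whether every managed key is actually in the file) is easy to script. The following is an added example, not code from the post or from Puppet: it parses an authorized_keys file, including the optional leading options field with quoted spaces, and compares key material against a list that mirrors the ssh_authorized_key resources in your manifests. The key strings and the MANAGED list are constructed placeholders standing in for hiera('bastion_pub_key'); run it against a real file by passing its contents to report().

```python
"""Pre-flight check before enabling purge_ssh_keys (added example, not from
the post): parse an authorized_keys file and report which keys would be
removed because no ssh_authorized_key resource covers them."""
from dataclasses import dataclass

# Key types accepted in authorized_keys (assumption: this subset is enough here).
KEY_TYPES = (
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


@dataclass(frozen=True)
class AuthorizedKey:
    lineno: int
    options: str   # leading options field, e.g. from="10.0.0.5",no-pty ("" if none)
    keytype: str
    key: str       # base64 key material
    comment: str   # trailing comment, where Puppet writes the resource title


def _split_options(line):
    """Split off the leading options field, honouring double-quoted spaces
    such as command="echo hi there"."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_authorized_keys(text):
    """Return one AuthorizedKey per key line; blank and '#' lines are skipped,
    lines that cannot be parsed raise ValueError with the line number."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        fields = line.split(None, 2)
        if fields[0] not in KEY_TYPES:          # options field comes first
            options, rest = _split_options(line)
            fields = rest.split(None, 2)
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            raise ValueError(f"line {lineno}: not an authorized_keys entry: {raw!r}")
        comment = fields[2] if len(fields) == 3 else ""
        entries.append(AuthorizedKey(lineno, options, fields[0], fields[1], comment))
    return entries


def unmanaged_keys(entries, managed):
    """Keys in the file that no managed resource covers. Matching is on type
    and key material, since that is what grants access, not the comment."""
    covered = {(m["type"], m["key"]) for m in managed}
    return [e for e in entries if (e.keytype, e.key) not in covered]


def missing_keys(entries, managed):
    """Managed resources whose key material is absent from the file."""
    present = {(e.keytype, e.key) for e in entries}
    return [m for m in managed if (m["type"], m["key"]) not in present]


# Constructed sample file: the key material below is a placeholder, not a real key.
SAMPLE_FILE = """\
# root authorized_keys, constructed for this example
ssh-rsa AAAAB3NzaC1yc2E+CONSTRUCTED+BASTION root@bastion

from="10.0.0.5",command="echo hi there" ssh-rsa AAAAB3NzaC1yc2E+CONSTRUCTED+OLD1 root@old_bastion1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5+CONSTRUCTED+OLD2 root@old_bastion2
"""

# Mirrors the post's single ssh_authorized_key resource (constructed value).
MANAGED = [
    {"name": "root@bastion", "type": "ssh-rsa", "key": "AAAAB3NzaC1yc2E+CONSTRUCTED+BASTION"},
]


def report(text=SAMPLE_FILE, managed=MANAGED):
    """Summarise what enabling purge_ssh_keys would change for this file."""
    entries = parse_authorized_keys(text)
    return {
        "would_be_purged": [e.comment or f"line {e.lineno}" for e in unmanaged_keys(entries, managed)],
        "missing_from_file": [m["name"] for m in missing_keys(entries, managed)],
    }


if __name__ == "__main__":
    for kind, names in report().items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

For the sample file this lists root@old_bastion1 and root@old_bastion2 as keys that would be purged and nothing as missing, which is the same outcome the agent output above shows. Running the agent with --noop before flipping purge_ssh_keys gives you Puppet's own view of the same change.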

If you’re not yet using Puppet 3.6.2 or higher you can use the ssh_keys Puppet module written by nightfly which works around the issue by implementing a new resource with the concat module for a backend.

Now you are all set to go deploy this in your infrastructure.

Happy puppeting!