
I have a user that needs to authenticate against a company source repository when using git clone. To set this up for the user I need to specify a user's private key (not the host private key in /etc). Is there a method to do this?

The user is configured with system_info in cloud-init, which doesn't have a mechanism to install the user's private key.

Note: Let's say you're provisioning a new machine and adding a user bob on it. How do you install a private key for bob such that he can authenticate with something using ssh?

Evan Carroll

2 Answers


Update

Oops, don't do this. It was pointed out to me that this was wholly insecure, as curl http://169.254.169.254/latest/user-data will show any unprivileged user the private keys. The data gets saved as /run/cloud-init/instance-data.json.

Original post

There is no module to make this easier, and there is no argument under system_info (how you add and configure the user) to ease the ability to configure the user's SSH keys. The way I went about this was adding something like this in my main.tf to populate the variable ssh_keys_user:

ssh_keys_user = {
  write_files = [
    {
      path        = "/home/ecarroll/.ssh/id_rsa"
      content     = file("./ssh/user/cp-terraform-user-id_rsa")
      owner       = "ecarroll:ecarroll"
      permissions = "0600"
      defer       = true
    },
    {
      path        = "/home/ecarroll/.ssh/id_rsa.pub"
      content     = file("./ssh/user/cp-terraform-user-id_rsa.pub")
      owner       = "ecarroll:ecarroll"
      permissions = "0644"
      defer       = true
    },
    {
      path        = "/home/ecarroll/.ssh/id_ecdsa"
      content     = file("./ssh/user/cp-terraform-user-id_ecdsa")
      owner       = "ecarroll:ecarroll"
      permissions = "0600"
      defer       = true
    },
    {
      path        = "/home/ecarroll/.ssh/id_ecdsa.pub"
      content     = file("./ssh/user/cp-terraform-user-id_ecdsa.pub")
      owner       = "ecarroll:ecarroll"
      permissions = "0644"
      defer       = true
    },
    {
      path        = "/home/ecarroll/.ssh/id_ed25519"
      content     = file("./ssh/user/cp-terraform-user-id_ed25519")
      owner       = "ecarroll:ecarroll"
      permissions = "0600"
      defer       = true
    },
    {
      path        = "/home/ecarroll/.ssh/id_ed25519.pub"
      content     = file("./ssh/user/cp-terraform-user-id_ed25519.pub")
      owner       = "ecarroll:ecarroll"
      permissions = "0644"
      defer       = true
    }
  ]
}

Then what I did was wire it into my cloud-init like this:

write_files:
${ yamlencode( ssh_keys_user.write_files ) }

I generated these files with a Makefile like this:

user/cp-terraform-user-id_ecdsa:
	-mkdir user 2> /dev/null;
	ssh-keygen -C "User key for SSH authentication to repos" -N "" -b 521 -t ecdsa -f "$@";
	touch "$@";

user/cp-terraform-user-id_ed25519:
	-mkdir user 2> /dev/null;
	ssh-keygen -C "User key for SSH authentication to repos" -N "" -t ed25519 -f "$@";
	touch "$@";

user/cp-terraform-user-id_rsa:
	-mkdir user 2> /dev/null;
	ssh-keygen -C "User key for SSH authentication to repos" -N "" -b 4096 -t rsa -f "$@";
	touch "$@";

This works fine. Then I just added the .pub files to BitBucket and GitLab.

Evan Carroll
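The update above is the important part of this answer: anything rendered into user-data is readable from inside the instance, so a private key placed there through write_files is effectively public to every local account. A check worth running on the rendered user-data before it is handed to the cloud provider is the following linter, added here as an example (it is not code from the answer, from Terraform or from cloud-init). It flags PEM private-key headers in plain text, decodes runs of base64 lines so that `encoding: b64` content does not slip past a plain grep, and flags write_files `path:` lines (and, going beyond the answer's YAML, HCL `path = "..."` lines like those in the main.tf above) that land on one of ssh's default identity files. The cloud-config it scans is constructed for the example; the user `bob`, the path `/etc/ssl/private/app.key` and the key bodies are made up and contain no real key material.

```python
"""Lint rendered cloud-init user-data for embedded private keys (added example)."""
import base64
import binascii
import re

# Header line every PEM-style private key starts with (OpenSSH, RSA, EC, PKCS#8).
PEM_PRIVATE_HEADER = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# YAML "path:" or HCL 'path = "..."' entries pointing at ssh(1)'s default identity
# files (id_rsa, id_ecdsa, id_ed25519, ...). The .pub variants do not match.
IDENTITY_PATH = re.compile(r'^\s*-?\s*path\s*[:=]\s*"?\S*?/\.ssh/id_[a-z0-9]+"?\s*$')
# A line made only of base64 text, which is how `encoding: b64` content looks in YAML.
B64_LINE = re.compile(r"^\s*[A-Za-z0-9+/]{16,}={0,2}\s*$")


def _decode_b64(blob: str) -> str:
    """Decode base64 text leniently (fix padding); return '' if it is not base64."""
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return ""


def find_private_keys(user_data: str) -> list:
    """Return (line, kind, detail) tuples for every private-key indicator found."""
    findings = []
    lines = user_data.splitlines()
    for num, line in enumerate(lines, 1):
        header = PEM_PRIVATE_HEADER.search(line)
        if header:
            findings.append((num, "pem", header.group(0)))
        if IDENTITY_PATH.match(line):
            findings.append((num, "path", line.strip()))
    # Base64-encoded content hides the PEM header from a plain grep, so join each
    # run of base64-only lines, decode the run, and look for the header again.
    run, start = [], None
    for num, line in enumerate(lines + [""], 1):  # empty sentinel flushes the last run
        if B64_LINE.match(line):
            run.append(line.strip())
            start = start or num
            continue
        if run:
            header = PEM_PRIVATE_HEADER.search(_decode_b64("".join(run)))
            if header:
                findings.append((start, "b64", header.group(0)))
        run, start = [], None
    return sorted(findings)


# Constructed sample cloud-config: a plaintext key, a base64-encoded key (which a
# naive `grep BEGIN` misses) and a harmless public key. No real key material.
FAKE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
            "CONSTRUCTED-NOT-A-REAL-KEY\n"
            "-----END RSA PRIVATE KEY-----\n")
_B64 = base64.b64encode(FAKE_PEM.encode()).decode()
_B64_WRAPPED = "\n".join("      " + _B64[i:i + 64] for i in range(0, len(_B64), 64))
SAMPLE_USER_DATA = f"""#cloud-config
write_files:
  - path: /home/bob/.ssh/id_ed25519
    owner: bob:bob
    permissions: '0600'
    content: |
      -----BEGIN OPENSSH PRIVATE KEY-----
      Y29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwta2V5
      -----END OPENSSH PRIVATE KEY-----
  - path: /etc/ssl/private/app.key
    permissions: '0600'
    encoding: b64
    content: |
{_B64_WRAPPED}
  - path: /home/bob/.ssh/id_ed25519.pub
    content: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotRealxxxxxxxxxxx bob
"""

if __name__ == "__main__":
    import sys
    # Scan a rendered user-data file given on the command line, else the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_USER_DATA
    hits = find_private_keys(text)
    for num, kind, detail in hits:
        print(f"line {num}: {kind}: {detail}")
    sys.exit(1 if hits else 0)
```

Run it against the output of `terraform show` or the rendered template in CI; a non-zero exit blocks the apply. The `path` check fires even when the content is not recognisable as a key, because a file under `~/.ssh/id_*` is loaded by ssh as an identity regardless of what it contains.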

If you don't mind the keys being generated on boot, you could potentially use the phone-home module to send the newly generated pubkeys wherever you need them to go:

The current example for this module might be a good starting point.

    url: http://example.com/$INSTANCE_ID/
    post:
        - pub_key_dsa
        - pub_key_rsa
        - pub_key_ecdsa
        - pub_key_ed25519
        - instance_id
        - hostname
        - fqdn
    tries: 5

I haven't done this before, but if "keys generated on boot" fits your requirements, something like this should work.
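The snippet only shows the sending side. As an added example (not code from this answer or from cloud-init), here is the receiving side of that exchange: a parser for the form-encoded POST the phone_home module sends, which accepts only instance ids the provisioner expects, checks that each pub_key_* value is a well-formed OpenSSH public key whose declared type matches the type encoded inside the key blob, and turns the result into known_hosts lines. The pub_key_* fields carry the contents of the instance's /etc/ssh/ssh_host_*_key.pub files, so pinning them this way replaces trust-on-first-use for freshly provisioned hosts. The instance id, hostname and ed25519 key in the sample body are constructed for the example.

```python
"""Validate a cloud-init phone_home POST and pin the reported host keys (added example)."""
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Form fields the phone_home module posts for the host public keys.
KEY_FIELDS = ("pub_key_rsa", "pub_key_ecdsa", "pub_key_ed25519", "pub_key_dsa")
KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss",
               "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _wire_type(blob: bytes) -> str:
    """First length-prefixed string of an SSH public key blob (RFC 4253 encoding)."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    n = int.from_bytes(blob[:4], "big")
    if n > len(blob) - 4:
        raise ValueError("key blob truncated")
    return blob[4:4 + n].decode("ascii")


def parse_public_key(value: str):
    """Return (type, base64 blob) for one OpenSSH public-key line, or None when the
    field carries no key (cloud-init posts a placeholder string for a missing file)."""
    parts = value.split()
    if len(parts) < 2:
        return None
    ktype, b64 = parts[0], parts[1]
    if ktype not in KNOWN_TYPES:
        raise ValueError(f"unknown key type {ktype!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key blob is not base64") from exc
    if _wire_type(blob) != ktype:
        raise ValueError("declared key type does not match the encoded key")
    return ktype, b64


def parse_phone_home(body: str, allowed_instances) -> dict:
    """Parse a form-encoded phone_home body; accept only instances we provisioned."""
    form = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    for field in ("instance_id", "hostname"):
        if field not in form:
            raise ValueError(f"missing field {field}")
    if form["instance_id"] not in allowed_instances:
        raise ValueError(f"unexpected instance_id {form['instance_id']!r}")
    keys = {}
    for field in KEY_FIELDS:
        parsed = parse_public_key(form.get(field, ""))
        if parsed:
            keys[parsed[0]] = parsed[1]
    return keys


def known_hosts_lines(hostname: str, fqdn: str, keys: dict) -> list:
    """Render the reported host keys as known_hosts entries."""
    names = hostname if not fqdn or fqdn == hostname else f"{hostname},{fqdn}"
    return [f"{names} {ktype} {blob}" for ktype, blob in sorted(keys.items())]


# Constructed sample body: a fake ed25519 key with correct wire framing, the
# placeholder an absent RSA key produces, and a made-up instance id.
FAKE_ED25519_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"\x11" * 32).decode()
SAMPLE_BODY = urlencode({
    "pub_key_ed25519": f"ssh-ed25519 {FAKE_ED25519_BLOB} root@web1",
    "pub_key_rsa": "N/A",
    "instance_id": "i-0constructed",
    "hostname": "web1",
    "fqdn": "web1.example.internal",
})

if __name__ == "__main__":
    keys = parse_phone_home(SAMPLE_BODY, allowed_instances={"i-0constructed"})
    for line in known_hosts_lines("web1", "web1.example.internal", keys):
        print(line)
```

Serve `parse_phone_home` behind the URL in the phone_home config and feed the returned lines into the known_hosts file your CI or bastion uses. The allowlist of instance ids should come from the same place that created the instances (the Terraform state, for example), so an arbitrary client on the network cannot register a host key for a name it does not own.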