Forge Home

pubkey

pdk
Generate ssh key pair and export public key
Project URLRSS FeedReport issues

2,605 downloads

59 latest version

Version information

  • 1.0.0 (latest)
  • 0.9.0
  • 0.8.3
  • 0.8.2 (deleted)
  • 0.8.1
  • 0.8.0
  • 0.7.0
  • 0.6.0
  • 0.5.0
  • 0.4.0
  • 0.3.0
  • 0.2.0
  • 0.1.0
released Aug 15th 2025
This version is compatible with:
  • Puppet Enterprise 2025.5.x, 2025.4.x, 2025.3.x, 2025.2.x, 2025.1.x, 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.21.0 < 9.0.0
  • CentOS
    ,
    OracleLinux
    ,
    RedHat
    ,
    Scientific
    ,
    Debian
    ,
    Ubuntu

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'deric-pubkey', '1.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add deric-pubkey
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install deric-pubkey --version 1.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

deric/pubkey — version 1.0.0 Aug 15th 2025

puppet-pubkey

Puppet Forge Tests

Puppet module that allows generating ssh key pair and exchanging the public key via exported Puppet resource.

Usage

As simple as:

pubkey::ssh { 'bob_rsa': }

will generate /home/bob/.ssh/id_rsa key with default size and export the public key /home/bob/.ssh/id_rsa.pub.

Auto-detection expects name in format {username}_{type}.

Parameters

  • generate Whether missing key should be generated (default: true)
  • user account name under which we will store the ssh key
  • type ssh key type one of: dsa, rsa, ecdsa, ed25519, ecdsa-sk, ed25519-sk
  • home user's home directory, assuming .ssh is located in $HOME/.ssh
  • prefix custom key file prefix for the ssh key file (default: id)
  • comment ssh key's comment
  • size number of bits for generated ssh key
  • tags optional tags added to the exported key
  • export_key whether export the generated public key as ssh_authorized_key (default: true)
  • path standard unix path to look for ssh-keygen
  • hostname that will be part of exported resource (default: FQDN fact)
  • separator A character for user and key type auto-detection (default: _)

Ssh key type depends on ssh-keygen version, see ssh-keygen --help for list of supported types on your system.

Advanced configuration

Optionally provide override any parameter

pubkey::ssh { 'alice_key':
  user       => 'alice',
  type       => 'ed25519',
  home       => '/home/alice',
  comment    => 'alice_ed25519@foo.bar',
  hostname   => 'foo'
  export_key => false,
  tags       => ['tag_users', 'bar'],
}

The key will be exported as alice_key@foo (suffix is taken from the hostname parameter). In order to import the key on other machine use e.g.:

Ssh_authorized_key <<| tag == "tag_users" |>>

Customize target_user in order to store authorized key under different account than it was exported from.

pubkey::ssh { 'bob_ed25519':
  user        => 'bob', # auto-detected from title
  target_user => 'deploy', # user account under which authorized key will be stored
  tags        => ['users'],
}

All Puppet variables are documented in REFERENCE.md.

How does this work?

On the first run ssh-keygen is executed, if the desired ssh key pair doen't exist yet.

Puppet compiles code remotely, on a puppetserver. Which means that the local files are not available at the compile time. Local files (like public ssh keys) can be accessed from Facter code that is evaluated before applying the Puppet catalog. However Facter doesn't accept any arguments, so we don't know which keys to load before evaluating the Puppet code. An intermediate cache file /var/cache/pubkey/exported_keys is used to store location of exported keys. During next run the keys are fetched and exported under pubkey fact.

Exported ssh keys are stored as hierarchical fact. See facter --puppet -y pubkey

pubkey:
  bob_ed25519:
    comment: "bob_ed25519"
    key: "AAAAC3NzaC1lZDI1NTE5AAAAIHBqbh2bZtW2jyX5BnsbAahP3KwGSVKVisggLDqJKnkQ"
    type: ssh-ed25519

From Puppet code the key is available via $fact['pubkey']['bob_ed25519']['key'].

Limitations

Two consecutives Puppet runs are required to export the key. During the first run ssh key will be generated, during the second one it will be fetched from disk, exported and available as a fact.

Dependencies

ssh-keygen needs to be installed on the system.

Module dependencies:

Acceptance test

Run with specific set:

BEAKER_destroy=no BEAKER_setfile=debian10-64 bundle exec rake beaker