SSH key generation and distribution with Puppet

Geoff Williams



released Oct 25th 2018
This version is compatible with:
  • RedHat


geoffwilliams/sshkeys — version 1.1.1 Oct 25th 2018


Table of Contents

  1. Description
  2. Features
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module


Description

Provides several methods for the generation, distribution and authorization of SSH keys.


Features

Per-user management of:

  • ~/.ssh
  • ~/.ssh/id_rsa
  • ~/.ssh/
  • ~/.ssh/known_hosts
  • ~/.ssh/authorized_keys
  • ~/.ssh/some_other_key (sshkeys::install_keypair only)
  • ~/.ssh/ (sshkeys::install_keypair only)


Usage

There are two methods of operation (consult REFERENCE for detailed instructions):

Manual management

Create files with known data sourced from Puppet (Hiera, files from modules, etc):

  • sshkeys::manual

Suggested uses:

  • Distributing known keys for sysadmins
  • Enabling logins from applications using a known key


Generated management

Generate files as needed (they are stored on the Puppet Master in /etc/puppetlabs/puppetserver/sshkeys):

  • sshkeys::authorize
  • sshkeys::install_keypair
  • sshkeys::known_host

Suggested uses:

  • SSH used as a transport mechanism where the value of the key itself is immaterial and limited in scope, with all parties under Puppet control. A good example is rsync between Puppet nodes, which is what the module was originally written for.


Since SSH keys are stored on the master when the generation methods are used, this weakens security somewhat compared with how PKIs are intended to work. This can be mitigated by applying the principle of least privilege to the accounts that use keys in this way. Also, if your Puppet Master is compromised, it's game over anyway. Be sure you're comfortable with this before using it.

Note: SSH keys are read from and generated on the Puppet Master by the sshkeys::sshkey function that ships with this module. When running Puppet in apply mode the user running the function will normally be root, but in agent mode it will be pe-puppet or equivalent, which has no ability to write to /etc and so cannot create files there. Instead, the module creates its own directory at /etc/puppetlabs/puppetserver/sshkeys; since /etc/puppetlabs/puppetserver is writable by pe-puppet, files can be written to that location.
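The two points above (private keys living on the master, and least privilege for accounts that use generated keys) expressed as an added example, not code from this module or its author. It uses core Puppet resources rather than the module's own defines, because the module's parameter names are not shown on this page. Assumptions: the Puppet Server service user is pe-puppet as stated above; the Hiera key profile::backup::rsync_pubkey, the rrsync path, the backup user and the 192.0.2.10 peer address are illustrative.

```puppet
# Added example; not part of geoffwilliams/sshkeys.
# Assumptions: Puppet Server runs as 'pe-puppet'; the store path is the one
# the README names; the Hiera key, rrsync path and peer address are made up.

# Apply on the Puppet Master: the on-master key store holds private keys,
# so only the service user may read it. With recurse, Puppet applies 0600
# to files and raises it to 0700 for directories, so every generated key
# file ends up owner-only and the directory is not listable by others.
class profile::sshkeys_store {
  file { '/etc/puppetlabs/puppetserver/sshkeys':
    ensure  => directory,
    owner   => 'pe-puppet',
    group   => 'pe-puppet',
    mode    => '0600',
    recurse => true,
  }
}

# Apply on the node that receives rsync: least privilege for a key used
# purely as a transport. The authorized_keys entry pins the source host,
# forces a restricted rsync command (rrsync confines it to one directory,
# -ro makes it read-only) and 'restrict' disables pty, port forwarding,
# agent forwarding and X11. A leaked private key then grants read-only
# rsync of /srv/backup from one host and nothing more.
class profile::rsync_target {
  ssh_authorized_key { 'rsync transport from node1':
    ensure  => present,
    user    => 'backup',
    type    => 'ssh-ed25519',
    key     => lookup('profile::backup::rsync_pubkey'), # public key from Hiera
    options => [
      'from="192.0.2.10"',
      'command="/usr/bin/rrsync -ro /srv/backup"',
      'restrict',
    ],
  }
}
```

The 'restrict' option requires OpenSSH 7.2 or later on the receiving node; on older versions spell out no-pty, no-port-forwarding, no-agent-forwarding and no-X11-forwarding instead.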

Setup Requirements

  • Requires that all SSH packages are already installed


Limitations

  • Tested on Debian and Ubuntu
  • If generation is used, SSH keys will be stored on the master
  • Only one copy of a given key can be installed per-node when using sshkeys::install_keypair


Development

PRs accepted :)


This module supports testing using PDQTest.

Tests can be executed with:

bundle install

See .travis.yml for a working CI example.