salt.modules.ssh¶

Manage client ssh components

Note

This module requires the use of MD5 hashing. Certain security audits may not permit the use of MD5. For those cases, this module should be disabled or removed.

salt.modules.ssh.auth_keys(user=None, config='.ssh/authorized_keys')¶

Return the authorized keys for users

CLI Example:

salt '*' ssh.auth_keys
salt '*' ssh.auth_keys root
salt '*' ssh.auth_keys user=root
salt '*' ssh.auth_keys user="[user1, user2]"

salt.modules.ssh.check_key(user, key, enc, comment, options, config='.ssh/authorized_keys', cache_keys=None)¶

Check to see if a key needs updating, returns "update", "add" or "exists"

CLI Example:

salt '*' ssh.check_key <user> <key> <enc> <comment> <options>

salt.modules.ssh.check_key_file(user, source, config='.ssh/authorized_keys', saltenv='base', env=None)¶

Check a keyfile from a source destination against the local keys and return the keys to change

CLI Example:

salt '*' ssh.check_key_file root salt://ssh/keyfile

salt.modules.ssh.check_known_host(user=None, hostname=None, key=None, fingerprint=None, config=None)¶

Check the record in known_hosts file, either by its value or by fingerprint (it's enough to set up either key or fingerprint, you don't need to set up both).

If provided key or fingerprint doesn't match with stored value, return "update", if no value is found for a given host, return "add", otherwise return "exists".

If neither key, nor fingerprint is defined, then additional validation is not performed.

CLI Example:

salt '*' ssh.check_known_host <user> <hostname> key='AAAA...FAaQ=='

salt.modules.ssh.get_known_host(user, hostname, config=None)¶

Return information about known host from the configfile, if any. If there is no such key, return None.

CLI Example:

salt '*' ssh.get_known_host <user> <hostname>

salt.modules.ssh.hash_known_hosts(user=None, config=None)¶

Hash all the hostnames in the known hosts file.

New in version 2014.7.0.

CLI Example:

salt '*' ssh.hash_known_hosts

salt.modules.ssh.host_keys(keydir=None, private=True)¶

Return the minion's host keys

CLI Example:

salt '*' ssh.host_keys
salt '*' ssh.host_keys keydir=/etc/ssh
salt '*' ssh.host_keys keydir=/etc/ssh private=False

salt.modules.ssh.recv_known_host(hostname, enc=None, port=None, hash_hostname=False)¶

Retrieve information about host public key from remote server

CLI Example:

salt '*' ssh.recv_known_host <hostname> enc=<enc> port=<port>

salt.modules.ssh.rm_auth_key(user, key, config='.ssh/authorized_keys')¶

Remove an authorized key from the specified user's authorized key file

CLI Example:

salt '*' ssh.rm_auth_key <user> <key>

salt.modules.ssh.rm_auth_key_from_file(user, source, config='.ssh/authorized_keys', saltenv='base', env=None)¶

Remove an authorized key from the specified user's authorized key file, using a file as source

CLI Example:

salt '*' ssh.rm_auth_key_from_file <user> salt://ssh_keys/<user>.id_rsa.pub

salt.modules.ssh.rm_known_host(user=None, hostname=None, config=None)¶

Remove all keys belonging to hostname from a known_hosts file.

CLI Example:

salt '*' ssh.rm_known_host <user> <hostname>

salt.modules.ssh.set_auth_key(user, key, enc='ssh-rsa', comment='', options=None, config='.ssh/authorized_keys', cache_keys=None)¶

Add a key to the authorized_keys file. The "key" parameter must only be the string of text that is the encoded key. If the key begins with "ssh-rsa" or ends with user@host, remove those from the key before passing it to this function.

CLI Example:

salt '*' ssh.set_auth_key <user> '<key>' enc='dsa'

salt.modules.ssh.set_auth_key_from_file(user, source, config='.ssh/authorized_keys', saltenv='base', env=None)¶

Add a key to the authorized_keys file, using a file as the source.

CLI Example:

salt '*' ssh.set_auth_key_from_file <user> salt://ssh_keys/<user>.id_rsa.pub

salt.modules.ssh.set_known_host(user=None, hostname=None, fingerprint=None, key=None, port=None, enc=None, hash_hostname=True, config=None)¶

Download SSH public key from remote host "hostname", optionally validate its fingerprint against "fingerprint" variable and save the record in the known_hosts file.

If such a record does already exists in there, do nothing.

CLI Example:

salt '*' ssh.set_known_host <user> fingerprint='xx:xx:..:xx' enc='ssh-rsa' config='.ssh/known_hosts'

salt.modules.ssh.user_keys(user=None, pubfile=None, prvfile=None)¶

Return the user's ssh keys on the minion

New in version 2014.7.0.

CLI Example:

salt '*' ssh.user_keys
salt '*' ssh.user_keys user=user1
salt '*' ssh.user_keys user=user1 pubfile=/home/user1/.ssh/id_rsa.pub prvfile=/home/user1/.ssh/id_rsa
salt '*' ssh.user_keys user=user1 prvfile=False
salt '*' ssh.user_keys user="['user1','user2'] pubfile=id_rsa.pub prvfile=id_rsa

As you can see you can tell Salt not to read from the user's private (or public) key file by setting the file path to False. This can be useful to prevent Salt from publishing private data via Salt Mine or others.