Is there a way to install a private key for a user with cloud-init?



  • I have a user that needs to authenticate against a company source repository when using git clone. To set this up for the user I need to specify a user's private key (not the host private key in /etc). Is there a method to do this?

    The user is configured with https://cloudinit.readthedocs.io/en/latest/topics/examples.html?highlight=system_info#including-users-and-groups , which doesn't have a mechanism to install the user's private key.

    Note: Let's say you're provisioning a new machine and adding a user bob on it. How do you install a private key for bob such that he can authenticate with something using ssh?



  • Update

    Oops, don't do this. It was pointed out to me that this was wholly insecure, as curl http://169.254.169.254/latest/user-data will show any unprivileged user the private keys. The data gets saved as /run/cloud-init/instance-data.json.

    Original post

    There is no module to make this easier, and there is no argument under system_info (how you add and configure the user) to ease the ability to configure the user's SSH keys. The way I went about this was adding something like this in my main.tf to populate the variable ssh_keys_user

    ssh_keys_user = {
      write_files = [
        {
          path        = "/home/ecarroll/.ssh/id_rsa"
          content     = file("./ssh/user/cp-terraform-user-id_rsa")
          owner       = "ecarroll:ecarroll"
          permissions = "0600"
          defer       = true
        },
        {
          path        = "/home/ecarroll/.ssh/id_rsa.pub"
          content     = file("./ssh/user/cp-terraform-user-id_rsa.pub")
          owner       = "ecarroll:ecarroll"
          permissions = "0644"
          defer       = true
        },
        {
          path        = "/home/ecarroll/.ssh/id_ecdsa"
          content     = file("./ssh/user/cp-terraform-user-id_ecdsa")
          owner       = "ecarroll:ecarroll"
          permissions = "0600"
          defer       = true
        },
        {
          path        = "/home/ecarroll/.ssh/id_ecdsa.pub"
          content     = file("./ssh/user/cp-terraform-user-id_ecdsa.pub")
          owner       = "ecarroll:ecarroll"
          permissions = "0644"
          defer       = true
        },
        {
          path        = "/home/ecarroll/.ssh/id_ed25519"
          content     = file("./ssh/user/cp-terraform-user-id_ed25519")
          owner       = "ecarroll:ecarroll"
          permissions = "0600"
          defer       = true
        },
        {
          path        = "/home/ecarroll/.ssh/id_ed25519.pub"
          content     = file("./ssh/user/cp-terraform-user-id_ed25519.pub")
          owner       = "ecarroll:ecarroll"
          permissions = "0644"
          defer       = true
        }
      ]
    }
    

    Then what I did was wire it into my cloud-init like this,

    write_files:
    ${ yamlencode( ssh_keys_user.write_files ) }
    

    I generated these files with a Makefile like this,

    user/cp-terraform-user-id_ecdsa:
            -mkdir user 2> /dev/null;
            ssh-keygen -C "User key for SSH authentication to repos" -N "" -b 521 -t ecdsa -f "$@";
            touch "$@";
    

    user/cp-terraform-user-id_ed25519:
            -mkdir user 2> /dev/null;
            ssh-keygen -C "User key for SSH authentication to repos" -N "" -t ed25519 -f "$@";
            touch "$@";

    user/cp-terraform-user-id_rsa:
            -mkdir user 2> /dev/null;
            ssh-keygen -C "User key for SSH authentication to repos" -N "" -b 4096 -t rsa -f "$@";
            touch "$@";

    This works fine. Then I just added the .pub files to BitBucket and GitLab.
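
A pre-deploy check for the exposure described in the update, added here as an example and not part of the original answer: it scans rendered cloud-init user-data for private key material in write_files content, whether plaintext or encoded with b64 or gz+b64. The function names, the /home/bob paths and the sample document are assumptions constructed for illustration.

```python
import base64
import gzip
import re
import zlib

# Header that starts every private key file ssh-keygen writes (OpenSSH or PEM).
KEY_MARKER = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Long base64 runs: candidate write_files content with encoding b64 or gz+b64.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Constructed placeholder, not a real key.
FAKE_KEY = ("-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n"
            "-----END OPENSSH PRIVATE KEY-----\n")

def _decode(blob):
    """Base64-decode blob, gunzipping if compressed; None when it is neither."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return gzip.decompress(raw) if raw[:2] == b"\x1f\x8b" else raw
    except (ValueError, OSError, EOFError, zlib.error):
        return None

def find_private_keys(user_data):
    """Return (line_number, 'plaintext' | 'encoded') for each private key found."""
    hits = []
    for number, line in enumerate(user_data.splitlines(), start=1):
        if KEY_MARKER.search(line.encode()):
            hits.append((number, "plaintext"))
            continue
        for run in B64_RUN.findall(line):
            decoded = _decode(run)
            if decoded and KEY_MARKER.search(decoded):
                hits.append((number, "encoded"))
                break
    return hits

def build_sample():
    """Constructed user-data: a public key, a plaintext key and a gz+b64 key."""
    packed = base64.b64encode(gzip.compress(FAKE_KEY.encode())).decode()
    return "\n".join([
        "#cloud-config", "write_files:",
        "- path: /home/bob/.ssh/id_ed25519.pub",
        "  content: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPublicKeyOnly bob",
        "- path: /home/bob/.ssh/id_ed25519", "  content: |",
        *("    " + row for row in FAKE_KEY.splitlines()),
        "- path: /home/bob/.ssh/id_rsa", "  encoding: gz+b64",
        "  content: " + packed])

if __name__ == "__main__":
    print(find_private_keys(build_sample()))
```

Run it against the rendered user-data before applying the plan and fail the pipeline on any hit; public keys such as the .pub entries are not flagged.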



