Passphrase-less ssh keys on a puppet master?

Question

Our puppet code lives on github, so we pull to the puppet master.

But our github repository is private. Is standard (best) practice to give the puppet master ssh keys to github without passphrase (what github calls a deploy key)? Can/should I do better?

No, not using r10k. That seemed like overkill for < 10 hosts. — jma, Feb 15 '16 at 14:59

score 1 · Accepted Answer · answered Feb 22 '16 at 12:48

1

Through conversations with colleagues, it appears that the answer is two things:

Github deployment keys are usually the way to go. In addition, they can be made to provide read-only access if desired. They also limit access to a single repository.
Yes, the private key has to go on my host, since github necessarily has the public key. At some level, we have to trust security on our own hosts (although the trust should be calculated, controlled, continuously reviewed, and limited in case of intrusion).

answered Feb 22 '16 at 12:48

jma

425
6
16

I wonder if you ever uncovered a better solution than this. – Jean-Paul Calderone Jan 24 '18 at 01:03
@Jean-PaulCalderone This is still how we do it. I haven't learned of better. – jma Jan 24 '18 at 20:36

Passphrase-less ssh keys on a puppet master?

1 Answers1