Forge Home


ssh key generaton and distribution with puppet


5,877 latest version

3.2 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.1.1 (latest)
  • 1.1.0
  • 1.0.1
  • 1.0.0
  • 0.3.2
  • 0.3.1
  • 0.3.0
  • 0.2.0
  • 0.1.1
  • 0.1.0
released Oct 25th 2018
This version is compatible with:
  • , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'geoffwilliams-sshkeys', '1.1.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add geoffwilliams-sshkeys
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install geoffwilliams-sshkeys --version 1.1.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



geoffwilliams/sshkeys — version 1.1.1 Oct 25th 2018


Build Status

Table of Contents

  1. Description
  2. Features
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module


Provides several methods for generation, distribution and authorization of SSH keys


Per-user management of:

  • ~/.ssh
  • ~/.ssh/id_rsa
  • ~/.ssh/
  • ~/.ssh/known_hosts
  • ~/.ssh/authorized_keys
  • ~/.ssh/some_other_key (sshkeys::install_keypair only)
  • ~/.ssh/ (sshkeys::install_keypair only)


There are two methods of operation (consult REFERENCE for detailed instructions):

Manual management

Create files with known data sourced from Puppet (Hiera, files from modules, etc):

  • sshkeys::manual

Suggested uses:

  • Distributing known keys for sysadmins
  • Enabling logins from applications using a known key


Generate files as needed (will be stored on the Puppet Master in /etc/puppetlabs/puppetserver/sshkeys):

  • sshkeys::authorize
  • sshkeys::install_keypair
  • sshkeys::known_host

Suggested uses:

  • SSH being used as a transport mechanism where the value of the key itself is immaterial and limited in scope, with all parties under puppet control. A good example of this would be rsync between puppet nodes and this is what the module was originally written for.


Since SSH keys are stored on the master when using generation methods, this weakens security somewhat vs how PKIs are intended to work. This can be mitigated by applying the principle of least privilege to accounts that use keys in this way. Also if your Puppet Master is compromised, its game over anyway. Be sure your comfortable with this before using.

Note SSH Keys are read from and generated on the Puppet Master using the sshkeys::sshkey function that ships with this module. When running Puppet in apply mode, the user running the function will normally be root however in agent mode the user would be pe-puppet or equivalent. This prevents us creating files in /etc as pe-puppet has no ability to write there. Instead, we create our own directory at /etc/puppetlabs/puppetserver/sshkeys. Since /etc/puppetlabs/puppetserver is writable by pe-puppet, we are able to write files to this location.

Setup Requirements

  • Requires all SSH packages are already installed


  • Tested on Debian and Ubuntu
  • If generation is used, SSH keys will be stored on the master
  • Only one copy of a given key can be installed per-node when using sshkeys::install_keypair


PRs accepted :)


This module supports testing using PDQTest.

Test can be executed with:

bundle install

See .travis.yml for a working CI example