Forge Home


Generate user SSH keys on nodes and make public keys available as facts.


7,042 latest version

3.7 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.0.0 (latest)
  • 0.2.2
  • 0.2.1
  • 0.2.0
  • 0.1.0
released Oct 24th 2016
This version is compatible with:
  • Puppet Enterprise 3.x
  • Puppet >=3.0.0 <5.0.0
  • , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'wcooley-user_ssh_pubkey', '1.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add wcooley-user_ssh_pubkey
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install wcooley-user_ssh_pubkey --version 1.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



wcooley/user_ssh_pubkey — version 1.0.0 Oct 24th 2016

Puppet module: user_ssh_pubkey


Generate user SSH keys on nodes and make public keys available as facts. These facts can then be collected as exported resources to populate ssh_authorized_key resources.

Note that, with this workflow, the agent will have to run twice before the keys are available -- facts are collected before resources are created, so the first time through the keypair will be generated and the second time the public key will be available as a fact.

Note, that, also populating the user_ssh_pubkey external fact is (currently) unimplemented.


Facts with the following formats are created, which correspond with the parameters for the ssh_authorized_key type:

  • <username>_ssh(rsa|dsa|ecdsa|ed25519)key
  • <username>_ssh(rsa|dsa|ecdsa|ed25519)key_comment
  • <username>_ssh(rsa|dsa|ecdsa|ed25519)key_type

The list of users whose public keys are to be collected as facts is configured by the user_ssh_pubkey fact, which can be set using external facts. For example:

$ cat /etc/facter/facts.d/user_ssh_pubkey.yaml
user_ssh_pubkey: jensenb,alice,bob


Type user_ssh_pubkey can be used to generate DSA or RSA keys on nodes. Parameters are consistent with parameters for ssh_authorized_key where possible.

Currently this is implemented as a Puppet defined type, which results in an exec type which runs ssh-keygen.

Keys are generated with null passphrases.


  • name The SSH key comment. Ideally this would be something like "$user/ssh-$type@$::fqdn"; if so, the user and type parameters can be left unspecified.

  • user namevar The user in whose home directory to create the key.

  • target The absolute filename base to store the private and public keys in. This parameter should generally be avoided, as it breaks the facts.

  • type The key type: "dsa", "rsa", "ecdsa", "ed25519". Note that semantics of this parameter are different from the *_type fact and "type" parameter for ssh_authorized_key.

  • user The user account in which the SSH key should be generated.

  • bits The number of bits in the key. See ssh-keygen(1) for limits.


For the source or client node, generate an SSH key, collect the fact and create an exported ssh_authorized_key resource:

user_ssh_pubkey { "repocloner/ssh-rsa@${::fqdn}": }

file { '/etc/facter/facts.d/user_ssh_pubkey.txt':
  ensure  => present,
  content => "user_ssh_pubkey=repocloner\n",
  owner   => 'root',
  group   => 'root',
  mode    => '0644',

if $::repocloner_sshrsakey {
  @@ssh_authorized_key { $::repocloner_sshrsakey_comment:
    ensure => present,
    key    => $::repocloner_sshrsakey,
    user   => 'repocloner',
    type   => $::repocloner_sshrsakey_type,
    tag    => [ 'repocloner-ssh-key' ],

If the client node's name is used in the name (comment) of the user_ssh_pubkey, then exported resources from multiple client nodes can be generated.

For the target or server node, collect the exported resource:

Ssh_authorized_key <<| tag == 'repocloner-ssh-key' |>>

One could also use user parameter instead of a tag for selecting the exported resources instead of a tag.


Apache 2.0


Wil Cooley <wcooley(at)>


Please log tickets and issues at our Github issues.