SSH Authorized Keys Cookbook


Chef cookbook to create SSH authorized keys files in user home directories.

It tries to avoid generating a corrupt authorized_keys file, which could lock you out of the server.


Supported Platforms

This cookbook has been tested on the following platforms:

  • AIX
  • Amazon Linux
  • Debian
  • CentOS
  • Fedora
  • FreeBSD
  • openSUSE
  • RedHat
  • SUSE
  • Ubuntu

Please let us know if you use it successfully on any other platform.

Required Applications

  • Chef 12 or higher.
  • Ruby 2.3 or higher.

Definitions

ssh_authorize_key

Authorize a key for public key authentication using SSH.

Warning: This definition uses the Accumulator Pattern. This implies that any SSH key added using other methods (such as keys added by hand) will be deleted.

ssh_authorize_key Properties

| Property | Default | Description |
| --- | --- | --- |
| `user` | `nil` | System user (required). |
| `group` | `user` | System group. |
| `home` | calculated | System user home path. |
| `key` | `nil` | SSH public key in base64 (required). |
| `keytype` | `'ssh-rsa'` | SSH key type. |
| `comment` | definition name | SSH key comment. |
| `options` | `nil` | SSH key options as a hash. |
| `validate_key` | `true` | Enable or disable key validation (`assert_key`). |

Usage Examples

First of all, don’t forget to include the ssh_authorized_keys cookbook as a dependency in the cookbook metadata:

```ruby
# metadata.rb
# [...]

depends 'ssh_authorized_keys'
```

You can use the ssh_authorize_key definition to authorize SSH public keys for SSH public key authentication:

```ruby
# Bob is the admin here.
ssh_authorize_key '[email protected]' do
  key 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCctNyRouVDhzjiP[...]'
  user 'root'
end

ssh_authorize_key '[email protected]' do
  key 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCySLKbpFRGCrKU/[...]'
  user 'alice'
end
```

Setting the SSH Key Options Field

You can set the options field as follows:

```ruby
# As the root user by default in Ubuntu:
ssh_authorize_key '[email protected]' do
  key 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCctNyRouVDhzjiP[...]'
  user 'root'
  options(
    'no-port-forwarding' => true,
    'no-agent-forwarding' => true,
    'no-X11-forwarding' => true,
    command: 'echo \'Please login as the user "bob" rather than the user "root".\''\
             ';echo;sleep 10'
  )
end
```
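The properties table above and the options example show what the definition has to produce for each key: a base64 key body that is actually valid (the `validate_key` property), a key type from the allowed list, and an options field that OpenSSH will parse. The following is an added, stand-alone Ruby example, not the cookbook's own code or template: `valid_ssh_key?`, `render_options` and `authorized_key_line` are assumed names, the allowed key type list is hard-coded because there is no Chef node object here, and the sample key is a constructed blob with the right shape rather than a real key. The validation is an assumed stand-in for the cookbook's `assert_key`, which may check more or less than this.

```ruby
require 'base64'

# Key types this example accepts. The cookbook derives its own list from
# node['ssh_authorized_keys']['keytypes']; this stand-alone code has no node.
ALLOWED_KEYTYPES = %w[ssh-rsa ssh-ed25519 ecdsa-sha2-nistp256 ssh-dss].freeze

# Return true when `key` is strict base64 and decodes to an SSH public key blob
# whose first length-prefixed field names `keytype`. A truncated key (such as
# the "[...]" placeholders in the README) fails here instead of reaching the file.
def valid_ssh_key?(keytype, key)
  return false unless ALLOWED_KEYTYPES.include?(keytype)
  return false unless key.is_a?(String) && key.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z})
  blob = Base64.strict_decode64(key)
  return false if blob.bytesize < 4
  len = blob.byteslice(0, 4).unpack1('N') # uint32, big-endian, per the SSH wire format
  return false if blob.bytesize < 4 + len
  blob.byteslice(4, len) == keytype
rescue ArgumentError # strict_decode64 rejects bad length or padding
  false
end

# Render the options field from a hash: a true value becomes a bare flag, a
# string becomes name="value" with embedded double quotes backslash-escaped
# (the quoting OpenSSH expects), and false/nil values are left out.
def render_options(options)
  return nil if options.nil? || options.empty?
  parts = options.map do |name, value|
    case value
    when true then name.to_s
    when false, nil then nil
    else %(#{name}="#{value.to_s.gsub('"') { '\"' }}")
    end
  end.compact
  parts.empty? ? nil : parts.join(',')
end

# Build one authorized_keys line with the same property names as the definition.
def authorized_key_line(key:, user:, keytype: 'ssh-rsa', comment: nil, options: nil, validate_key: true)
  if validate_key && !valid_ssh_key?(keytype, key)
    raise ArgumentError, "invalid #{keytype} key for user #{user}"
  end
  [render_options(options), keytype, key, comment].compact.join(' ')
end

# Constructed sample: a syntactically valid ssh-rsa blob (exponent 65537 and a
# one-byte "modulus"). It parses, but it is not a usable key.
SAMPLE_KEY = Base64.strict_encode64(
  "\x00\x00\x00\x07ssh-rsa" \
  "\x00\x00\x00\x03\x01\x00\x01" \
  "\x00\x00\x00\x01\x05"
)

# The options hash from the README example above.
SAMPLE_OPTIONS = {
  'no-port-forwarding' => true,
  'no-agent-forwarding' => true,
  'no-X11-forwarding' => true,
  command: 'echo \'Please login as the user "bob" rather than the user "root".\'' \
           ';echo;sleep 10'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts authorized_key_line(key: SAMPLE_KEY, user: 'root',
                           comment: 'bob@example.com', options: SAMPLE_OPTIONS)
end
```

Running the file prints a line of the form `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"bob\" ...'" ssh-rsa AAAA... bob@example.com`; the escaped quotes inside the `command` value are what keeps a restricted key from corrupting the rest of the file.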

Reading the Keys from a Data Bag

For example, from the following data bag item:

```json
{
  "id": "users",
  "[email protected]": {
    "key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQCctNyRouVDhzjiP[...]",
    "user": "root"
  },
  "[email protected]": {
    "key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQCySLKbpFRGCrKU/[...]",
    "user": "alice"
  }
}
```

You can read the data bag item from a recipe as follows:

```ruby
users = data_bag_item('ssh', 'users')
users.delete('id')

users.each do |name, ssh_key|
  ssh_authorize_key name do
    key ssh_key['key']
    user ssh_key['user']
  end
end
```

See the data bags DSL documentation for a more detailed explanation and the data bags knife documentation to learn how to create a data bag.
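Because the definition uses the Accumulator Pattern (see the warning above), the data bag is effectively the complete list of keys for every user it mentions: after a Chef run, a user's authorized_keys contains exactly the keys declared for that user and nothing else. The following added example, which is not part of the cookbook, makes that visible without Chef: it parses a constructed data bag item in the README's shape, groups the keys by system user, renders each user's full file and reports which lines of a pre-existing file would disappear. `keys_by_user`, `render_authorized_keys`, `lines_lost` and `demo` are names chosen here, the email addresses and key bodies are constructed placeholders, and the rendering is a plain `keytype key comment` line without the options field.

```ruby
require 'json'

# Constructed data bag item in the shape the README shows. The key bodies are
# placeholders; the third entry declares a second key for root with a non-default
# keytype, which is an assumed extension of the README's item.
DATA_BAG_ITEM_JSON = <<~JSON
  {
    "id": "users",
    "bob@example.com":   { "key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQCctNyRouVDhzjiP", "user": "root" },
    "alice@example.com": { "key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQCySLKbpFRGCrKU", "user": "alice" },
    "carol@example.com": { "key": "AAAAC3NzaC1lZDI1NTE5AAAAIGzJ9WqN8", "user": "root", "keytype": "ssh-ed25519" }
  }
JSON

# Group the declared keys by system user, dropping the data bag "id" field.
# Result: { "root" => [[keytype, key, comment], ...], "alice" => [...] }
def keys_by_user(item)
  item.reject { |name, _| name == 'id' }
      .group_by { |_, entry| entry['user'] }
      .transform_values do |pairs|
        pairs.map { |name, entry| [entry.fetch('keytype', 'ssh-rsa'), entry.fetch('key'), name] }
      end
end

# Render the complete authorized_keys content for one user from the declared
# keys only; the current content of the file never contributes.
def render_authorized_keys(declared)
  declared.map { |keytype, key, comment| "#{keytype} #{key} #{comment}" }.join("\n") + "\n"
end

# Lines of an existing file that would no longer be present after convergence.
def lines_lost(existing_content, new_content)
  existing_content.lines.map(&:chomp).reject(&:empty?) - new_content.lines.map(&:chomp)
end

# Constructed current content of /root/.ssh/authorized_keys: bob's declared key
# plus one key that someone appended by hand.
EXISTING_ROOT_FILE =
  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCctNyRouVDhzjiP bob@example.com\n" \
  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHANDADDEDKEY dave@laptop\n"

# Show which lines root would lose once the data bag is the only source of keys.
def demo
  item = JSON.parse(DATA_BAG_ITEM_JSON)
  root_content = render_authorized_keys(keys_by_user(item).fetch('root'))
  lines_lost(EXISTING_ROOT_FILE, root_content)
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |line| puts "would be removed: #{line}" }
end
```

The hand-added `dave@laptop` line is the one reported, which is exactly what the warning above describes: a key that should survive a Chef run has to be declared in the data bag (or in a recipe), not appended to the file.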

Attributes

These attributes are primarily intended to support the different platforms. Do not touch them unless you know what you are doing.

| Attribute | Default | Description |
| --- | --- | --- |
| `node['ssh_authorized_keys']['keytypes']` | calculated | Allowed SSH key types. |


Testing

ChefSpec Tests

To create ChefSpec tests for the ssh_authorize_key definition, you can use the render_file matcher to check the authorized_keys file content:

```ruby
it 'allows bob to login as root' do
  expect(chef_run).to render_file('/root/.ssh/authorized_keys')
    .with_content(/^ssh-rsa [A-Za-z0-9+\/=]+ [email protected]\.com$/)
end
```

You can also test against the internal template:

```ruby
it 'creates ~bob/.ssh/authorized_keys file' do
  expect(chef_run).to create_template('/home/bob/.ssh/authorized_keys')
end
```


Please do not hesitate to open an issue with any questions or problems.




License and Author

Author: Raul Rodriguez ([email protected])
Author: Xabier de Zuazo ([email protected])
Contributor: Ong Ming Yang
Contributor: MVNW
Contributor: Anthony Caiafa
Copyright: Copyright (c) 2015-2016, Xabier de Zuazo
Copyright: Copyright (c) 2015, Onddo Labs, SL.
License: Apache License, Version 2.0
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.