salt-ssh provides a way to run salt remotely without it being installed on the destination system. This means, for example, that I can use it to manage my user’s dotfiles on the BlueBEAR HPC cluster.

Roster file

salt-ssh uses a roster file to map host identifiers to the hosts it should connect to. By default this file is /etc/salt/roster, and I have chosen to manage it with salt on the host I will be running salt from.

Connecting for the first time

When connecting to an SSH server for the first time, run salt-ssh with -i (--ignore-host-keys) to auto-accept the remote host key. This option disables StrictHostKeyChecking for that run.

Deploy the salt-ssh key for login

You can use ssh-copy-id (the OpenSSH key deployment tool) to deploy keys to your servers:

ssh-copy-id -i /etc/salt/pki/master/ssh/salt-ssh.rsa.pub user@server.demo.com

Or just copy the key from /etc/salt/pki/master/ssh/salt-ssh.rsa.pub into ~/.ssh/authorized_keys on the server manually.
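
The manual copy described above, written as a shell function to run on the destination server once salt-ssh.rsa.pub has been transferred there. This is an added example, not from the original post; the function name install_pubkey and its arguments are assumptions. It appends the key only once and sets the directory and file modes that sshd's StrictModes check expects.

```shell
# install_pubkey PUBKEY_FILE [HOME_DIR]   (hypothetical helper, not part of salt)
# Run on the destination server as the user salt-ssh will log in as.
install_pubkey() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    key=$(cat "$pubkey_file")

    # Accept exactly one OpenSSH public-key line; refuse a private key pasted by mistake.
    case $key in
        *PRIVATE\ KEY*) echo "refusing: looks like a private key" >&2; return 1 ;;
    esac
    [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] || { echo "expected one line" >&2; return 1; }
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key" >&2; return 1 ;;
    esac

    # Create ~/.ssh and authorized_keys without group/other access, then
    # tighten the modes in case they already existed with looser ones.
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 1
    chmod 700 "$ssh_dir" || return 1
    chmod 600 "$auth_file" || return 1

    # If the existing file lacks a trailing newline, add one so keys do not merge.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi

    # -x whole line, -F fixed string: append only if the key is not already there.
    if ! grep -qxF -- "$key" "$auth_file"; then
        printf '%s\n' "$key" >> "$auth_file"
    fi
}
```

On the server: install_pubkey ./salt-ssh.rsa.pub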