Salt-ssh via sshconfig roster
Oct 24, 2017
3 minute read


salt-ssh allows the use of salt modules and states without the need to run a master or masterless configuration on a server. It’s also a nice tool when you have to connect and thing commands across multiple instances.

Recently a friend of mine got his PR #42103 merged upstream into salt. This enables the sshconfig roster for salt-ssh so users can leverage an existing ssh config for targeting salt minions without needing a roster file. Unfortunately it hasn’t landed in an official release of salt-ssh but below I’ll cover how to install salt-ssh from the git develop branch on a FreeBSD 11.1 machine. Similar steps will work for a linux install. All that should be required is the substituting of the pkgng calls to align with the Linux distros package manager.


Install the required pkgng packages to get python and virtualenv:

su -  # We need to be root here
pkg install python27 py27-virtualenv git
exit  # Go back to normal user

Create a virtualenv with python2.7 interpreter and install the pip dependencies:

mkdir ~/.virtualenvs
virtualenv -p python2.7 ~/.virtualenvs/salt-ssh
. ~/.virtualenvs/salt-ssh/bin/activate
pip install jinja2 markupsafe msgpack-python pyyaml tornado

Note: Assumption that the user’s default shell its /bin/sh

Since the sshconfig roster has yet to land into the release we’ll need to install it from source into the virtualenv. At the time of writting this the commit ID was 33bf0e1 of the develop branch in salt:

git clone
cd salt
python --ssh-packaging install

The last thing we need to go is create the salt directory structure since it’d be better to run salt-ssh as a normal user vs root:

mkdir -p ~/salt-ssh/etc/salt
mkdir -p ~/salt-ssh/var/log/salt
cat << EOF > ~/salt-ssh/Saltfile
  config_dir: etc/salt/
cat << EOF > ~/salt-ssh/etc/salt/master
root_dir: .

Note: The above config might be overkill but this is due to issues with logging and cache dir overrides not working in the Saltfile in 33bf0e1

My example ~/.ssh/config looks like:

Host salty
    User rob
    Protocol 2
    IdentityFile ~/.ssh/id_rsa
Host salty2
    User rob
    Protocol 2
    IdentityFile ~/.ssh/id_rsa

Due to the new sshconfig roster you can now just start targeting minions:

(salt-ssh)$ salt-ssh --roster=sshconfig '*'



Giddy up! salt-ssh is now ready to go and do my bidding!


Python Missing From Target

The hosts that you are targeting with salt-ssh need to have python installed. If they don’t you’ll receive an error like this:

ERROR: salt requires python 2.6 or newer on target hosts, must have same major version as origin host

Wrong IdentityFile

salt-ssh by default will generate its own private key and store it in <config_dir>/etc/salt/pki/master/ssh/id_rsa. Just be explicit about which key you’d like to use in your ssh config (like I was above).