module-sshd/manifests/ssh_authorized_key.pp

# wrapper to have some defaults.
define sshd::ssh_authorized_key(
    $ensure = 'present',
    $type = 'ssh-dss',
    $key = 'absent',
    $user = '',
    $target = undef,
    $options = 'absent',
    $override_builtin = undef
){

  if ($ensure=='present') and ($key=='absent') {
    fail("You have to set \$key for Sshd::Ssh_authorized_key[${name}]!")
  }

  $real_user = $user ? {
    false   => $name,
    ''      => $name,
    default => $user,
  }

  case $target {
    undef,'': {
      case $real_user {
        'root': { $real_target = '/root/.ssh/authorized_keys' }
        default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" }
      }
    }
    default: {
      $real_target = $target
    }
  }

  # The ssh_authorized_key built-in function (in 2.7.23 at least)
  # will not write an authorized_keys file for a mortal user to
  # a directory they don't have write permission to, puppet attempts to
  # create the file as the user specified with the user parameter and fails.
  # Since ssh will refuse to use authorized_keys files not owned by the
  # user, or in files/directories that allow other users to write, this
  # behavior is deliberate in order to prevent typical non-working
  # configurations. However, it also prevents the case of puppet, running
  # as root, writing a file owned by a mortal user to a common
  # authorized_keys directory such as one might specify in sshd_config with
  # something like
  #  'AuthorizedKeysFile /etc/ssh/authorized_keys/%u'
  # So we provide a way to override the built-in and instead just install
  # via a file resource. There is no additional security risk here, it's
  # nothing a user can't already do by writing their own file resources,
  # we still depend on the filesystem permissions to keep things safe.
  if $override_builtin {
    $header = "# HEADER: This file is managed by Puppet.\n"

    if $options == 'absent' {
      info("not setting any option for ssh_authorized_key: ${name}")
      $content = "${header}${type} ${key}\n"
    } else {
      $content = "${header}${options} ${type} ${key}\n"
    }

    file { $real_target:
      ensure  => $ensure,
      content => $content,
      owner   => $real_user,
      mode    => '0600',
    }

  } else {

    if $options == 'absent' {
      info("not setting any option for ssh_authorized_key: ${name}")
    } else {
      $real_options = $options
    }

    ssh_authorized_key{$name:
      ensure  => $ensure,
      type    => $type,
      key     => $key,
      user    => $real_user,
      target  => $real_target,
      options => $real_options,
    }
  }

}
factor everything into its own file 2009-09-29 19:53:04 +02:00			`# wrapper to have some defaults.`
			`define sshd::ssh_authorized_key(`
enable that ssh auth-keys can be removed 2009-12-18 18:36:05 +01:00			`$ensure = 'present',`
factor everything into its own file 2009-09-29 19:53:04 +02:00			`$type = 'ssh-dss',`
make key removal a bit easier 2009-12-18 19:06:43 +01:00			`$key = 'absent',`
ssh_authorized_key: use $name for user by default Currently ssh_authorized_key has some logic about $user being false or '', but it sets its value to default to 'root'. So, in order to use the name as the user's name, one has to clear the user parameter, which is totally redundant. Since it is sometimes useful to publish multiple keys for a user, the $user parameter is useful. To make using ssh_authorized_key for one-key normal users simpler, make $user default to being empty (which will use $name as the user name). 'root' can always be specified either via the name or by the $user paramter. Signed-off-by: Gabriel Filion <lelutin@gmail.com> 2011-01-20 08:25:32 +01:00			`$user = '',`
merged with riseup module, various cleaning up 2009-12-10 23:15:07 +01:00			`$target = undef,`
add override_builtin parameter to handle the common authorized_key directory case 2015-05-20 23:55:09 +02:00			`$options = 'absent',`
			`$override_builtin = undef`
factor everything into its own file 2009-09-29 19:53:04 +02:00			`){`

make key removal a bit easier 2009-12-18 19:06:43 +01:00			`if ($ensure=='present') and ($key=='absent') {`
			`fail("You have to set \$key for Sshd::Ssh_authorized_key[${name}]!")`
			`}`

merged with riseup module, various cleaning up 2009-12-10 23:15:07 +01:00			`$real_user = $user ? {`
style fixes silence puppet-lint 2013-02-03 00:30:54 +01:00			`false => $name,`
			`'' => $name,`
merged with riseup module, various cleaning up 2009-12-10 23:15:07 +01:00			`default => $user,`
			`}`

			`case $target {`
undef or '' as default 2009-12-10 23:34:57 +01:00			`undef,'': {`
			`case $real_user {`
merged with riseup module, various cleaning up 2009-12-10 23:15:07 +01:00			`'root': { $real_target = '/root/.ssh/authorized_keys' }`
Fix ssh_authorized_key When one uses the $name to define the user that should receive an SSH key, setting $user to a negative value, ssh_authorized_key currently creates the authorized_keys file under /home/.ssh/authorized_keys Fix this by changing ${user} to ${real_user} in the key's path. Signed-off-by: Gabriel Filion <lelutin@gmail.com> 2011-01-20 02:45:59 +01:00			`default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" }`
merged with riseup module, various cleaning up 2009-12-10 23:15:07 +01:00			`}`
factor everything into its own file 2009-09-29 19:53:04 +02:00			`}`
merged with riseup module, various cleaning up 2009-12-10 23:15:07 +01:00			`default: {`
			`$real_target = $target`
factor everything into its own file 2009-09-29 19:53:04 +02:00			`}`
merged with riseup module, various cleaning up 2009-12-10 23:15:07 +01:00			`}`
factor everything into its own file 2009-09-29 19:53:04 +02:00
add override_builtin parameter to handle the common authorized_key directory case 2015-05-20 23:55:09 +02:00			`# The ssh_authorized_key built-in function (in 2.7.23 at least)`
			`# will not write an authorized_keys file for a mortal user to`
			`# a directory they don't have write permission to, puppet attempts to`
			`# create the file as the user specified with the user parameter and fails.`
			`# Since ssh will refuse to use authorized_keys files not owned by the`
			`# user, or in files/directories that allow other users to write, this`
			`# behavior is deliberate in order to prevent typical non-working`
			`# configurations. However, it also prevents the case of puppet, running`
			`# as root, writing a file owned by a mortal user to a common`
			`# authorized_keys directory such as one might specify in sshd_config with`
			`# something like`
			`# 'AuthorizedKeysFile /etc/ssh/authorized_keys/%u'`
			`# So we provide a way to override the built-in and instead just install`
			`# via a file resource. There is no additional security risk here, it's`
			`# nothing a user can't already do by writing their own file resources,`
			`# we still depend on the filesystem permissions to keep things safe.`
			`if $override_builtin {`
Simplify ssh_authorized_key 2015-05-21 19:19:40 +02:00			`$header = "# HEADER: This file is managed by Puppet.\n"`
add override_builtin parameter to handle the common authorized_key directory case 2015-05-20 23:55:09 +02:00
Simplify ssh_authorized_key 2015-05-21 19:19:40 +02:00			`if $options == 'absent' {`
			`info("not setting any option for ssh_authorized_key: ${name}")`
Add newline to ssh_authorized_key file content 2015-05-21 19:20:38 +02:00			`$content = "${header}${type} ${key}\n"`
Simplify ssh_authorized_key 2015-05-21 19:19:40 +02:00			`} else {`
Add newline to ssh_authorized_key file content 2015-05-21 19:20:38 +02:00			`$content = "${header}${options} ${type} ${key}\n"`
Simplify ssh_authorized_key 2015-05-21 19:19:40 +02:00			`}`

			`file { $real_target:`
			`ensure => $ensure,`
			`content => $content,`
			`owner => $real_user,`
			`mode => '0600',`
add override_builtin parameter to handle the common authorized_key directory case 2015-05-20 23:55:09 +02:00			`}`
Simplify ssh_authorized_key 2015-05-21 19:19:40 +02:00
add override_builtin parameter to handle the common authorized_key directory case 2015-05-20 23:55:09 +02:00			`} else {`
Simplify ssh_authorized_key 2015-05-21 19:19:40 +02:00
			`if $options == 'absent' {`
			`info("not setting any option for ssh_authorized_key: ${name}")`
			`} else {`
			`$real_options = $options`
add override_builtin parameter to handle the common authorized_key directory case 2015-05-20 23:55:09 +02:00			`}`

Simplify ssh_authorized_key 2015-05-21 19:19:40 +02:00			`ssh_authorized_key{$name:`
			`ensure => $ensure,`
			`type => $type,`
			`key => $key,`
			`user => $real_user,`
			`target => $real_target,`
			`options => $real_options,`
Revert "Simplify ssh_authorized_key" puppet-lint complains about "selector inside resource" This reverts commit f3c0115743cab9d4e6c08b654b67631566572d41. 2015-05-21 19:12:18 +02:00			`}`
merged with riseup module, various cleaning up 2009-12-10 23:15:07 +01:00			`}`
Simplify ssh_authorized_key 2015-05-21 19:19:40 +02:00
factor everything into its own file 2009-09-29 19:53:04 +02:00			`}`