Merge branch 'master' into 'master'
add override_builtin parameter to handle the common authorized_key directory case riseup uses a common authorized_keys directory and this commit works around a bug in the puppet function that can't handle that. See the longer comment in the code. See merge request !15
This commit is contained in:
Jerome Charaoui
commit
0a2bca5167
1 changed files with 56 additions and 13 deletions
|
|
@ -5,7 +5,8 @@ define sshd::ssh_authorized_key(
|
||||||
$key = 'absent',
|
$key = 'absent',
|
||||||
$user = '',
|
$user = '',
|
||||||
$target = undef,
|
$target = undef,
|
||||||
$options = 'absent'
|
$options = 'absent',
|
||||||
|
$override_builtin = undef
|
||||||
){
|
){
|
||||||
|
|
||||||
if ($ensure=='present') and ($key=='absent') {
|
if ($ensure=='present') and ($key=='absent') {
|
||||||
|
|
@ -29,19 +30,61 @@ define sshd::ssh_authorized_key(
|
||||||
$real_target = $target
|
$real_target = $target
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
ssh_authorized_key{$name:
|
|
||||||
ensure => $ensure,
|
|
||||||
type => $type,
|
|
||||||
key => $key,
|
|
||||||
user => $real_user,
|
|
||||||
target => $real_target,
|
|
||||||
}
|
|
||||||
|
|
||||||
case $options {
|
# The ssh_authorized_key built-in function (in 2.7.23 at least)
|
||||||
'absent': { info("not setting any option for ssh_authorized_key: ${name}") }
|
# will not write an authorized_keys file for a mortal user to
|
||||||
default: {
|
# a directory they don't have write permission to, puppet attempts to
|
||||||
Ssh_authorized_key[$name]{
|
# create the file as the user specified with the user parameter and fails.
|
||||||
options => $options,
|
# Since ssh will refuse to use authorized_keys files not owned by the
|
||||||
|
# user, or in files/directories that allow other users to write, this
|
||||||
|
# behavior is deliberate in order to prevent typical non-working
|
||||||
|
# configurations. However, it also prevents the case of puppet, running
|
||||||
|
# as root, writing a file owned by a mortal user to a common
|
||||||
|
# authorized_keys directory such as one might specify in sshd_config with
|
||||||
|
# something like
|
||||||
|
# 'AuthorizedKeysFile /etc/ssh/authorized_keys/%u'
|
||||||
|
# So we provide a way to override the built-in and instead just install
|
||||||
|
# via a file resource. There is no additional security risk here, it's
|
||||||
|
# nothing a user can't already do by writing their own file resources,
|
||||||
|
# we still depend on the filesystem permissions to keep things safe.
|
||||||
|
if $override_builtin {
|
||||||
|
case $options {
|
||||||
|
'absent': {
|
||||||
|
info("not setting any option for ssh_authorized_key: ${name}")
|
||||||
|
|
||||||
|
file { '$real_target':
|
||||||
|
ensure => $ensure,
|
||||||
|
content => '$type $key',
|
||||||
|
owner => '$real_user',
|
||||||
|
mode => '0600';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
default: {
|
||||||
|
file { '$real_target':
|
||||||
|
ensure => $ensure,
|
||||||
|
content => '$options $type $key',
|
||||||
|
owner => '$real_user',
|
||||||
|
mode => '0600';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
ssh_authorized_key{$name:
|
||||||
|
ensure => $ensure,
|
||||||
|
type => $type,
|
||||||
|
key => $key,
|
||||||
|
user => $real_user,
|
||||||
|
target => $real_target,
|
||||||
|
}
|
||||||
|
|
||||||
|
case $options {
|
||||||
|
'absent': {
|
||||||
|
info("not setting any option for ssh_authorized_key: ${name}")
|
||||||
|
}
|
||||||
|
default: {
|
||||||
|
Ssh_authorized_key[$name]{
|
||||||
|
options => $options,
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue