Home Explore Help
Register Sign In
opuppet
/
module-sshd
6
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: b3e81589ee
Branches Tags
module-sshd
/
manifests
/
ssh_authorized_key.pp

ssh_authorized_key.pp 2.5 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485 
  1. # wrapper to have some defaults.
    2. 

  2. define sshd::ssh_authorized_key(
    3. 

  3.     $ensure = 'present',
    4. 

  4.     $type = 'ssh-dss',
    5. 

  5.     $key = 'absent',
    6. 

  6.     $user = '',
    7. 

  7.     $target = undef,
    8. 

  8.     $options = 'absent',
    9. 

  9.     $override_builtin = undef
    10. 

  10. ){
    11. 

  11. 

  12.   if ($ensure=='present') and ($key=='absent') {
    13. 

  13.     fail("You have to set \$key for Sshd::Ssh_authorized_key[${name}]!")
    14. 

  14.   }
    15. 

  15. 

  16.   $real_user = $user ? {
    17. 

  17.     false   => $name,
    18. 

  18.     ''      => $name,
    19. 

  19.     default => $user,
    20. 

  20.   }
    21. 

  21. 

  22.   case $target {
    23. 

  23.     undef,'': {
    24. 

  24.       case $real_user {
    25. 

  25.         'root': { $real_target = '/root/.ssh/authorized_keys' }
    26. 

  26.         default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" }
    27. 

  27.       }
    28. 

  28.     }
    29. 

  29.     default: {
    30. 

  30.       $real_target = $target
    31. 

  31.     }
    32. 

  32.   }
    33. 

  33. 

  34.   # The ssh_authorized_key built-in function (in 2.7.23 at least)
    35. 

  35.   # will not write an authorized_keys file for a mortal user to
    36. 

  36.   # a directory they don't have write permission to, puppet attempts to
    37. 

  37.   # create the file as the user specified with the user parameter and fails.
    38. 

  38.   # Since ssh will refuse to use authorized_keys files not owned by the
    39. 

  39.   # user, or in files/directories that allow other users to write, this
    40. 

  40.   # behavior is deliberate in order to prevent typical non-working
    41. 

  41.   # configurations. However, it also prevents the case of puppet, running
    42. 

  42.   # as root, writing a file owned by a mortal user to a common
    43. 

  43.   # authorized_keys directory such as one might specify in sshd_config with
    44. 

  44.   # something like
    45. 

  45.   #  'AuthorizedKeysFile /etc/ssh/authorized_keys/%u'
    46. 

  46.   # So we provide a way to override the built-in and instead just install
    47. 

  47.   # via a file resource. There is no additional security risk here, it's
    48. 

  48.   # nothing a user can't already do by writing their own file resources,
    49. 

  49.   # we still depend on the filesystem permissions to keep things safe.
    50. 

  50.   if $override_builtin {
    51. 

  51.     $header = "# HEADER: This file is managed by Puppet.\n"
    52. 

  52. 

  53.     if $options == 'absent' {
    54. 

  54.       info("not setting any option for ssh_authorized_key: ${name}")
    55. 

  55.       $content = "${header}${type} ${key}\n"
    56. 

  56.     } else {
    57. 

  57.       $content = "${header}${options} ${type} ${key}\n"
    58. 

  58.     }
    59. 

  59. 

  60.     file { $real_target:
    61. 

  61.       ensure  => $ensure,
    62. 

  62.       content => $content,
    63. 

  63.       owner   => $real_user,
    64. 

  64.       mode    => '0600',
    65. 

  65.     }
    66. 

  66. 

  67.   } else {
    68. 

  68. 

  69.     if $options == 'absent' {
    70. 

  70.       info("not setting any option for ssh_authorized_key: ${name}")
    71. 

  71.     } else {
    72. 

  72.       $real_options = $options
    73. 

  73.     }
    74. 

  74. 

  75.     ssh_authorized_key{$name:
    76. 

  76.       ensure  => $ensure,
    77. 

  77.       type    => $type,
    78. 

  78.       key     => $key,
    79. 

  79.       user    => $real_user,
    80. 

  80.       target  => $real_target,
    81. 

  81.       options => $real_options,
    82. 

  82.     }
    83. 

  83.   }
    84. 

  84. 

  85. }
    86.