author | elijah <elijah@riseup.net> | 2014-03-13 00:57:44 -0700 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2014-03-13 00:57:44 -0700 |
commit | 82a1295f3a41ace4be6398945dd53e9c300a6d11 (patch) | |
tree | 8d8f969ad1468c32f9fe4eb1ac5acbf950a7e7cb /lib/leap_cli/remote | |
parent | 4e7e6b8dfe6363469f700260cf191a6fca6c202e (diff) |
various ssh key fixes (REQUIRES rebuilding vagrant nodes).
Diffstat (limited to 'lib/leap_cli/remote')
-rw-r--r-- | lib/leap_cli/remote/tasks.rb | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/lib/leap_cli/remote/tasks.rb b/lib/leap_cli/remote/tasks.rb
index 5b0418a..9f24599 100644
--- a/lib/leap_cli/remote/tasks.rb
+++ b/lib/leap_cli/remote/tasks.rb
@@ -12,6 +12,30 @@ task :install_authorized_keys, :max_hosts => MAX_HOSTS do
 end
 end
 
+#
+# for vagrant nodes, we don't overwrite authorized_keys, because we want to keep the insecure vagrant key.
+# instead we install to authorized_keys2, which is also used by sshd.
+#
+# why?
+# without it, it might be impossible to re-initialize a node.
+#
+# ok, why is that?
+# when we init a vagrant node, we force it to use the insecure vagrant key, and not the user's keys
+# (so re-initialization would be impossible if authorized_keys doesn't include insecure key).
+#
+# ok, why force the insecure vagrant key in the first place?
+# if we don't do this, then first time initialization might fail if the user has many keys
+# (ssh will bomb out before it gets to the vagrant key).
+# and it really doesn't make sense to ask users to pin the insecure vagrant key in their
+# .ssh/config files.
+#
+task :install_authorized_keys2, :max_hosts => MAX_HOSTS do
+ leap.log :updating, "authorized_keys2" do
+ leap.mkdirs '/root/.ssh'
+ upload LeapCli::Path.named_path(:authorized_keys), '/root/.ssh/authorized_keys2', :mode => '600'
+ end
+end
+
 task :install_prerequisites, :max_hosts => MAX_HOSTS do
 leap.mkdirs LeapCli::PUPPET_DESTINATION
 leap.log :updating, "package list" do |
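Review bot: Nothing in `install_authorized_keys2` itself restricts it to vagrant nodes, so the decision to leave the publicly known insecure vagrant key in `/root/.ssh/authorized_keys` is enforced only by whatever caller selects this task, and that caller is outside this hunk. I would say so in the comment block, for example `# NOTE: only run this on vagrant nodes; authorized_keys keeps the public vagrant key, so such a node must never be reachable beyond the local vagrant network.` The task also depends on sshd actually reading `authorized_keys2`: that is true only while `AuthorizedKeysFile` is left at a default that lists it, and OpenSSH has long treated the second file as deprecated, so a node whose sshd_config names only `.ssh/authorized_keys` would silently ignore the uploaded keys. A one-line comment naming that dependency (or a check of the node's sshd_config elsewhere in the deployment) would make the failure mode visible instead of a locked-out node.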