authorvarac <varacanero@zeromail.org>2013-06-27 10:52:54 +0200
committerMicah Anderson <micah@riseup.net>2013-06-30 12:51:35 -0400
commit6c34c73f7e4c5203321547b699c6eaba9de8e2fe (patch)
tree96ca00bde1b03468508301e3a28565035f49fd58
parent3b6f11a60778d5cb3ae265980e4e4870bf065de2 (diff)
switch to own define for managing ssh keys
The problem with puppet's built-in ssh_authorized_key is that you can purge unmanaged keys in an authorized_keys file. See https://leap.se/code/issues/3010 for details. Conflicts: puppet/modules/site_sshd/manifests/authorized_keys.pp Change-Id: I640bf7ebc0f0f7fb19cc46feb4cb2702d6561a9b
-rw-r--r--puppet/modules/site_sshd/manifests/authorized_keys.pp23
-rw-r--r--puppet/modules/site_sshd/manifests/authorized_keys/key.pp8
-rw-r--r--puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp9
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp2
-rw-r--r--puppet/modules/site_sshd/templates/authorized_keys.erb6
5 files changed, 34 insertions, 14 deletions
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp
index 8e0c15ac..c18f691c 100644
--- a/puppet/modules/site_sshd/manifests/authorized_keys.pp
+++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp
@@ -1,6 +1,19 @@
-class site_sshd::authorized_keys ( $keys = $site_sshd::authorized_keys ) {
- tag 'leap_authorized_keys'
-
- create_resources(site_sshd::authorized_keys::key, $keys)
-
+define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
+ # This line allows default homedir based on $title variable.
+ # If $home is empty, the default is used.
+ $homedir = $home ? {'' => "/home/${title}", default => $home}
+ file {
+ "${homedir}/.ssh":
+ ensure => 'directory',
+ owner => $title,
+ group => $title,
+ mode => '0700';
+ "${homedir}/.ssh/authorized_keys":
+ ensure => $ensure,
+ owner => $ensure ? {'present' => $title, default => undef },
+ group => $ensure ? {'present' => $title, default => undef },
+ mode => '0600',
+ require => File["${homedir}/.ssh"],
+ content => template('site_sshd/authorized_keys.erb');
+ }
}
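Review bot: The `${homedir}/.ssh` resource is always `ensure => 'directory'`, so declaring the define with `ensure => 'absent'` removes only the authorized_keys file and leaves a `.ssh` directory owned by `$title` behind; if that is intended, say so in the header comment, otherwise derive the directory's ensure from `$ensure` as well. The define also documents neither the shape of `$keys` that the template relies on (a hash keyed by user name, each value a hash with `type` and `key`) nor that the file is written in full from `content`, so any key not present in `$keys` is dropped. A header comment such as `# Manages ${homedir}/.ssh/authorized_keys for $title from $keys (user => { type => ..., key => ... }); the file is rewritten completely, so keys not listed in $keys are removed.` would capture both points for the next maintainer.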
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys/key.pp b/puppet/modules/site_sshd/manifests/authorized_keys/key.pp
deleted file mode 100644
index 56271cdc..00000000
--- a/puppet/modules/site_sshd/manifests/authorized_keys/key.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-define site_sshd::authorized_keys::key ($key, $type) {
- ssh_authorized_key {
- $name:
- type => $type,
- user => 'root',
- key => $key
- }
-}
diff --git a/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp b/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp
new file mode 100644
index 00000000..97ca058f
--- /dev/null
+++ b/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp
@@ -0,0 +1,9 @@
+class site_sshd::deploy_authorized_keys ( $keys ) {
+ tag 'leap_authorized_keys'
+
+ site_sshd::authorized_keys {'root':
+ keys => $keys,
+ home => '/root'
+ }
+
+}
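Review bot: `site_sshd::deploy_authorized_keys` has no comment saying why a wrapper class exists around the define, and the hard-coded `'root'` / `'/root'` pair is the only thing it adds; a one-line header such as `# Deploys the keys from $ssh['authorized_keys'] (see init.pp) to root's account; other users declare site_sshd::authorized_keys directly.` would make the intent clear. The class it replaces defaulted `$keys` to `$site_sshd::authorized_keys`, while this one has no default, so it must always be declared with `keys` as init.pp now does; that requirement is worth stating in the same comment.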
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index 905d5c9b..90dd2d0e 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -7,7 +7,7 @@ class site_sshd {
$authorized_keys = $ssh['authorized_keys']
- class { 'site_sshd::authorized_keys':
+ class { 'site_sshd::deploy_authorized_keys':
keys => $authorized_keys
}
diff --git a/puppet/modules/site_sshd/templates/authorized_keys.erb b/puppet/modules/site_sshd/templates/authorized_keys.erb
new file mode 100644
index 00000000..3c65e8ab
--- /dev/null
+++ b/puppet/modules/site_sshd/templates/authorized_keys.erb
@@ -0,0 +1,6 @@
+# NOTICE: This file is autogenerated by Puppet
+# all manually added keys will be overridden
+
+<% keys.sort.each do |user, hash| -%>
+<%=hash['type']-%> <%=hash['key']%> <%=user%>
+<% end -%>
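Review bot: The template interpolates `hash['type']` and `hash['key']` straight into authorized_keys, so a value containing an embedded newline would become additional lines of the file; since this file is now the whole-file source of truth for the account, it is worth having the define reject or strip embedded newlines and empty `type`/`key` values before the template is rendered, and the template header should say that the data comes unmodified from `$keys`. Separately, the unprefixed `keys` lookup is the template variable style Puppet 3 deprecates in favour of instance variables; `<% @keys.sort.each do |user, hash| -%>` is the form that keeps working on newer releases.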