diff options
author | Micah <micah@leap.se> | 2016-07-12 16:45:28 -0400 |
---|---|---|
committer | Micah <micah@leap.se> | 2016-07-12 16:45:28 -0400 |
commit | 4ccae8700fb136bfbc6b7ef7bb0ab482e632139f (patch) | |
tree | 9711bb668fb93ebb05b7efad982f3d988c88afd7 /puppet/modules/sshd/manifests/ssh_authorized_key.pp | |
parent | b85f8c1b914a09b6001d4c1b5c7d07ef17ac766f (diff) |
git subrepo clone https://leap.se/git/puppet_sshd puppet/modules/sshd
subrepo:
subdir: "puppet/modules/sshd"
merged: "76f4f87"
upstream:
origin: "https://leap.se/git/puppet_sshd"
branch: "master"
commit: "76f4f87"
git-subrepo:
version: "0.3.0"
origin: "https://github.com/ingydotnet/git-subrepo"
commit: "1e79595"
Change-Id: Icf616796837cdbe40deb188d2b72f1c726c9e807
Diffstat (limited to 'puppet/modules/sshd/manifests/ssh_authorized_key.pp')
-rw-r--r-- | puppet/modules/sshd/manifests/ssh_authorized_key.pp | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/puppet/modules/sshd/manifests/ssh_authorized_key.pp b/puppet/modules/sshd/manifests/ssh_authorized_key.pp new file mode 100644 index 00000000..80cb3b70 --- /dev/null +++ b/puppet/modules/sshd/manifests/ssh_authorized_key.pp @@ -0,0 +1,85 @@ +# wrapper to have some defaults. +define sshd::ssh_authorized_key( + $ensure = 'present', + $type = 'ssh-dss', + $key = 'absent', + $user = '', + $target = undef, + $options = 'absent', + $override_builtin = undef +){ + + if ($ensure=='present') and ($key=='absent') { + fail("You have to set \$key for Sshd::Ssh_authorized_key[${name}]!") + } + + $real_user = $user ? { + false => $name, + '' => $name, + default => $user, + } + + case $target { + undef,'': { + case $real_user { + 'root': { $real_target = '/root/.ssh/authorized_keys' } + default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" } + } + } + default: { + $real_target = $target + } + } + + # The ssh_authorized_key built-in function (in 2.7.23 at least) + # will not write an authorized_keys file for a mortal user to + # a directory they don't have write permission to, puppet attempts to + # create the file as the user specified with the user parameter and fails. + # Since ssh will refuse to use authorized_keys files not owned by the + # user, or in files/directories that allow other users to write, this + # behavior is deliberate in order to prevent typical non-working + # configurations. However, it also prevents the case of puppet, running + # as root, writing a file owned by a mortal user to a common + # authorized_keys directory such as one might specify in sshd_config with + # something like + # 'AuthorizedKeysFile /etc/ssh/authorized_keys/%u' + # So we provide a way to override the built-in and instead just install + # via a file resource. There is no additional security risk here, it's + # nothing a user can't already do by writing their own file resources, + # we still depend on the filesystem permissions to keep things safe. + if $override_builtin { + $header = "# HEADER: This file is managed by Puppet.\n" + + if $options == 'absent' { + info("not setting any option for ssh_authorized_key: ${name}") + $content = "${header}${type} ${key}\n" + } else { + $content = "${header}${options} ${type} ${key}\n" + } + + file { $real_target: + ensure => $ensure, + content => $content, + owner => $real_user, + mode => '0600', + } + + } else { + + if $options == 'absent' { + info("not setting any option for ssh_authorized_key: ${name}") + } else { + $real_options = $options + } + + ssh_authorized_key{$name: + ensure => $ensure, + type => $type, + key => $key, + user => $real_user, + target => $real_target, + options => $real_options, + } + } + +} |