From e60fb9a027a4b86ad1646cb5daadef49ed5774ff Mon Sep 17 00:00:00 2001
From: Matt Taggart
Date: Wed, 20 May 2015 14:55:09 -0700
Subject: add override_builtin parameter to handle the common authorized_key directory case
---
 manifests/ssh_authorized_key.pp | 69 +++++++++++++++++++++++++++++++++--------
 1 file changed, 56 insertions(+), 13 deletions(-)
diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp
index 7201f8b..2436df6 100644
--- a/manifests/ssh_authorized_key.pp
+++ b/manifests/ssh_authorized_key.pp
@@ -5,7 +5,8 @@ define sshd::ssh_authorized_key(
 $key = 'absent',
 $user = '',
 $target = undef,
- $options = 'absent'
+ $options = 'absent',
+ $override_builtin = undef
 ){
 if ($ensure=='present') and ($key=='absent') {
@@ -29,19 +30,61 @@ define sshd::ssh_authorized_key(
 $real_target = $target
 }
 }
- ssh_authorized_key{$name:
- ensure => $ensure,
- type => $type,
- key => $key,
- user => $real_user,
- target => $real_target,
- }
- case $options {
- 'absent': { info("not setting any option for ssh_authorized_key: ${name}") }
- default: {
- Ssh_authorized_key[$name]{
- options => $options,
+ # The ssh_authorized_key built-in function (in 2.7.23 at least)
+ # will not write an authorized_keys file for a mortal user to
+ # a directory they don't have write permission to, puppet attempts to
+ # create the file as the user specified with the user parameter and fails.
+ # Since ssh will refuse to use authorized_keys files not owned by the
+ # user, or in files/directories that allow other users to write, this
+ # behavior is deliberate in order to prevent typical non-working
+ # configurations. However, it also prevents the case of puppet, running
+ # as root, writing a file owned by a mortal user to a common
+ # authorized_keys directory such as one might specify in sshd_config with
+ # something like
+ # 'AuthorizedKeysFile /etc/ssh/authorized_keys/%u'
+ # So we provide a way to override the built-in and instead just install
+ # via a file resource. There is no additional security risk here, it's
+ # nothing a user can't already do by writing their own file resources,
+ # we still depend on the filesystem permissions to keep things safe.
+ if $override_builtin {
+ case $options {
+ 'absent': {
+ info("not setting any option for ssh_authorized_key: ${name}")
+
+ file { '$real_target':
+ ensure => $ensure,
+ content => '$type $key',
+ owner => '$real_user',
+ mode => '0600';
+ }
+ }
+ default: {
+ file { '$real_target':
+ ensure => $ensure,
+ content => '$options $type $key',
+ owner => '$real_user',
+ mode => '0600';
+ }
+ }
+ }
+ } else {
+ ssh_authorized_key{$name:
+ ensure => $ensure,
+ type => $type,
+ key => $key,
+ user => $real_user,
+ target => $real_target,
+ }
+
+ case $options {
+ 'absent': {
+ info("not setting any option for ssh_authorized_key: ${name}")
+ }
+ default: {
+ Ssh_authorized_key[$name]{
+ options => $options,
+ }
 }
 }
 }
-- 
cgit v1.2.3
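Review bot: In the `$override_builtin` branch both `file` resources single-quote their title, `content` and `owner`, and Puppet does not interpolate variables inside single-quoted strings, so the resource would be declared with the literal title `$real_target`, literal content `$type $key` and literal owner `$real_user` instead of the computed path, key and user. Use the bare variable or double quotes, e.g. `file { $real_target:`, `content => "${type} ${key}\n",` and `owner => $real_user,`, with `"${options} ${type} ${key}\n"` in the `default` case (if `$options` can be an array, which this hunk does not show, it would need to be joined with commas first). The comment block should also say that a `file` resource manages the whole file, so unlike `ssh_authorized_key` this path holds exactly one key per target, a second define with the same target will collide, and `ensure => absent` removes the file rather than a single entry. That difference matters when keys are rotated or revoked, and it qualifies the "no additional security risk" statement in the comment.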