manifests/ssh_authorized_key.pp


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

# wrapper to have some defaults.
define sshd::ssh_authorized_key(
    $ensure = 'present',
    $type = 'ssh-dss',
    $key = 'absent',
    $user = '',
    $target = undef,
    $options = 'absent',
    $override_builtin = undef
){

  if ($ensure=='present') and ($key=='absent') {
    fail("You have to set \$key for Sshd::Ssh_authorized_key[${name}]!")
  }

  $real_user = $user ? {
    false   => $name,
    ''      => $name,
    default => $user,
  }

  case $target {
    undef,'': {
      case $real_user {
        'root': { $real_target = '/root/.ssh/authorized_keys' }
        default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" }
      }
    }
    default: {
      $real_target = $target
    }
  }

  # The ssh_authorized_key built-in function (in 2.7.23 at least)
  # will not write an authorized_keys file for a mortal user to
  # a directory they don't have write permission to, puppet attempts to
  # create the file as the user specified with the user parameter and fails.
  # Since ssh will refuse to use authorized_keys files not owned by the
  # user, or in files/directories that allow other users to write, this
  # behavior is deliberate in order to prevent typical non-working
  # configurations. However, it also prevents the case of puppet, running
  # as root, writing a file owned by a mortal user to a common
  # authorized_keys directory such as one might specify in sshd_config with
  # something like
  #  'AuthorizedKeysFile /etc/ssh/authorized_keys/%u'
  # So we provide a way to override the built-in and instead just install
  # via a file resource. There is no additional security risk here, it's
  # nothing a user can't already do by writing their own file resources,
  # we still depend on the filesystem permissions to keep things safe.
  if $override_builtin {
    $header = "# HEADER: This file is managed by Puppet.\n"

    if $options == 'absent' {
      info("not setting any option for ssh_authorized_key: ${name}")
      $content = "${header}${type} ${key}\n"
    } else {
      $content = "${header}${options} ${type} ${key}\n"
    }

    file { $real_target:
      ensure  => $ensure,
      content => $content,
      owner   => $real_user,
      mode    => '0600',
    }

  } else {

    if $options == 'absent' {
      info("not setting any option for ssh_authorized_key: ${name}")
    } else {
      $real_options = $options
    }

    ssh_authorized_key{$name:
      ensure  => $ensure,
      type    => $type,
      key     => $key,
      user    => $real_user,
      target  => $real_target,
      options => $real_options,
    }
  }

}