From 82a1295f3a41ace4be6398945dd53e9c300a6d11 Mon Sep 17 00:00:00 2001
From: elijah
Date: Thu, 13 Mar 2014 00:57:44 -0700
Subject: various ssh key fixes (REQUIRES rebuilding vagrant nodes).
---
 lib/leap_cli/remote/tasks.rb | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
(limited to 'lib/leap_cli/remote/tasks.rb')
diff --git a/lib/leap_cli/remote/tasks.rb b/lib/leap_cli/remote/tasks.rb
index 5b0418a..9f24599 100644
--- a/lib/leap_cli/remote/tasks.rb
+++ b/lib/leap_cli/remote/tasks.rb
@@ -12,6 +12,30 @@ task :install_authorized_keys, :max_hosts => MAX_HOSTS do
 end
 end
+#
+# for vagrant nodes, we don't overwrite authorized_keys, because we want to keep the insecure vagrant key.
+# instead we install to authorized_keys2, which is also used by sshd.
+#
+# why?
+# without it, it might be impossible to re-initialize a node.
+#
+# ok, why is that?
+# when we init a vagrant node, we force it to use the insecure vagrant key, and not the user's keys
+# (so re-initialization would be impossible if authorized_keys doesn't include insecure key).
+#
+# ok, why force the insecure vagrant key in the first place?
+# if we don't do this, then first time initialization might fail if the user has many keys
+# (ssh will bomb out before it gets to the vagrant key).
+# and it really doesn't make sense to ask users to pin the insecure vagrant key in their
+# .ssh/config files.
+#
+task :install_authorized_keys2, :max_hosts => MAX_HOSTS do
+ leap.log :updating, "authorized_keys2" do
+ leap.mkdirs '/root/.ssh'
+ upload LeapCli::Path.named_path(:authorized_keys), '/root/.ssh/authorized_keys2', :mode => '600'
+ end
+end
+
 task :install_prerequisites, :max_hosts => MAX_HOSTS do
 leap.mkdirs LeapCli::PUPPET_DESTINATION
 leap.log :updating, "package list" do
--
cgit v1.2.3
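Review bot: Nothing in `install_authorized_keys2` itself restricts it to vagrant nodes, so the guarantee that the publicly known vagrant key stays authorized for root only on throwaway nodes rests entirely on whichever caller picks this task over `install_authorized_keys`, and that caller is not in this hunk. If the task were run against a non-vagrant host, the existing `/root/.ssh/authorized_keys` would be left untouched, so any key already present there would keep root access even after it was dropped from the uploaded key list. I would state the precondition directly on the task, e.g. `# only for vagrant nodes: authorized_keys is left as-is, so the insecure vagrant key (and any key already there) keeps root access`. Separately, the task depends on sshd reading `authorized_keys2`; where `AuthorizedKeysFile` in sshd_config lists only `.ssh/authorized_keys`, the uploaded keys would be ignored, which deserves a line in the comment as well.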