authorSilvio Rhatto <rhatto@riseup.net>2017-12-29 23:24:53 -0200
committerSilvio Rhatto <rhatto@riseup.net>2017-12-29 23:24:53 -0200
commit92856ee5fcef52b322a99c40d2e9a4d6663624f4 (patch)
tree05e61155a1ef618877a7896feeef631f8bc606ee
parent2a16db7da2b356d0c76c4b4b790fef351beb496e (diff)
downloadpuppet-ekeyd-92856ee5fcef52b322a99c40d2e9a4d6663624f4.tar.gz
puppet-ekeyd-92856ee5fcef52b322a99c40d2e9a4d6663624f4.tar.bz2
Changes for Debian Stretch
-rw-r--r--lib/facter/ekeyd.rb4
-rw-r--r--manifests/base.pp2
-rw-r--r--manifests/init.pp14
-rw-r--r--templates/ekeyd.conf_stretch.erb89
4 files changed, 99 insertions, 10 deletions
diff --git a/lib/facter/ekeyd.rb b/lib/facter/ekeyd.rb
index 4c0a91b..f3abaeb 100644
--- a/lib/facter/ekeyd.rb
+++ b/lib/facter/ekeyd.rb
@@ -1,7 +1,7 @@
Facter.add('ekeyd_key_present') do
setcode do
- FileTest.exists?('/proc/bus/usb/devices') && \
- !(File.read('/proc/bus/usb/devices') =~ /Product=Entropy Key/).nil?
+ FileTest.exists?('/sys/kernel/debug/usb/devices') && \
+ !(File.read('/sys/kernel/debug/usb/devices') =~ /Product=Entropy Key/).nil?
end
end
Facter.add('ekeyd_key_present') do
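Review bot: The existence check on L28 does not prevent `File.read` on L29 from raising when the file exists but is unreadable — `/sys/kernel/debug` is debugfs, normally mounted root-only, so a facter run as an unprivileged user aborts the fact with `Errno::EACCES` instead of yielding false; `File.readable?('/sys/kernel/debug/usb/devices') && \` covers both the missing and the unreadable case. `FileTest.exists?` is also the deprecated alias (removed in Ruby 3.2); `File.exist?`/`File.readable?` avoids that. The `!(... =~ ...).nil?` idiom on L29 can be written as `File.read('/sys/kernel/debug/usb/devices').match?(/Product=Entropy Key/)`, which returns a Boolean directly and is what the `!= true` comparison in init.pp now relies on. The context line L32 starts a second `Facter.add('ekeyd_key_present')` block; if that is not a rendering artefact, two resolutions under the same name with no `confine`/`has_weight` are worth a look.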
diff --git a/manifests/base.pp b/manifests/base.pp
index 04e01d3..b448596 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -18,7 +18,7 @@ class ekeyd::base {
},
require => Package['ekeyd'],
notify => Service['ekeyd'],
- owner => root, group => 0, mode => 0644;
+ owner => root, group => 0, mode => '0644';
}
service{'ekeyd':
ensure => running,
diff --git a/manifests/init.pp b/manifests/init.pp
index 3d0e507..ddc9b98 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,7 +3,7 @@ class ekeyd(
$ekeyd_masterkey
){
- if $ekeyd_key_present != 'true' { fail("Can't find an ekey key plugged into usb on ${fqdn}") }
+ if $ekeyd_key_present != true { fail("Can't find an ekey key plugged into usb on ${fqdn}") }
case $operatingsystem {
debian: { include ekeyd::debian }
@@ -16,12 +16,12 @@ class ekeyd(
default: { include ekeyd::host::base }
}
- if $use_shorewall {
- include shorewall::rules::ekeyd
- }
+ #if $use_shorewall {
+ # include shorewall::rules::ekeyd
+ #}
}
- if $use_munin {
- include ekeyd::munin
- }
+ #if $use_munin {
+ # include ekeyd::munin
+ #}
}
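Review bot: Commenting out the `shorewall::rules::ekeyd` and `ekeyd::munin` includes (L63–L65, L70–L72) silently drops firewall-rule and monitoring management for any node that had `$use_shorewall`/`$use_munin` set, and neither the commit message nor a comment records why. If the motivation is that these are undeclared top-scope variables (presumably a strict-variables failure on newer Puppet), the change that keeps the behaviour is to declare them as class parameters next to `$ekeyd_masterkey`, `$use_shorewall = false,` and `$use_munin = false,`, and leave the `if` blocks as they were; if the features are really being retired, delete the blocks rather than leaving dead code. The `!= true` comparison on L54 now assumes the fact arrives as a Boolean rather than the string `'true'`; `$facts['ekeyd_key_present']` would make that dependency explicit. The class body continues outside the hunk, so the bracket structure around L66/L73 could not be checked here.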
diff --git a/templates/ekeyd.conf_stretch.erb b/templates/ekeyd.conf_stretch.erb
new file mode 100644
index 0000000..76a36f1
--- /dev/null
+++ b/templates/ekeyd.conf_stretch.erb
@@ -0,0 +1,89 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
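Review bot: The new template contains no ERB tags and reads as a verbatim copy of the packaged sample, and nothing in this commit's base.pp hunk selects it (that hunk only quotes the mode), so whether it is used depends on a codename-interpolated `content`/`source` selector outside the hunk — worth confirming. A leading line such as `-- Managed by Puppet (ekeyd module); local edits will be overwritten` would keep it from being hand-edited on the host. The security-relevant defaults are sound as written: `TCPControlSocket` and both EGD sockets stay commented out, so the daemon exposes only the Unix control socket and feeds the kernel pool. `Keyring "/etc/entropykey/keyring"` points at the long-term-rekey secret, whose ownership and mode are presumably handled by the package or another manifest and not visible here. On stretch `/var/run` is a compatibility symlink to `/run`; the paths on L93 and L164 still work but are the legacy spelling.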