From 6f7a28d95e447f7368459de4f998d9d1d8c4f961 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Thu, 11 Apr 2013 16:06:29 -0300
Subject: Adding code to manage ssh host identification, but not enabled by default

---
 manifests/instance.pp | 71 +++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 69 insertions(+), 2 deletions(-)

(limited to 'manifests')

diff --git a/manifests/instance.pp b/manifests/instance.pp
index ac8618a..a8d3e4e 100644
--- a/manifests/instance.pp
+++ b/manifests/instance.pp
@@ -1,7 +1,7 @@
 define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description = false, $adminuser = 'yourname', $adminemail = 'me@example.org', $instance = 'ikiwiki', $account_creation_password = false, $add_plugins = false, $disable_plugins = false,
- $protocol = 'https', $owner = $name, $group = $name, $home = "/home/$name") {
+ $protocol = 'https', $owner = $name, $group = $name, $home = "/home/$name", $ssh_localhost_auth = false) {
 $desc = $description ? {
 false => $title,
@@ -25,7 +25,6 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
 refreshonly => true,
 }
 
- # TODO: shall we add NoHostAuthenticationForLocalhost in the user ssh config?
 exec { "ssh-keygen-ikiwiki-${name}_${instance}":
 command => "ssh-keygen -t rsa -P '' -f ${home}/.ssh/id_rsa",
 creates => "${home}/.ssh/id_rsa",
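Review bot: The new `$ssh_localhost_auth` parameter in the define header carries no documentation of its accepted values, which a reader can only recover from the selectors much further down in the same define. A header comment such as `# $ssh_localhost_auth: false (leave ssh host checking untouched), 'auto' (set NoHostAuthenticationForLocalhost in ~/.ssh/config) or 'fingerprint' (pin this host's own public keys in ~/.ssh/known_hosts)` would make the choice visible at the call site, and could add that 'fingerprint' keeps host-key verification in place and is the safer of the two. The define's body continues outside this hunk.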
@@ -62,6 +61,74 @@ define ikiwiki::instance($base_url = $domain, $ensure = 'present', $description
 group => $group,
 mode => 0700,
 }
+
+ file { "${home}/.ssh/config":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ file { "${home}/.ssh/known_hosts":
+ ensure => present,
+ owner => $owner,
+ group => $group,
+ mode => 0600,
+ require => File["${home}/.ssh"],
+ }
+
+ # The NoHostAuthenticationForLocalhost ssh option might be useful
+ # for automated deployment environments so your ikiwiki user doesn't
+ # get stuck with the fingerprint confirmation prompt when pushing
+ # content via ssh in the first time it runs.
+ line { 'NoHostAuthenticationForLocalhost-${owner}':
+ file => "${home}/.ssh/config",
+ line => "NoHostAuthenticationForLocalhost yes",
+ ensure => $ssh_localhost_auth ? {
+ 'auto' => present,
+ 'fingerprint' => absent,
+ 'default' => absent,
+ },
+ }
+
+ # Alternativelly, you can choose to include the host's fingeprints
+ # directly into the known_hosts file.
+ if $::sshrsakey != '' {
+ line { 'known_hosts-localhost-rsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-rsa ${::sshrsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ 'default' => undef,
+ },
+ }
+ }
+
+ if $::sshdsakey != '' {
+ line { 'known_hosts-localhost-dsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ssh-dss ${::sshdsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ 'default' => undef,
+ },
+ }
+ }
+
+ if $::sshecdsakey != '' {
+ line { 'known_hosts-localhost-ecdsa-${owner}':
+ file => "${home}/.ssh/known_hosts",
+ line => "localhost ecdsa-sha2-nistp256 ${::sshedsakey}",
+ ensure => $ssh_localhost_auth ? {
+ 'fingerprint' => present,
+ 'auto' => undef,
+ 'default' => undef,
+ },
+ }
+ }
 }
 
 if !defined(File["${ikiwiki::sites_folder}/${name}"]) {
-- 
cgit v1.2.3
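Review bot: The quoted `'default'` arms in each `$ssh_localhost_auth ? { … }` selector are string literals rather than the bare `default` keyword, so the define's own default of `false` matches no arm and the catalog should fail to compile with the feature left off, unless the Puppet release in use treats that quoted string as the default case; the arms should read `default => absent` and `default => undef`, and `undef` hands the known_hosts entries to whatever `line` defaults to, presumably `present`, which is worth confirming. The ecdsa entry interpolates `${::sshedsakey}` while its guard tests `$::sshecdsakey`, so it writes `localhost ecdsa-sha2-nistp256 ` followed by an empty key; it should be `line => "localhost ecdsa-sha2-nistp256 ${::sshecdsakey}",`. The single-quoted titles such as `'known_hosts-localhost-rsa-${owner}'` do not interpolate, so a second ikiwiki::instance in the same catalog is a duplicate declaration of the same literal title; double quotes are needed there. Since `NoHostAuthenticationForLocalhost yes` switches host-key verification off for loopback connections, the comment above it could state that 'fingerprint' mode keeps verification in place and that the pinned values are the host's full public keys, not fingerprints. Both the block closed by the context `}` and the define itself continue outside the hunk.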