aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--README61
-rw-r--r--manifests/init.pp227
-rw-r--r--templates/authorized_user_ids.erb6
-rw-r--r--templates/monkeysphere-authentication.conf.erb34
-rw-r--r--templates/monkeysphere-host.conf.erb15
-rw-r--r--templates/monkeysphere.conf.erb39
6 files changed, 351 insertions, 31 deletions
diff --git a/README b/README
new file mode 100644
index 0000000..a1d3595
--- /dev/null
+++ b/README
@@ -0,0 +1,61 @@
+The monkeysphere puppet module is designed to help you manage your servers
+and users using the monkeysphere[0].
+
+Example usage for server setup:
+
+ # Assuming you are using the sshd puppet module...
+ $sshd_authorized_keys_file = "/var/lib/monkeysphere/authorized_keys/%u"
+ include sshd
+
+ # Optionally, indicate your preferred keyserver. You can specify a server
+ # under your control and not accessible to the public or
+ # pool.sks-keyservers.net if you want to publish to the public pool. The
+ # value you specify here will be used for all monkeysphere and gpg commands
+ $monkeysphere_keyserver = "zimmermann.mayfirst.org"
+ include monkeysphere
+
+ # Ensure the server's ssh key is imported into your monkeysphere key ring
+ monkeysphere::import_key { "main": }
+
+ # Optionally publish the server key to a keyserver (as indicated above)
+ monkeysphere::publish_server_keys { "main": }
+
+ # Optionally email the server key to your self
+ monkeysphere::email_server_keys { "we@ourdomain.org": }
+
+ # Be sure to sign the server's key!
+
+ # Indiciate the fingerprint of the gpg key that should be used
+ # to verify user ids. You can repeat this for as many certifiers
+ # as you need
+ monkeysphere::add_id_certifier { "jamie":
+ keyid => "1CB57C59F2F42470238F53ABBB0B7EE15F2E4935"
+ }
+
+ # Indicate who should have root access on the server
+ monkeysphere::authorized_user_ids { "root":
+ user_ids => [ "sarah <sarah@ourgroup.org>" , "jose <josue@ourgroup.org" ]
+ }
+
+In addition, you may want to create a password-less key for a user to use
+when logging into another server (e.g. if you want automated backups from
+one server to another).
+
+Example usage for user setup:
+
+ # Ensure that the root user has authentication capable
+ # monkeysphere key
+ monkeysphere::auth_capable_user { "root": }
+
+ # Optionally publish the key
+ monkeysphere::publish_user_key { "root": }
+
+ # Grant full trust to a gpg key so the root user can properly
+ # authenticate servers to which it connects
+ # You can run this as many times as you want
+ monkeysphere::owner_trust { "jamie":
+ fingerprint => "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9"
+ }
+
+
+0. http://monkeysphere.info/
diff --git a/manifests/init.pp b/manifests/init.pp
index 991a8df..64e2645 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -19,49 +19,214 @@
#
# Class for monkeysphere management
#
-class monkeysphere {
+
+class monkeysphere inherits monkeysphere::defaults {
# The needed packages
package { monkeysphere: ensure => installed, }
- $ssh_port = $monkeysphere_ssh_port ? {
- '' => '',
- default => ":$monkeysphere_ssh_port",
+ file { "monkeysphere_conf":
+ path => "/etc/monkeysphere/monkeysphere.conf",
+ mode => 644,
+ ensure => present,
+ content => template("monkeysphere/monkeysphere.conf.erb"),
+ }
+ file { "monkeysphere_host_conf":
+ path => "/etc/monkeysphere/monkeysphere-host.conf",
+ mode => 644,
+ ensure => present,
+ content => template("monkeysphere/monkeysphere-host.conf.erb"),
+ }
+ file { "monkeysphere_authentication_conf":
+ path => "/etc/monkeysphere/monkeysphere-authentication.conf",
+ mode => 644,
+ ensure => present,
+ content => template("monkeysphere/monkeysphere-authentication.conf.erb"),
}
- $key = "ssh://${fqdn}${ssh_port}"
-
+ # This was the old way which the module checked monkeysphere keys
file { "/usr/local/sbin/monkeysphere-check-key":
- ensure => present,
+ ensure => absent,
owner => root,
group => root,
mode => 0755,
content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null || false",
}
+}
+
+class monkeysphere::defaults {
+ $keyserver = $monkeysphere_keyserver ? {
+ '' => 'pool.sks-keyservers.net',
+ default => $monkeysphere_keyserver
+ }
+}
+
+define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) {
+
+ # if we're getting a port number, prefix with a colon so it's valid
+ $prefixed_port = $port ? {
+ '' => '',
+ default => ":$port"
+ }
+
+ $key = "${scheme}${fqdn}${prefixed_port}"
+
+ exec { "monkeysphere-host import-key $path $key":
+ alias => "monkeysphere-import-key",
+ require => [ Package["monkeysphere"], File["monkeysphere_host_conf"] ],
+ unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null"
+ }
+}
- # Server host key publication
- case $monkeysphere_publish_key {
- false: {
- exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key $key":
- unless => "/usr/local/sbin/monkeysphere-check-key",
- user => "root",
- require => [ Package["monkeysphere"], File["/usr/local/sbin/monkeysphere-check-key"] ],
- }
- }
- 'mail': {
- exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key $key && \
- /usr/bin/mail -s 'monkeysphere host pgp key for $fqdn' root < /var/lib/monkeysphere/host_keys.pub.pgp":
- unless => "/usr/local/sbin/monkeysphere-check-key",
- user => "root",
- require => [ Package["monkeysphere"], File["/usr/local/sbin/monkeysphere-check-key"] ],
- }
- }
+# Server host key publication
+define monkeysphere::publish_server_keys ( $keyid = '--all' ) {
+ exec { "monkeysphere-host publish-keys $keyid":
+ environment => "MONKEYSPHERE_PROMPT=false",
+ require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"], File["monkeysphere_host_conf"] ],
+ }
+}
+
+# optionally, mail key somehwere
+define monkeysphere::email_server_keys ( ) {
+ $email = $title
+ exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp":
+ require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ],
+ }
+}
+
+# add certifiers
+define monkeysphere::add_id_certifier( $keyid ) {
+ exec { "monkeysphere-authentication add-id-certifier $keyid":
+ environment => "MONKEYSPHERE_PROMPT=false",
+ require => [ Package["monkeysphere"], File["monkeysphere_authentication_conf"] ],
+ unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null"
+ }
+}
+
+define monkeysphere::authorized_user_ids( $user_ids, $dest_dir = '/root/.monkeysphere', $dest_file = 'authorized_user_ids', $group = '') {
+ $user = $title
+ $calculated_group = $group ? {
+ '' => $user,
+ default => $group
+ }
+
+ # don't require user if it's root because root is not handled
+ # by puppet
+ case $user {
+ root: {
+ file {
+ $dest_dir:
+ owner => $user,
+ group => $calculated_group,
+ mode => 755,
+ ensure => directory,
+ }
+ }
default: {
- exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key $key && \
- /usr/sbin/monkeysphere-host publish-key":
- unless => "/usr/local/sbin/monkeysphere-check-key",
- user => "root",
- require => [ Package["monkeysphere"], File["/usr/local/sbin/monkeysphere-check-key"] ],
- }
- }
+ file {
+ $dest_dir:
+ owner => $user,
+ group => $calculated_group,
+ mode => 755,
+ ensure => directory,
+ require => User[$user]
+ }
+ }
+ }
+
+ file {
+ "${dest_dir}/${dest_file}":
+ owner => $user,
+ group => $calculated_group,
+ mode => 644,
+ content => template('monkeysphere/authorized_user_ids.erb'),
+ ensure => present,
+ recurse => true,
+ require => File[$dest_dir]
+ }
+
+ exec { "monkeysphere-authentication update-users $user":
+ refreshonly => true,
+ require => [ File["monkeysphere_authentication_conf"], Package["monkeysphere"] ],
+ subscribe => File["${dest_dir}/${dest_file}"]
+ }
+}
+
+# ensure that the user has a gpg key created and it is authentication capable
+# in the monkeysphere. This is intended to be the same as generated a
+# password-less ssh key
+#
+define monkeysphere::auth_capable_user ( $expire = "1y", $length = "2048",
+ $uid_name = undef, $email = undef ) {
+
+ $user = $title
+
+ # The goal is no passphrase, monkeysphere won't work without a passphrase.
+ $calculated_passphrase = $gpg_auto_password ? {
+ '' => 'monkeys',
+ default => $gpg_auto_password
+ }
+
+ $calculated_name = $uid_name ? {
+ '' => "$user user",
+ default => $uid_name
+ }
+ $calculated_email = $email ? {
+ '' => "$user@$fqdn",
+ default => $email
+ }
+ exec { "monkeysphere-gen-key-$user":
+ command => "printf 'Key-Type: RSA\nKey-Length: 2048\nKey-Usage: encrypt,sign\nSubkey-Type: RSA\nSubkey-Length: 2048\nSubkey-Usage: encrypt\nName-Real: $calculated_name\nName-Email: $calculated_email\nPassphrase: $calculated_passphrase\nExpire-Date: 1y\n' | gpg --batch --gen-key",
+ require => [ Package["monkeysphere"] ],
+ user => $user,
+ unless => "gpg --list-secret-key | grep ^sec >/dev/null"
+ }
+
+ #FIXME - we should check expiration date and extend it if we're < n days before expiration
+
+ # handle auth subkey
+ exec { "monkeysphere-gen-subkey-$user":
+ command => "printf '$calculated_passphrase\n' | monkeysphere gen-subkey",
+ require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ],
+ user => $user,
+ unless => "gpg --list-key --with-colons $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5) | grep ^sub | cut -d: -f12 | grep a >/dev/null"
+ }
+
+}
+
+define monkeysphere::publish_user_key ( ){
+ $user = $title
+
+ $keyserver_arg = $monkeysphere_keyserver ? {
+ '' => '',
+ default => "--keyserver $monkeysphere_keyserver"
+ }
+
+ exec { "monkeysphere-gpg-send-key-$user":
+ command => "gpg $keyserver_arg --send-key $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5)",
+ require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ],
+ user => $user,
+ }
+
+}
+
+define monkeysphere::owner_trust( $fingerprint, $user = 'root', $level = 6 ) {
+ $keyserver_arg = $monkeysphere_keyserver ? {
+ '' => '',
+ default => "--keyserver $monkeysphere_keyserver"
+ }
+
+ # ensure the key is in the key ring
+ exec { "monkeysphere-gpg-recv-key-$user-$fingerprint":
+ command => "gpg $keyserver_arg --recv-key $fingerprint",
+ require => [ Package["monkeysphere"] ],
+ user => $user,
+ unless => "gpg --list-key $fingerprint 2>&1 >/dev/null"
+ }
+ # provide ownertrust
+ exec { "monkeysphere-gpg-ownertrust-$user-$fingerprint":
+ command => "printf '$fingerprint:$level\n'\$(gpg --export-ownertrust) | gpg --import-ownertrust",
+ require => [ Package["monkeysphere"] ],
+ user => $user,
+ unless => "gpg --export-ownertrust | grep $fingerprint >/dev/null"
}
}
diff --git a/templates/authorized_user_ids.erb b/templates/authorized_user_ids.erb
new file mode 100644
index 0000000..9313c6b
--- /dev/null
+++ b/templates/authorized_user_ids.erb
@@ -0,0 +1,6 @@
+# This file is maintained by puppet, changes will be overwritten
+<% if user_ids.is_a? String -%>
+<%= user_ids %>
+<% elsif user_ids.is_a? Array -%>
+<%= user_ids.map { |i| "#{i}" }.join("\n") %>
+<% end -%>
diff --git a/templates/monkeysphere-authentication.conf.erb b/templates/monkeysphere-authentication.conf.erb
new file mode 100644
index 0000000..1b13cfd
--- /dev/null
+++ b/templates/monkeysphere-authentication.conf.erb
@@ -0,0 +1,34 @@
+# Monkeysphere authentication configuration file.
+
+# This is an sh-style shell configuration file. Variable names should
+# be separated from their assignments by a single '=' and no spaces.
+# Environment variables with the same names as these variables but
+# prefaced by "MONKEYSPHERE_" will take precedence over the values
+# specified here.
+
+# Log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+# increasing order of verbosity.
+#LOG_LEVEL=INFO
+
+# OpenPGP keyserver
+#KEYSERVER=pool.sks-keyservers.net
+<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %>
+# User who controls the monkeysphere 'sphere' keyring.
+#MONKEYSPHERE_USER=monkeysphere
+
+# Whether or not to query keyservers by default
+#CHECK_KEYSERVER=true
+
+# Path to authorized_user_ids file to process to create
+# authorized_keys file. '%h' will be replaced by the home directory
+# of the user, and '%u' will be replaced by the username of the user.
+# For purely admin-controlled authorized_user_ids, you might put them
+# in /etc/monkeysphere/authorized_user_ids/%u, for instance.
+#AUTHORIZED_USER_IDS="%h/.monkeysphere/authorized_user_ids"
+#
+# Path to a user controlled authorized_keys file to be added to the
+# monkeysphere-generated authorized_keys file. '%h' will be replaced
+# by the home directory of the user, and '%u' will by replaced by the
+# username of the user. Setting this variable to 'none' prevents the
+# inclusion of user controlled authorized_keys file.
+#RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"
diff --git a/templates/monkeysphere-host.conf.erb b/templates/monkeysphere-host.conf.erb
new file mode 100644
index 0000000..418c696
--- /dev/null
+++ b/templates/monkeysphere-host.conf.erb
@@ -0,0 +1,15 @@
+# Monkeysphere host configuration file.
+
+# This is an sh-style shell configuration file. Variable names should
+# be separated from their assignments by a single '=' and no spaces.
+# Environment variables with the same names as these variables but
+# prefaced by "MONKEYSPHERE_" will take precedence over the values
+# specified here.
+
+# Log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+# increasing order of verbosity.
+#LOG_LEVEL=INFO
+
+# OpenPGP keyserver
+#KEYSERVER=pool.sks-keyservers.net
+<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %>
diff --git a/templates/monkeysphere.conf.erb b/templates/monkeysphere.conf.erb
new file mode 100644
index 0000000..53e4b9e
--- /dev/null
+++ b/templates/monkeysphere.conf.erb
@@ -0,0 +1,39 @@
+# Monkeysphere system-wide client configuration file.
+
+# This is an sh-style shell configuration file. Variable names should
+# be separated from their assignments by a single '=' and no spaces.
+# Environment variables with the same names as these variables but
+# prefaced by "MONKEYSPHERE_" will take precedence over the values
+# specified here.
+
+# Log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in
+# increasing order of verbosity.
+#LOG_LEVEL=INFO
+
+# GPG home directory. If not specified either here or in the
+# MONKEYSPHERE_GNUPGHOME environment variable, then the value of the
+# GNUPGHOME environment variable will be used. If GNUPGHOME is not
+# set either, then the default value is listed below.
+#GNUPGHOME=~/.gnupg
+
+# GPG keyserver to search for keys.
+#KEYSERVER=pool.sks-keyservers.net
+<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %>
+# Set whether or not to check keyservers at every monkeysphere
+# interaction, including all ssh connections if you use the
+# monkeysphere ssh-proxycommand. Leave unset for default behavior
+# (see KEYSERVER CHECKING in monkeysphere(1)), or set to true or false.
+# NOTE: setting CHECK_KEYSERVER explicitly to true will leak
+# information about the timing and frequency of your ssh connections
+# to the maintainer of the keyserver.
+#CHECK_KEYSERVER=true
+
+# The path to the SSH known_hosts file.
+#KNOWN_HOSTS=~/.ssh/known_hosts
+
+# Whether or not to hash the generated known_hosts lines.
+# Should be "true" or "false".
+#HASH_KNOWN_HOSTS=false
+
+# The path to the SSH authorized_keys file.
+#AUTHORIZED_KEYS=~/.ssh/authorized_keys