-rw-r--r--.gitignore1
-rw-r--r--README15
-rw-r--r--files/etc/cron.d/update-monkeysphere-auth1
-rw-r--r--lib/facter/monkeysphere.rb42
-rw-r--r--lib/puppet/provider/identify_certifier/monkeysphere.rb57
-rw-r--r--lib/puppet/type/identity_certifier.rb10
-rw-r--r--manifests/init.pp49
-rw-r--r--manifests/signer.pp5
-rw-r--r--manifests/sshserver.pp21
-rw-r--r--manifests/sshserverdanger.pp11
-rw-r--r--templates/host.erb3
11 files changed, 191 insertions, 24 deletions
diff --git a/.gitignore b/.gitignore
index 1377554..d38c149 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
*.swp
+*~
diff --git a/README b/README
index a1d3595..e5f72e9 100644
--- a/README
+++ b/README
@@ -1,6 +1,11 @@
The monkeysphere puppet module is designed to help you manage your servers
and users using the monkeysphere[0].
+To install the monkeypshere module, storeconfigs should be enabled in
+your puppet server to use certain features. See:
+
+http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration#Configuring+basic+storeconfigs
+
Example usage for server setup:
# Assuming you are using the sshd puppet module...
@@ -56,6 +61,14 @@ Example usage for user setup:
monkeysphere::owner_trust { "jamie":
fingerprint => "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9"
}
-
+
+A host can be configured as a host you would use to sign the gpg keys by placing:
+
+ include monkeysphere::signer
+
+into the node definition. ON this host, a file will be placed in
+/var/lib/puppet/modules/monkeysphere/hosts for each host configured as a
+sshserver. Each file will contin the gpg id, the gpg fingerprint, and
+the ssh fingerprint of the sshserver.
0. http://monkeysphere.info/
diff --git a/files/etc/cron.d/update-monkeysphere-auth b/files/etc/cron.d/update-monkeysphere-auth
new file mode 100644
index 0000000..06bb5ae
--- /dev/null
+++ b/files/etc/cron.d/update-monkeysphere-auth
@@ -0,0 +1 @@
+*/5 * * * * root /usr/sbin/monkeysphere-authentication update-users
diff --git a/lib/facter/monkeysphere.rb b/lib/facter/monkeysphere.rb
new file mode 100644
index 0000000..1d7d68e
--- /dev/null
+++ b/lib/facter/monkeysphere.rb
@@ -0,0 +1,42 @@
+has_hostkey = false
+pgp_fingerprint = ' '
+pgp_id = ' '
+ssh_fingerprint = ' '
+
+if File.exist?('/usr/sbin/monkeysphere-host')
+
+ sk = %x{/usr/sbin/monkeysphere-host show-keys}
+ if $? == 0
+ has_hostkey = true
+ sk.lines.each do |line|
+ m = line.match('^OpenPGP fingerprint:(.*)$')
+ if m
+ pgp_fingerprint = m[1].strip
+ end
+ m = line.match('^uid (.*)$')
+ if m
+ pgp_id = m[1].strip
+ end
+ m = line.match('^ssh fingerprint:(.*)$')
+ if m
+ ssh_fingerprint = m[1].strip
+ end
+ end
+ end
+end
+
+Facter.add("monkeysphere_has_hostkey") do
+ setcode{ has_hostkey }
+end
+
+Facter.add("monkeysphere_pgp_fp") do
+ setcode{ pgp_fingerprint }
+end
+
+Facter.add("monkeysphere_pgp_id") do
+ setcode{ pgp_id }
+end
+
+Facter.add("monkeysphere_ssh_fp") do
+ setcode{ ssh_fingerprint }
+end
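Review bot: The three string facts are initialised to a single space (`' '`) rather than an empty string, so a host without a key still reports a non-empty value for `monkeysphere_pgp_fp`, `monkeysphere_pgp_id` and `monkeysphere_ssh_fp`, which defeats any `empty?`-style check on the consumer side; initialise them as `''`. `$? == 0` works because Process::Status compares against integers, but `$?.success?` states the intent directly. Parsing depends on the exact `show-keys` output labels (`OpenPGP fingerprint:`, `uid`, `ssh fingerprint:`), so a comment above the loop is worth adding, e.g. `# Parses 'monkeysphere-host show-keys' line by line; the labels must match exactly or the facts stay empty`.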
diff --git a/lib/puppet/provider/identify_certifier/monkeysphere.rb b/lib/puppet/provider/identify_certifier/monkeysphere.rb
new file mode 100644
index 0000000..49ea6e6
--- /dev/null
+++ b/lib/puppet/provider/identify_certifier/monkeysphere.rb
@@ -0,0 +1,57 @@
+##
+
+
+require 'puppet/provider/package'
+require "open3"
+
+Puppet::Type.type(:identity_certifier).provide(:monkeysphere,
+ :parent => Puppet::Provider::Package) do
+
+ commands :monkeysphereauth => "/usr/sbin/monkeysphere-authentication"
+
+ desc "asdf"
+
+ # retrieve the current set of mysql users
+ def self.instances
+ ids = []
+
+ cmd = "#{command(:monkeysphereauth)} list-id-certifiers"
+ execpipe(cmd) do |process|
+ process.each do |line|
+ m = line.match( "^[0-9A-Z]{32}([0-9A-Z]{8}):" )
+ if m
+ ids << new( { :ensure => :present, :pgpid => m.group(1) } )
+ end
+ end
+ end
+ return ids
+ end
+
+ def create
+ Open3.popen3("monkeysphere-authentication add-id-certifier #{resource[:pgpid]}") do |i, o, e|
+ i.puts( "Y" )
+ o.readlines()
+ end
+ end
+
+ def destroy
+ Open3.popen3("monkeysphere-authentication remove-id-certifier #{resource[:pgpid]}") do |i, o, e|
+ i.puts( "Y" )
+ o.readlines()
+ end
+ end
+
+ def exists?
+
+ cil = %x{/usr/sbin/monkeysphere-authentication list-id-certifiers}
+ if $? == 0
+ cil.lines.each do |line|
+ m = line.match( '^[0-9A-Z]*' + resource[:pgpid] + ':' )
+ if m
+ return true
+ end
+ end
+ end
+ return false
+ end
+end
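Review bot: `create` and `destroy` interpolate `resource[:pgpid]` into a shell string passed to `Open3.popen3`, and the type in `identity_certifier.rb` does not validate that parameter, so a catalog-controlled title reaches `/bin/sh` unescaped; pass the arguments as an array instead, `Open3.popen3(command(:monkeysphereauth), 'add-id-certifier', resource[:pgpid].to_s) do |i, o, e|` (and the same with `'remove-id-certifier'`), which also uses the absolute path declared via `commands` rather than a bare name resolved from PATH. `self.instances` calls `m.group(1)`, which does not exist on Ruby's MatchData and raises NoMethodError on the first matching line; it should be `m[1]`. `exists?` concatenates the same value into a regex without `Regexp.escape`, so a pgpid containing metacharacters changes what is matched. `desc "asdf"` and the "mysql users" comment look like copy-paste leftovers, and the provider lives under `identify_certifier/` while the type is `identity_certifier`, so Puppet's provider autoloader will presumably not find it — worth confirming.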
diff --git a/lib/puppet/type/identity_certifier.rb b/lib/puppet/type/identity_certifier.rb
new file mode 100644
index 0000000..cc8295f
--- /dev/null
+++ b/lib/puppet/type/identity_certifier.rb
@@ -0,0 +1,10 @@
+Puppet::Type.newtype(:identity_certifier) do
+ @doc = "Manage monkeysphere identity-certifiers"
+
+ ensurable
+ newparam(:pgpid) do
+ desc "The pgp id of the certifier"
+ isnamevar
+ end
+
+end
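Review bot: `pgpid` is the namevar and is later interpolated into command lines by the provider, but the parameter accepts any string; assuming certifier ids are hex key ids or fingerprints, as the provider's `[0-9A-Z]` regex and the README fingerprint suggest, add a validation block under `isnamevar`, `validate do |value|` / `raise ArgumentError, "pgpid must be hexadecimal, got #{value.inspect}" unless value =~ /\A[0-9A-Fa-f]+\z/` / `end`, using `\A`/`\z` so a multi-line value cannot slip past per-line anchors. The `@doc` string could also state that the value is matched against `monkeysphere-authentication list-id-certifiers` output, since that is what `exists?` does with it.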
diff --git a/manifests/init.pp b/manifests/init.pp
index d5358b5..a58faec 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,18 +1,18 @@
# This module is distributed under the GNU Affero General Public License:
-#
+#
# Monkeysphere module for puppet
# Copyright (C) 2009-2010 Sarava Group
-#
+#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or any later version.
-#
+#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
-#
+#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
@@ -20,9 +20,28 @@
# Class for monkeysphere management
#
-class monkeysphere inherits monkeysphere::defaults {
+class monkeysphere(
+ $ssh_port = '',
+ $publish_key = false,
+ $ensure_version = 'installed',
+ $keyserver = 'pool.sks-keyservers.net'
+) {
# The needed packages
- package { monkeysphere: ensure => installed, }
+ package{'monkeysphere':
+ ensure => $ensure_version,
+ }
+
+ $key = "ssh://${::fqdn}${port}"
+
+ common::module_dir { [ 'monkeysphere', 'monkeysphere/hosts', 'monkeysphere/plugins' ]: }
+ # This was the old way which the module checked monkeysphere keys
+ file { "/usr/local/sbin/monkeysphere-check-key":
+ ensure => absent,
+ owner => root,
+ group => root,
+ mode => 0755,
+ content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null || false",
+ }
file { "monkeysphere_conf":
path => "/etc/monkeysphere/monkeysphere.conf",
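Review bot: `$key = "ssh://${::fqdn}${port}"` in the new parameterised class refers to `$port`, which is not a parameter of `monkeysphere` (the parameter declared above is `$ssh_port`), so the key URI is built without the port; presumably `${ssh_port}` was intended, in the same form `monkeysphere::import_key`'s `$port` uses (that define starts outside this hunk). `$publish_key` is declared but not used anywhere in the hunk; if it is consumed further down, a one-line comment on the parameter saying what it controls would help, otherwise it should be dropped. The `monkeysphere_conf` file resource continues past the end of the hunk.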
@@ -45,22 +64,6 @@ class monkeysphere inherits monkeysphere::defaults {
content => template("monkeysphere/monkeysphere-authentication.conf.erb"),
require => Package['monkeysphere'],
}
-
- # This was the old way which the module checked monkeysphere keys
- file { "/usr/local/sbin/monkeysphere-check-key":
- ensure => absent,
- owner => root,
- group => root,
- mode => 0755,
- content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null || false",
- }
-}
-
-class monkeysphere::defaults {
- $keyserver = $monkeysphere_keyserver ? {
- '' => 'pool.sks-keyservers.net',
- default => $monkeysphere_keyserver
- }
}
define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) {
@@ -80,7 +83,7 @@ define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/
}
}
-# Server host key publication
+ # Server host key publication
define monkeysphere::publish_server_keys ( $keyid = '--all' ) {
exec { "monkeysphere-host publish-keys $keyid":
environment => "MONKEYSPHERE_PROMPT=false",
diff --git a/manifests/signer.pp b/manifests/signer.pp
new file mode 100644
index 0000000..cfbe46d
--- /dev/null
+++ b/manifests/signer.pp
@@ -0,0 +1,5 @@
+# collect all the host keys
+class monkeysphere::signer {
+ include monkeysphere
+ File <<| tag == 'monkeysphere-host' |>>
+}
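Review bot: The collector `File <<| tag == 'monkeysphere-host' |>>` realises every exported file carrying that tag in the storeconfigs database, and the exporting side in `sshserver.pp` fills both path and content from agent-reported facts (`$::fqdn`, `monkeysphere_pgp_id`, the two fingerprints), so the signer's hosts directory reflects what each agent claims about itself rather than anything the signer has verified. A comment above the collector stating this is worth adding, e.g. `# Collected content is agent-supplied; confirm fingerprints out of band before signing`. The collected resources also carry no owner, group or mode, so their permissions on the signer fall to the agent's defaults.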
diff --git a/manifests/sshserver.pp b/manifests/sshserver.pp
new file mode 100644
index 0000000..43c0f6f
--- /dev/null
+++ b/manifests/sshserver.pp
@@ -0,0 +1,21 @@
+# include to export your ssh key
+class monkeysphere::sshserver {
+ include monkeysphere
+ if $::monkeysphere_has_hostkey {
+ @@file { "/var/lib/puppet/modules/monkeysphere/hosts/${::fqdn}":
+ ensure => present,
+ content => template('monkeysphere/host.erb'),
+ require => Package['monkeysphere'],
+ tag => 'monkeysphere-host',
+ }
+ }
+
+ file{'/etc/cron.d/update-monkeysphere-auth':
+ ensure => present,
+ source => 'puppet:///modules/monkeysphere/etc/cron.d/update-monkeysphere-auth',
+ require => Package['monkeysphere'],
+ mode => '0644',
+ owner => root,
+ group => root,
+ }
+}
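Review bot: The exported `@@file` resource sets no `owner`, `group` or `mode`, unlike the cron file resource below it, so the collected host files take whatever defaults apply on the signer; add `owner => root, group => root, mode => '0644',` next to `tag`. `require => Package['monkeysphere']` on an exported resource is evaluated on the collecting node, which must therefore also declare that package (`monkeysphere::signer` includes `monkeysphere`, so this holds today, but the dependency is easy to miss). The cron resource is managed even when `$::monkeysphere_has_hostkey` is false; if that is intentional, a short comment above it saying so would help.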
diff --git a/manifests/sshserverdanger.pp b/manifests/sshserverdanger.pp
new file mode 100644
index 0000000..7ae6970
--- /dev/null
+++ b/manifests/sshserverdanger.pp
@@ -0,0 +1,11 @@
+# use this to authenticate with monkeysphere on ssh
+# you should not manage the sshd config as a whole
+# or at least put there the same key.
+class monkeysphere::sshserverdanger {
+ include monkeysphere::sshserver
+ augeas{'sshd_config':
+ context => '/files/etc/ssh/sshd_config',
+ changes => [ 'set AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u' ],
+ notify => Service['ssh'],
+ }
+}
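Review bot: The augeas change sets `AuthorizedKeysFile` to the monkeysphere path alone, so once `Service['ssh']` restarts, keys in `~/.ssh/authorized_keys` are no longer consulted, while the monkeysphere file for a user only exists after the cron job from `monkeysphere::sshserver` has run `update-users`; on a freshly provisioned host that leaves a window in which no key logs in. The class comment warns in general terms, but the ordering deserves its own sentence, e.g. `# Apply only after monkeysphere-authentication update-users has produced authorized_keys for at least one admin`. OpenSSH 5.9 and later accept several space-separated paths in AuthorizedKeysFile, so keeping `.ssh/authorized_keys` as a second value would close the window where the augeas Sshd lens in use supports it — worth confirming. `Service['ssh']` is not declared in this module, so the class silently depends on an sshd module naming its service exactly `ssh`.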
diff --git a/templates/host.erb b/templates/host.erb
new file mode 100644
index 0000000..6412663
--- /dev/null
+++ b/templates/host.erb
@@ -0,0 +1,3 @@
+uid <%= monkeysphere_pgp_id %>
+host_key <%= monkeysphere_ssh_fp %>
+fingerprint <%= monkeysphere_pgp_fp %>
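Review bot: The template reads `monkeysphere_pgp_id`, `monkeysphere_ssh_fp` and `monkeysphere_pgp_fp` as bare identifiers; newer Puppet releases warn on unqualified variable lookup in templates and expect the instance-variable form, so `uid <%= @monkeysphere_pgp_id %>` (and likewise for the other two lines) is the form to use. Since this content ends up in the signer's hosts directory, a leading ERB comment naming the facts it renders and the `lib/facter/monkeysphere.rb` fields they come from would make the file self-explanatory.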