From 26dbee78df014daa94b40b00b11c20b2f46721d7 Mon Sep 17 00:00:00 2001 From: Jamie McClelland Date: Fri, 4 Mar 2011 15:20:05 -0500 Subject: updates to work with mfpl monkeysphere setup --- manifests/init.pp | 68 +++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 46 insertions(+), 22 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index a4e60ad..d873237 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,7 +1,7 @@ # This module is distributed under the GNU Affero General Public License: # # Monkeysphere module for puppet -# Copyright (C) 2009 Sarava Group +# Copyright (C) 2009-2010 Sarava Group # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as 
@@ -23,29 +23,53 @@ class monkeysphere { # The needed packages package { monkeysphere: ensure => installed, } - $ssh_port = $monkeysphere_ssh_port ? { - '' => '', - default => ":$monkeysphere_ssh_port", +} + +class monkeysphere::import_key inherits monkeysphere { + $key = "ssh://${fqdn}" + # Server host key import + exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key $key": + user => "root", + unless => "/usr/sbin/monkeysphere-host s | grep $key" } +} - $key = "ssh://${fqdn}${ssh_port}" +# Server host key publication +class monkeysphere::publish_key inherits monkeysphere { + exec { "MONKEYSPHERE_PROMPT=false $keyserver_arg /usr/sbin/monkeysphere-host publish-key": + user => "root", + } +} - # Server host key publication - case $monkeysphere_publish_key { - false: { - exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key $key": - unless => "/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null", - user => "root", - require => Package["monkeysphere"], - } - } - default: { - exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key $key && \ - /usr/sbin/monkeysphere-host publish-key": - unless => "/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null", - user => "root", - require => Package["monkeysphere"], - } - } +# add certifiers +define monkeysphere::add_certifiers( $keyid ) { + exec { "/usr/sbin/monkeysphere-authentication add-id-certifier $keyid": + environment => "MONKEYSPHERE_PROMPT=false", + user => "root", + require => [ Package["monkeysphere"] ], + unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid" + } +} +define monkeysphere::root_authorized_user_ids( $file ) { + file { + "/root/.monkeysphere": + owner => "root", + group => "root", + mode => 755, + ensure => directory, + } + file { + "/root/.monkeysphere/authorized_user_ids": + owner => "root", + group => "root", + mode => 644, + source => "$file", + ensure => 
present, + recurse => true, + } + exec { "/usr/sbin/monkeysphere-authentication update-users root": + user => "root", + require => [ Package["monkeysphere"] ], + onlyif => "/usr/bin/test /root/.monkeysphere/authorized_user_ids -nt /var/lib/monkeysphere/authorized_keys/root" } } -- cgit v1.2.3 From 53eb5fa507e0ddcf75f77a3b4be33d3419f44d2b Mon Sep 17 00:00:00 2001 From: Greg Lyle Date: Sun, 6 Mar 2011 18:19:08 -0500 Subject: Correct use of enviroment variable --- manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index d873237..c619863 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -36,7 +36,8 @@ class monkeysphere::import_key inherits monkeysphere { # Server host key publication class monkeysphere::publish_key inherits monkeysphere { - exec { "MONKEYSPHERE_PROMPT=false $keyserver_arg /usr/sbin/monkeysphere-host publish-key": + exec { "/usr/sbin/monkeysphere-host publish-key": + enviroment => "MONKEYSPHERE_PROMPT=false", user => "root", } } -- cgit v1.2.3 From 259144f19e851312cc7229a5ec6b8f2963fbb034 Mon Sep 17 00:00:00 2001 From: Greg Lyle Date: Sun, 6 Mar 2011 18:33:32 -0500 Subject: Correct typo --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index c619863..3217cb6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -37,7 +37,7 @@ class monkeysphere::import_key inherits monkeysphere { # Server host key publication class monkeysphere::publish_key inherits monkeysphere { exec { "/usr/sbin/monkeysphere-host publish-key": - enviroment => "MONKEYSPHERE_PROMPT=false", + environment => "MONKEYSPHERE_PROMPT=false", user => "root", } } -- cgit v1.2.3 From 6e2a4c72b6c9816be5d196e613a49ed303609e74 Mon Sep 17 00:00:00 2001 
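Review bot: The `import-key` exec in `monkeysphere::import_key` drops the `require => Package["monkeysphere"]` that both removed `case` branches carried, so on a fresh host Puppet may schedule `/usr/sbin/monkeysphere-host` before the package is installed; add `require => Package["monkeysphere"],` to it and to the `publish-key` exec. The `unless` guards in `import_key` and `add_certifiers` pass `$key` and `$keyid` to `grep` unquoted and unanchored, so a partial fingerprint, or a host name that is a substring of another listed identity, makes the step look already done; `grep -F -- '$keyid'` is the minimum, anchored to the line where the output format allows it. `monkeysphere::publish_key` interpolates `$keyserver_arg` into the exec command, and nothing in this commit defines it. The `file` resources use bare numeric modes (`mode => 755`); quoting them (`mode => '0755'`, `mode => '0644'`) avoids the integer-versus-octal ambiguity that later Puppet releases reject.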
From: Jamie McClelland Date: Tue, 8 Mar 2011 09:43:43 -0500 Subject: easier to read with proper identation --- manifests/init.pp | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 3217cb6..f49ab92 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -29,26 +29,26 @@ class monkeysphere::import_key inherits monkeysphere { $key = "ssh://${fqdn}" # Server host key import exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key $key": - user => "root", - unless => "/usr/sbin/monkeysphere-host s | grep $key" + user => "root", + unless => "/usr/sbin/monkeysphere-host s | grep $key" } } # Server host key publication class monkeysphere::publish_key inherits monkeysphere { exec { "/usr/sbin/monkeysphere-host publish-key": - environment => "MONKEYSPHERE_PROMPT=false", - user => "root", + environment => "MONKEYSPHERE_PROMPT=false", + user => "root", } } # add certifiers define monkeysphere::add_certifiers( $keyid ) { exec { "/usr/sbin/monkeysphere-authentication add-id-certifier $keyid": - environment => "MONKEYSPHERE_PROMPT=false", - user => "root", - require => [ Package["monkeysphere"] ], - unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid" + environment => "MONKEYSPHERE_PROMPT=false", + user => "root", + require => [ Package["monkeysphere"] ], + unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid" } } define monkeysphere::root_authorized_user_ids( $file ) { 
@@ -69,8 +69,8 @@ define monkeysphere::root_authorized_user_ids( $file ) { recurse => true, } exec { "/usr/sbin/monkeysphere-authentication update-users root": - user => "root", - require => [ Package["monkeysphere"] ], - onlyif => "/usr/bin/test /root/.monkeysphere/authorized_user_ids -nt /var/lib/monkeysphere/authorized_keys/root" + user => "root", + require => [ Package["monkeysphere"] ], + onlyif => "/usr/bin/test /root/.monkeysphere/authorized_user_ids -nt /var/lib/monkeysphere/authorized_keys/root" } } -- cgit v1.2.3 From 1c4c275c34c9c9a240918852d1668d3d6d5c1967 Mon Sep 17 00:00:00 2001 From: Jamie McClelland Date: Tue, 8 Mar 2011 10:10:51 -0500 Subject: admins may not want to publish keys for some hosts --- manifests/init.pp | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index f49ab92..d9dc98e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -36,9 +36,17 @@ class monkeysphere::import_key inherits monkeysphere { # Server host key publication class monkeysphere::publish_key inherits monkeysphere { - exec { "/usr/sbin/monkeysphere-host publish-key": - environment => "MONKEYSPHERE_PROMPT=false", - user => "root", + $no_publish = $monkeysphere_no_publish ? { + '' => '', + default => $monkeysphere_no_publish + } + if $fqdn in $no_publish { + info("Not publishing $fqdn monkeysphere key") + } else { + exec { "/usr/sbin/monkeysphere-host publish-key": + environment => "MONKEYSPHERE_PROMPT=false", + user => "root", + } } } -- cgit v1.2.3 From 4a7c7d07e332acac54d61446701322253bc770da Mon Sep 17 00:00:00 2001 From: Jamie McClelland Date: Tue, 8 Mar 2011 10:16:00 -0500 Subject: helpful directions --- README | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 README diff --git a/README b/README new file mode 100644 index 0000000..cc44499 --- /dev/null +++ b/README 
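Review bot: With `$monkeysphere_no_publish` unset the selector yields `''`, `$fqdn in ''` is false, and the key is published — a missing or misspelled variable fails open, and a host key pushed to a public SKS pool cannot be withdrawn afterwards. Consider failing closed instead, e.g. `if $no_publish == '' or $fqdn in $no_publish { info("Not publishing $fqdn monkeysphere key") }`, or gating publication on an explicit opt-in variable. Note also that `in` is a substring test when the right-hand side is a string, so a scalar value suppresses any host whose `$fqdn` is a substring of it; the README should state that the variable must be an array.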
@@ -0,0 +1,31 @@ +The monkeysphere puppet module is designed to help you manage your servers +using the monkeysphere[0]. + +Example usage: + + # assuming you are using the sshd puppet module... + $sshd_authorized_keys_file = "/var/lib/monkeysphere/authorized_keys/%u" + include sshd + + # import the generated ssh key into the server's gpg ring + include monkeysphere::import_key + + # add host names to the array below if you do not want them published to the + # web of trust + $monkeysphere_no_publish = [ "animal.mayfirst.org", "test.mayfirst.org" ] + include monkeysphere::publish_key + + # add the fingerprints of the gpgids that should be certifiers + monkeysphere::add_certifiers { dkg: + keyid => "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9" + } + monkeysphere::add_certifiers { jamie: + keyid => "1CB57C59F2F42470238F53ABBB0B7EE15F2E4935" + } + + # add a authorized_user_ids file for the root user + monkeysphere::root_authorized_user_ids { main: + file => "puppet:///files/monkeysphere/root/authorized_user_ids" + } + +0. http://monkeysphere.info/ -- cgit v1.2.3 From 9a4c41ca7a1312af74a8ee9f1c7f07e22352f7d3 Mon Sep 17 00:00:00 2001 From: Jamie McClelland Date: Sat, 19 Mar 2011 01:17:01 -0400 Subject: adding ability to specify a key server. --- manifests/init.pp | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index d9dc98e..2d4bd61 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -25,10 +25,18 @@ class monkeysphere { } +class monkeysphere::defaults inherits monkeysphere { + $keyserver = $monkeysphere_keyserver ? { + '' => "pool.sks-keyservers.net", + default => $monkeysphere_keyserver, + } +} + class monkeysphere::import_key inherits monkeysphere { $key = "ssh://${fqdn}" # Server host key import exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key $key": + alias => "monkeysphere-import-key", user => "root", unless => "/usr/sbin/monkeysphere-host s | grep $key" } 
@@ -36,6 +44,7 @@ class monkeysphere::import_key inherits monkeysphere { # Server host key publication class monkeysphere::publish_key inherits monkeysphere { + include monkeysphere::defaults $no_publish = $monkeysphere_no_publish ? { '' => '', default => $monkeysphere_no_publish @@ -44,7 +53,7 @@ class monkeysphere::publish_key inherits monkeysphere { info("Not publishing $fqdn monkeysphere key") } else { exec { "/usr/sbin/monkeysphere-host publish-key": - environment => "MONKEYSPHERE_PROMPT=false", + environment => [ "MONKEYSPHERE_PROMPT=false", "MONKEYSPHERE_KEYSERVER=$keyserver" ], user => "root", } } @@ -52,10 +61,11 @@ class monkeysphere::publish_key inherits monkeysphere { # add certifiers define monkeysphere::add_certifiers( $keyid ) { + include monkeysphere::defaults exec { "/usr/sbin/monkeysphere-authentication add-id-certifier $keyid": - environment => "MONKEYSPHERE_PROMPT=false", + environment => [ "MONKEYSPHERE_PROMPT=false", "MONKEYSPHERE_KEYSERVER=$keyserver" ], user => "root", - require => [ Package["monkeysphere"] ], + require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ], unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid" } } @@ -77,6 +87,7 @@ define monkeysphere::root_authorized_user_ids( $file ) { recurse => true, } exec { "/usr/sbin/monkeysphere-authentication update-users root": + environment => "MONKEYSPHERE_KEYSERVER=$keyserver", user => "root", require => [ Package["monkeysphere"] ], onlyif => "/usr/bin/test /root/.monkeysphere/authorized_user_ids -nt /var/lib/monkeysphere/authorized_keys/root" -- cgit v1.2.3 From 780ea534acbd062353f61dd0c123c3afde9a3f97 Mon Sep 17 00:00:00 2001 
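Review bot: `$keyserver` is set in `monkeysphere::defaults` but read unqualified in `monkeysphere::publish_key` and `monkeysphere::add_certifiers` after a plain `include`, and in `root_authorized_user_ids` without any include at all; an `include`d class's variables are not visible in the including scope in Puppet 2.x, so each new `MONKEYSPHERE_KEYSERVER=$keyserver` entry is likely passed as an empty assignment (the targeted Puppet version is not visible in the hunk). Reference `$monkeysphere::defaults::keyserver` in all three places, or make the classes inherit `monkeysphere::defaults`. The new `Exec["monkeysphere-import-key"]` dependency in `add_certifiers` also assumes `monkeysphere::import_key` is in every catalog that uses the define; a node that only adds certifiers fails on a missing resource unless the define includes that class itself.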
From: Jamie McClelland Date: Sat, 19 Mar 2011 10:34:04 -0400 Subject: refactored to be more flexible for different setups. Also, defines are for actions to be taken multiple times on a single server, which includes most monkeyshere configuration steps. --- manifests/init.pp | 104 +++++++++++++++---------- templates/monkeysphere-authentication.conf.erb | 34 ++++++++ templates/monkeysphere-host.conf.erb | 15 ++++ templates/monkeysphere.conf.erb | 39 ++++++++++ 4 files changed, 152 insertions(+), 40 deletions(-) create mode 100644 templates/monkeysphere-authentication.conf.erb create mode 100644 templates/monkeysphere-host.conf.erb create mode 100644 templates/monkeysphere.conf.erb diff --git a/manifests/init.pp b/manifests/init.pp index 2d4bd61..407313b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -19,77 +19,101 @@ # # Class for monkeysphere management # + class monkeysphere { # The needed packages package { monkeysphere: ensure => installed, } + include monkeysphere::defaults + file { + "/etc/monkeysphere/monkeysphere.conf": + mode => 644, + ensure => present, + content => template("monkeysphere/monkeysphere.conf.erb"), + } + file { + "/etc/monkeysphere/monkeysphere-host.conf": + mode => 644, + ensure => present, + content => template("monkeysphere/monkeysphere-host.conf.erb"), + } + file { + "/etc/monkeysphere/monkeysphere-authentication.conf": + mode => 644, + ensure => present, + content => template("monkeysphere/monkeysphere-authentication.conf.erb"), + } } -class monkeysphere::defaults inherits monkeysphere { +class monkeysphere::defaults { $keyserver = $monkeysphere_keyserver ? { - '' => "pool.sks-keyservers.net", - default => $monkeysphere_keyserver, + '' => 'pool.sks-keyservers.net', + default => $monkeysphere_keyserver } } -class monkeysphere::import_key inherits monkeysphere { - $key = "ssh://${fqdn}" - # Server host key import - exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key $key": +define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) { + + # if we're getting a port number, prefix with a colon so it's valid + $port = $port ? { + '' => '', + default => ":$port" + } + + $key = "${schema}://${fqdn}${port}" + + exec { "monkeysphere-host import-key $path $key": alias => "monkeysphere-import-key", - user => "root", - unless => "/usr/sbin/monkeysphere-host s | grep $key" + require => [ Package["monkeysphere"] ], + unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null" } } # Server host key publication -class monkeysphere::publish_key inherits monkeysphere { - include monkeysphere::defaults - $no_publish = $monkeysphere_no_publish ? 
{ - '' => '', - default => $monkeysphere_no_publish +define monkeysphere::publish_keys ( $keyid = '--all' ) { + exec { "monkeysphere-host publish-keys $keyid": + environment => "MONKEYSPHERE_PROMPT=false", + require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ], } - if $fqdn in $no_publish { - info("Not publishing $fqdn monkeysphere key") - } else { - exec { "/usr/sbin/monkeysphere-host publish-key": - environment => [ "MONKEYSPHERE_PROMPT=false", "MONKEYSPHERE_KEYSERVER=$keyserver" ], - user => "root", - } +} + +# optionally, mail key somehwere +define monkeysphere::email_keys ( $email = 'root' ) { + exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp": + require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ], } } # add certifiers -define monkeysphere::add_certifiers( $keyid ) { - include monkeysphere::defaults - exec { "/usr/sbin/monkeysphere-authentication add-id-certifier $keyid": - environment => [ "MONKEYSPHERE_PROMPT=false", "MONKEYSPHERE_KEYSERVER=$keyserver" ], - user => "root", - require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ], - unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid" +define monkeysphere::add_id_certifier( $keyid ) { + exec { "monkeysphere-authentication add-id-certifier $keyid": + environment => "MONKEYSPHERE_PROMPT=false", + require => [ Package["monkeysphere"] ], + unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null" } } -define monkeysphere::root_authorized_user_ids( $file ) { + +define monkeysphere::authorized_user_ids( $source, $user = 'root', $group = $user, $dest_dir = '/root/.monkeysphere', $dest_file = '.authorized_user_ids') { file { - "/root/.monkeysphere": - owner => "root", - group => "root", + $dest_dir: + owner => $user, + group => $group, mode => 755, ensure => directory, } file { - "/root/.monkeysphere/authorized_user_ids": - owner => "root", 
- group => "root", + "${dest_dir}/${dest_file}": + owner => $user, + group => $group, mode => 644, - source => "$file", + source => $source, ensure => present, recurse => true, } - exec { "/usr/sbin/monkeysphere-authentication update-users root": - environment => "MONKEYSPHERE_KEYSERVER=$keyserver", - user => "root", + + exec { "monkeysphere-authentication update-users $user": require => [ Package["monkeysphere"] ], - onlyif => "/usr/bin/test /root/.monkeysphere/authorized_user_ids -nt /var/lib/monkeysphere/authorized_keys/root" + refreshonly => true, + subscribe => File["${dest_dir}/${dest_file}"] } } diff --git a/templates/monkeysphere-authentication.conf.erb b/templates/monkeysphere-authentication.conf.erb new file mode 100644 index 0000000..1b13cfd --- /dev/null +++ b/templates/monkeysphere-authentication.conf.erb 
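Review bot: Every exec in the rewritten manifest now names a bare command — `monkeysphere-host import-key ...`, `monkeysphere-host publish-keys ...`, `mail ...`, `monkeysphere-authentication ...` — with no `path` attribute, where the removed lines used `/usr/sbin/...`; Puppet's exec refuses an unqualified command when `path` is unset, and a root-run command resolved through `PATH` is the wrong default anyway, so restore the absolute paths or add `path => '/usr/sbin:/usr/bin:/sbin:/bin'` to each exec. `monkeysphere::publish_keys` and `monkeysphere::email_keys` have no `unless`, `onlyif` or `refreshonly`, so every agent run republishes the host key and sends another mail; `refreshonly => true, subscribe => Exec["monkeysphere-import-key"]` ties them to an actual import. `$path`, `$keyid` and `$email` are interpolated into the command strings unquoted, so a value containing whitespace is split into extra arguments — write them as `'$path'`, `'$keyid'`, `'$email'` inside the string. The `< /var/lib/monkeysphere/host_keys.pub.pgp` redirection and the `| grep` pipelines need a shell; whether the exec provider in the targeted Puppet version supplies one is not visible here, so it is worth confirming (`provider => shell` where available).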
@@ -0,0 +1,34 @@ +# Monkeysphere authentication configuration file. + +# This is an sh-style shell configuration file. Variable names should +# be separated from their assignments by a single '=' and no spaces. +# Environment variables with the same names as these variables but +# prefaced by "MONKEYSPHERE_" will take precedence over the values +# specified here. + +# Log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in +# increasing order of verbosity. +#LOG_LEVEL=INFO + +# OpenPGP keyserver +#KEYSERVER=pool.sks-keyservers.net +<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %> +# User who controls the monkeysphere 'sphere' keyring. +#MONKEYSPHERE_USER=monkeysphere + +# Whether or not to query keyservers by default +#CHECK_KEYSERVER=true + +# Path to authorized_user_ids file to process to create +# authorized_keys file. '%h' will be replaced by the home directory +# of the user, and '%u' will be replaced by the username of the user. +# For purely admin-controlled authorized_user_ids, you might put them +# in /etc/monkeysphere/authorized_user_ids/%u, for instance. +#AUTHORIZED_USER_IDS="%h/.monkeysphere/authorized_user_ids" +# +# Path to a user controlled authorized_keys file to be added to the +# monkeysphere-generated authorized_keys file. '%h' will be replaced +# by the home directory of the user, and '%u' will by replaced by the +# username of the user. Setting this variable to 'none' prevents the +# inclusion of user controlled authorized_keys file. +#RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys" diff --git a/templates/monkeysphere-host.conf.erb b/templates/monkeysphere-host.conf.erb new file mode 100644 index 0000000..418c696 --- /dev/null +++ b/templates/monkeysphere-host.conf.erb 
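Review bot: The `KEYSERVER=` line interpolates `keyserver` verbatim into a file whose own header says it is an sh-style configuration that the monkeysphere tools source, so a value containing whitespace, quotes or other shell metacharacters becomes shell code executed by `monkeysphere-host` and `monkeysphere-authentication` as root, and even a stray space breaks the file. Validate `$monkeysphere_keyserver` where it is read in `monkeysphere::defaults` — e.g. `if $monkeysphere_keyserver !~ /^[A-Za-z0-9.-]+(:[0-9]+)?$/ { fail("monkeysphere_keyserver must be a host name") }`, loosened if you use the URL form — and quote the emitted value as `KEYSERVER='<%= keyserver %>'`. The same line appears in `monkeysphere-host.conf.erb` and `monkeysphere.conf.erb` in this commit. `keyserver` is resolved from the scope of class `monkeysphere`, which only `include`s `monkeysphere::defaults`; if that lookup does not find it, `'KEYSERVER='+keyserver` raises rather than falling back, so the variable should be fully qualified or the class should inherit (the exact lookup behaviour depends on the Puppet version, which the hunk does not show).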
@@ -0,0 +1,15 @@ +# Monkeysphere host configuration file. + +# This is an sh-style shell configuration file. Variable names should +# be separated from their assignments by a single '=' and no spaces. +# Environment variables with the same names as these variables but +# prefaced by "MONKEYSPHERE_" will take precedence over the values +# specified here. + +# Log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in +# increasing order of verbosity. +#LOG_LEVEL=INFO + +# OpenPGP keyserver +#KEYSERVER=pool.sks-keyservers.net +<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %> diff --git a/templates/monkeysphere.conf.erb b/templates/monkeysphere.conf.erb new file mode 100644 index 0000000..53e4b9e --- /dev/null +++ b/templates/monkeysphere.conf.erb 
@@ -0,0 +1,39 @@ +# Monkeysphere system-wide client configuration file. + +# This is an sh-style shell configuration file. Variable names should +# be separated from their assignments by a single '=' and no spaces. +# Environment variables with the same names as these variables but +# prefaced by "MONKEYSPHERE_" will take precedence over the values +# specified here. + +# Log level. Can be SILENT, ERROR, INFO, VERBOSE, DEBUG, in +# increasing order of verbosity. +#LOG_LEVEL=INFO + +# GPG home directory. If not specified either here or in the +# MONKEYSPHERE_GNUPGHOME environment variable, then the value of the +# GNUPGHOME environment variable will be used. If GNUPGHOME is not +# set either, then the default value is listed below. +#GNUPGHOME=~/.gnupg + +# GPG keyserver to search for keys. +#KEYSERVER=pool.sks-keyservers.net +<%= 'KEYSERVER='+keyserver if keyserver and keyserver != 'pool.sks-keyservers.net' %> +# Set whether or not to check keyservers at every monkeysphere +# interaction, including all ssh connections if you use the +# monkeysphere ssh-proxycommand. Leave unset for default behavior +# (see KEYSERVER CHECKING in monkeysphere(1)), or set to true or false. +# NOTE: setting CHECK_KEYSERVER explicitly to true will leak +# information about the timing and frequency of your ssh connections +# to the maintainer of the keyserver. +#CHECK_KEYSERVER=true + +# The path to the SSH known_hosts file. +#KNOWN_HOSTS=~/.ssh/known_hosts + +# Whether or not to hash the generated known_hosts lines. +# Should be "true" or "false". +#HASH_KNOWN_HOSTS=false + +# The path to the SSH authorized_keys file. +#AUTHORIZED_KEYS=~/.ssh/authorized_keys -- cgit v1.2.3 From 6356f78198821c2e363b65a55c987929eeee178a Mon Sep 17 00:00:00 2001 From: Jamie McClelland Date: Sat, 19 Mar 2011 11:31:59 -0400 Subject: redefining a var generates an error. --- manifests/init.pp | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
diff --git a/manifests/init.pp b/manifests/init.pp index 407313b..7ecf5a1 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -20,11 +20,10 @@ # Class for monkeysphere management # -class monkeysphere { +class monkeysphere inherits monkeysphere::defaults { # The needed packages package { monkeysphere: ensure => installed, } - include monkeysphere::defaults file { "/etc/monkeysphere/monkeysphere.conf": mode => 644, @@ -55,12 +54,12 @@ class monkeysphere::defaults { define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) { # if we're getting a port number, prefix with a colon so it's valid - $port = $port ? { + $prefixed_port = $port ? { '' => '', default => ":$port" } - $key = "${schema}://${fqdn}${port}" + $key = "${schema}://${fqdn}${prefixed_port}" exec { "monkeysphere-host import-key $path $key": alias => "monkeysphere-import-key", -- cgit v1.2.3 From 6daf83e2b81d4a33bb1739c9f4b6c9882e6e1ea2 Mon Sep 17 00:00:00 2001 From: Jamie McClelland Date: Sat, 19 Mar 2011 23:27:16 -0400 Subject: ensure config files are in place before executing monkeysphere commands --- manifests/init.pp | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 7ecf5a1..c25e1f7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -24,20 +24,20 @@ class monkeysphere inherits monkeysphere::defaults { # The needed packages package { monkeysphere: ensure => installed, } - file { - "/etc/monkeysphere/monkeysphere.conf": + file { "monkeysphere_conf": + path => "/etc/monkeysphere/monkeysphere.conf", mode => 644, ensure => present, content => template("monkeysphere/monkeysphere.conf.erb"), } - file { - "/etc/monkeysphere/monkeysphere-host.conf": + file { "monkeysphere_host_conf": + path => "/etc/monkeysphere/monkeysphere-host.conf", mode => 644, ensure => present, content => template("monkeysphere/monkeysphere-host.conf.erb"), } - file { - "/etc/monkeysphere/monkeysphere-authentication.conf": + file { "monkeysphere_authentication_conf": + path => "/etc/monkeysphere/monkeysphere-authentication.conf", mode => 644, ensure => present, content => template("monkeysphere/monkeysphere-authentication.conf.erb"), @@ -59,11 +59,11 @@ define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ default => ":$port" } - $key = "${schema}://${fqdn}${prefixed_port}" + $key = "${scheme}${fqdn}${prefixed_port}" exec { "monkeysphere-host import-key $path $key": alias => "monkeysphere-import-key", - require => [ Package["monkeysphere"] ], + require => [ Package["monkeysphere"], File["monkeysphere_host_conf"] ], unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null" } } @@ -72,7 +72,7 @@ define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ define monkeysphere::publish_keys ( $keyid = '--all' ) { exec { "monkeysphere-host publish-keys $keyid": environment => "MONKEYSPHERE_PROMPT=false", - require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ], + require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"], File["monkeysphere_host_conf"] ], } } 
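Review bot: The `$hostname = $fqdn` parameter of `monkeysphere::import_key` is still ignored — the corrected line builds `$key = "${scheme}${fqdn}${prefixed_port}"` from the fact, so a caller's `hostname =>` silently produces a key for the wrong name; it should read `$key = "${scheme}${hostname}${prefixed_port}"`. The `unless` guard `grep $key` is unanchored, so an existing `ssh://host` identity masks a missing `ssh://host:2222` one; match the exact uid in whatever form `monkeysphere-host s` prints it (`grep -F -x` if the uid is alone on its line — the output format is not visible in the hunk). `monkeysphere::import_key` starts before this hunk.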
@@ -87,23 +87,29 @@ define monkeysphere::email_keys ( $email = 'root' ) { define monkeysphere::add_id_certifier( $keyid ) { exec { "monkeysphere-authentication add-id-certifier $keyid": environment => "MONKEYSPHERE_PROMPT=false", - require => [ Package["monkeysphere"] ], + require => [ Package["monkeysphere"], File["monkeysphere_authentication_conf"] ], unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null" } } -define monkeysphere::authorized_user_ids( $source, $user = 'root', $group = $user, $dest_dir = '/root/.monkeysphere', $dest_file = '.authorized_user_ids') { +define monkeysphere::authorized_user_ids( $source, $dest_dir = '/root/.monkeysphere', $dest_file = '.authorized_user_ids', $group = '') { + $user = $title + $calculated_group = $group ? { + '' => $user, + default => $group + } + file { $dest_dir: owner => $user, - group => $group, + group => $calculated_group, mode => 755, ensure => directory, } file { "${dest_dir}/${dest_file}": owner => $user, - group => $group, + group => $calculated_group, mode => 644, source => $source, ensure => present, @@ -111,8 +117,8 @@ define monkeysphere::authorized_user_ids( $source, $user = 'root', $group = $use } exec { "monkeysphere-authentication update-users $user": - require => [ Package["monkeysphere"] ], refreshonly => true, + require => [ File["monkeysphere_authentication_conf"], Package["monkeysphere"] ], subscribe => File["${dest_dir}/${dest_file}"] } } -- cgit v1.2.3 From e5ca936850b4a7cbcbbb003a1795d23c05760e17 Mon Sep 17 00:00:00 2001 From: Jamie McClelland Date: Sat, 19 Mar 2011 23:39:53 -0400 Subject: default file location does not have a period --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index c25e1f7..0487bb7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -92,7 +92,7 @@ define monkeysphere::add_id_certifier( $keyid ) { } } -define monkeysphere::authorized_user_ids( $source, $dest_dir = '/root/.monkeysphere', $dest_file = '.authorized_user_ids', $group = '') { +define monkeysphere::authorized_user_ids( $source, $dest_dir = '/root/.monkeysphere', $dest_file = 'authorized_user_ids', $group = '') { $user = $title $calculated_group = $group ? { '' => $user, -- cgit v1.2.3 From e249ba513bc97b06f7808373294c249aa14bbda1 Mon Sep 17 00:00:00 2001 From: Jamie McClelland Date: Tue, 29 Mar 2011 22:08:13 -0400 Subject: adding ability for monkeysphere user setup --- README | 66 +++++++++++++++------ manifests/init.pp | 119 ++++++++++++++++++++++++++++++++++---- templates/authorized_user_ids.erb | 6 ++ 3 files changed, 163 insertions(+), 28 deletions(-) create mode 100644 templates/authorized_user_ids.erb diff --git a/README b/README index cc44499..a1d3595 100644 --- a/README +++ b/README 
@@ -1,31 +1,61 @@ The monkeysphere puppet module is designed to help you manage your servers -using the monkeysphere[0]. +and users using the monkeysphere[0]. -Example usage: +Example usage for server setup: - # assuming you are using the sshd puppet module... + # Assuming you are using the sshd puppet module... $sshd_authorized_keys_file = "/var/lib/monkeysphere/authorized_keys/%u" include sshd - # import the generated ssh key into the server's gpg ring - include monkeysphere::import_key + # Optionally, indicate your preferred keyserver. You can specify a server + # under your control and not accessible to the public or + # pool.sks-keyservers.net if you want to publish to the public pool. The + # value you specify here will be used for all monkeysphere and gpg commands + $monkeysphere_keyserver = "zimmermann.mayfirst.org" + include monkeysphere - # add host names to the array below if you do not want them published to the - # web of trust - $monkeysphere_no_publish = [ "animal.mayfirst.org", "test.mayfirst.org" ] - include monkeysphere::publish_key + # Ensure the server's ssh key is imported into your monkeysphere key ring + monkeysphere::import_key { "main": } - # add the fingerprints of the gpgids that should be certifiers - monkeysphere::add_certifiers { dkg: - keyid => "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9" - } - monkeysphere::add_certifiers { jamie: + # Optionally publish the server key to a keyserver (as indicated above) + monkeysphere::publish_server_keys { "main": } + + # Optionally email the server key to your self + monkeysphere::email_server_keys { "we@ourdomain.org": } + + # Be sure to sign the server's key! + + # Indiciate the fingerprint of the gpg key that should be used + # to verify user ids. 
You can repeat this for as many certifiers + # as you need + monkeysphere::add_id_certifier { "jamie": keyid => "1CB57C59F2F42470238F53ABBB0B7EE15F2E4935" } - - # add a authorized_user_ids file for the root user - monkeysphere::root_authorized_user_ids { main: - file => "puppet:///files/monkeysphere/root/authorized_user_ids" + + # Indicate who should have root access on the server + monkeysphere::authorized_user_ids { "root": + user_ids => [ "sarah " , "jose "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9" + } + + 0. http://monkeysphere.info/ diff --git a/manifests/init.pp b/manifests/init.pp index 0487bb7..64331e8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -69,7 +69,7 @@ define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ } # Server host key publication -define monkeysphere::publish_keys ( $keyid = '--all' ) { +define monkeysphere::publish_server_keys ( $keyid = '--all' ) { exec { "monkeysphere-host publish-keys $keyid": environment => "MONKEYSPHERE_PROMPT=false", require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"], File["monkeysphere_host_conf"] ], @@ -77,7 +77,8 @@ define monkeysphere::publish_keys ( $keyid = '--all' ) { } # optionally, mail key somehwere -define monkeysphere::email_keys ( $email = 'root' ) { +define monkeysphere::email_server_keys ( ) { + $email = $title exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp": require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ], } 
@@ -92,28 +93,46 @@ define monkeysphere::add_id_certifier( $keyid ) { } } -define monkeysphere::authorized_user_ids( $source, $dest_dir = '/root/.monkeysphere', $dest_file = 'authorized_user_ids', $group = '') { +define monkeysphere::authorized_user_ids( $user_ids, $dest_dir = '/root/.monkeysphere', $dest_file = 'authorized_user_ids', $group = '') { $user = $title $calculated_group = $group ? { '' => $user, default => $group } - file { - $dest_dir: - owner => $user, - group => $calculated_group, - mode => 755, - ensure => directory, + # don't require user if it's root because root is not handled + # by puppet + case $user { + root: { + file { + $dest_dir: + owner => $user, + group => $calculated_group, + mode => 755, + ensure => directory, + } + } + default: { + file { + $dest_dir: + owner => $user, + group => $calculated_group, + mode => 755, + ensure => directory, + require => $require_user + } + } } + file { "${dest_dir}/${dest_file}": owner => $user, group => $calculated_group, mode => 644, - source => $source, + content => template('monkeysphere/authorized_user_ids.erb'), ensure => present, recurse => true, + require => File[$dest_dir] } exec { "monkeysphere-authentication update-users $user": 
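Review bot: The two `case` branches in `monkeysphere::authorized_user_ids` repeat the whole `file { $dest_dir: ... }` resource and differ only in `require => $require_user`, and nothing in this hunk assigns `$require_user`; either drop it, or express the intent in one resource with something like `require => $user ? { 'root' => undef, default => User[$user] }` so the comment about root matches the code. `recurse => true` on the `${dest_dir}/${dest_file}` resource is a leftover — it has no effect on a plain file — and can go. The `update-users` exec that consumes this file begins inside the hunk but ends outside it.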
@@ -122,3 +141,83 @@ define monkeysphere::authorized_user_ids( $source, $dest_dir = '/root/.monkeysp subscribe => File["${dest_dir}/${dest_file}"] } } + +# ensure that the user has a gpg key created and it is authentication capable +# in the monkeysphere. This is intended to be the same as generated a +# password-less ssh key +# +define monkeysphere::auth_capable_user ( $expire = "1y", $length = "2048", + $uid_name = undef, $email = undef ) { + + $user = $title + + # The goal is no passphrase, monkeysphere won't work without a passphrase. + $calculated_passphrase = $gpg_auto_password ? { + '' => 'monkeys', + default => $gpg_auto_password + } + + $calculated_name = $uid_name ? { + '' => "$user user", + default => $uid_name + } + $calculated_email = $email ? { + '' => "$user@$fqdn", + default => $email + } + exec { "monkeysphere-gen-key-$user": + command => "printf 'Key-Type: RSA\nKey-Length: 2048\nKey-Usage: encrypt,sign\nSubkey-Type: RSA\nSubkey-Length: 2048\nSubkey-Usage: encrypt\nName-Real: $calculated_name\nName-Email: $calculated_email\nPassphrase: $calculated_passphrase\nExpire-Date: 1y\n' | gpg --batch --gen-key", + require => [ Package["monkeysphere"] ], + user => $user, + unless => "gpg --list-secret-key | grep ^sec >/dev/null" + } + + #FIXME - we should check expiration date and extend it if we're < n days before expiration + + # handle auth subkey + exec { "monkeysphere-gen-subkey-$user": + command => "printf '$calculated_passphrase\n' | monkeysphere gen-subkey", + require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ], + user => $user, + unless => "gpg --list-key --with-colons $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5) | grep ^sub | cut -d: -f12 | grep a >/dev/null" + } + +} + +define monkeysphere::publish_user_key ( ){ + $user = $title + + $keyserver_arg = $monkeysphere_keyserver ? 
{ + '' => '', + default => "--keyserver $monkeysphere_keyserver" + } + + exec { "monkeysphere-gpg-send-key-$user": + command => "gpg $keyserver_arg --send-key $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5)", + require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ], + user => $user, + } + +} + +define monkeysphere::owner_trust( $fingerprint, $user = 'root', $level = 6 ) { + $keyserver_arg = $monkeysphere_keyserver ? { + '' => '', + default => "--keyserver $monkeysphere_keyserver" + } + + # ensure the key is in the key ring + exec { "monkeysphere-gpg-recv-key-$user-$fingerprint": + command => "gpg $keyserver_arg --recv-key $fingerprint", + require => [ Package["monkeysphere"] ], + user => $user, + unless => "gpg --list-key $fingerprint 2>&1 >/dev/null" + } + # provide ownertrust + exec { "monkeysphere-gpg-ownertrust-$user-$fingerprint": + command => "printf '$fingerprint:$level\n'\$(gpg --export-ownertrust) | gpg --import-ownertrust", + require => [ Package["monkeysphere"] ], + user => $user, + unless => "gpg --export-ownertrust | grep $fingerprint >/dev/null" + } +} diff --git a/templates/authorized_user_ids.erb b/templates/authorized_user_ids.erb new file mode 100644 index 0000000..9313c6b --- /dev/null +++ b/templates/authorized_user_ids.erb @@ -0,0 +1,6 @@ +# This file is maintained by puppet, changes will be overwritten +<% if user_ids.is_a? String -%> +<%= user_ids %> +<% elsif user_ids.is_a? Array -%> +<%= user_ids.map { |i| "#{i}" }.join("\n") %> +<% end -%> -- cgit v1.2.3 From 7a21cb925707f04609da9e28fef13873a07e7e3a Mon Sep 17 00:00:00 2001 From: Jamie McClelland Date: Wed, 30 Mar 2011 11:19:22 -0400 Subject: $required_user variable was left over cruft --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 64331e8..640bc67 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
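Review bot: `$expire` and `$length` are accepted by `monkeysphere::auth_capable_user` but never used: the gen-key batch string hardcodes `Key-Length: 2048`, `Subkey-Length: 2048` and `Expire-Date: 1y`, so a caller passing other values silently gets the defaults. Interpolate them as `Key-Length: $length`, `Subkey-Length: $length` and `Expire-Date: $expire`. The same string carries `Passphrase: $calculated_passphrase` (default `'monkeys'`) on a command line, where it is visible in the process table and in Puppet's exec logging; if a fixed passphrase is unavoidable, say so in the comment above it and set `logoutput => false` on both execs so at least gpg's output is not reported. The `unless` guards check only that the user has any `sec` line, not the key this define creates. The identical body is re-introduced unchanged by the autoload split (manifests/auth_capable_user.pp below) and the later style commit, so the fix belongs in all of them.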
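Review bot: The new template reads the variable as bare `user_ids` rather than `@user_ids`, which relies on Puppet's deprecated method-style access and is inconsistent with the `@raw_authorized_keys` form used by later templates in this series; switch to `@user_ids` in all three places. `user_ids.map { |i| "#{i}" }.join("\n")` is a no-op map around `join`, so `<%= @user_ids.join("\n") %>` says the same thing. Any value that is neither a String nor an Array currently produces an empty file silently, which for an authorization file deserves an `<% else %>` branch that raises.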
@@ -119,7 +119,7 @@ define monkeysphere::authorized_user_ids( $user_ids, $dest_dir = '/root/.monkey group => $calculated_group, mode => 755, ensure => directory, - require => $require_user + require => User[$user] } } } -- cgit v1.2.3 -- cgit v1.2.3 From d04da28d35b4e33e993ad32b5d6eab1ed6658e76 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 14 Jul 2011 11:23:52 -0300 Subject: Subscribing monkeysphere::email_server_keys to monkeysphere-import-key exec --- manifests/init.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 64e2645..d44a218 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -89,7 +89,9 @@ define monkeysphere::publish_server_keys ( $keyid = '--all' ) { define monkeysphere::email_server_keys ( ) { $email = $title exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp": - require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ], + require => Package["monkeysphere"], + subscribe => Exec["monkeysphere-import-key"], + refreshonly => true, } } -- cgit v1.2.3 From 71d9ff0ef0ace9941a19858acb807f89dfe44946 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Wed, 17 Aug 2011 12:57:58 -0300 Subject: Adding missing requirements --- manifests/init.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index d44a218..d5358b5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -29,18 +29,21 @@ class monkeysphere inherits monkeysphere::defaults { mode => 644, ensure => present, content => template("monkeysphere/monkeysphere.conf.erb"), + require => Package['monkeysphere'], } file { "monkeysphere_host_conf": path => "/etc/monkeysphere/monkeysphere-host.conf", mode => 644, ensure => present, content => template("monkeysphere/monkeysphere-host.conf.erb"), + require => Package['monkeysphere'], } file { "monkeysphere_authentication_conf": path => "/etc/monkeysphere/monkeysphere-authentication.conf", mode => 644, ensure => present, content => template("monkeysphere/monkeysphere-authentication.conf.erb"), + require => Package['monkeysphere'], } # This was the old way which the module checked monkeysphere keys -- cgit v1.2.3 From 7218eb738f4d4cbcade57cdf72c7cd6c878cd60e Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Wed, 16 Oct 2013 15:06:00 -0400 Subject: split into separate file according to autoloading rules --- manifests/add_id_certifier.pp | 8 ++ manifests/auth_capable_user.pp | 41 ++++++++++ manifests/authorized_user_ids.pp | 48 +++++++++++ manifests/email_server_keys.pp | 9 ++ manifests/import_key.pp | 16 ++++ manifests/init.pp | 173 --------------------------------------- manifests/owner_trust.pp | 21 +++++ manifests/publish_server_keys.pp | 7 ++ manifests/publish_user_key.pp | 15 ++++ 9 files changed, 165 insertions(+), 173 deletions(-) create mode 100644 manifests/add_id_certifier.pp create mode 100644 manifests/auth_capable_user.pp create mode 100644 manifests/authorized_user_ids.pp create mode 100644 manifests/email_server_keys.pp create mode 100644 manifests/import_key.pp create mode 100644 manifests/owner_trust.pp create mode 100644 manifests/publish_server_keys.pp create mode 100644 manifests/publish_user_key.pp diff --git a/manifests/add_id_certifier.pp b/manifests/add_id_certifier.pp new file mode 100644 index 0000000..726551e --- /dev/null +++ b/manifests/add_id_certifier.pp 
@@ -0,0 +1,8 @@
+# add certifiers
+define monkeysphere::add_id_certifier( $keyid ) {
+ exec { "monkeysphere-authentication add-id-certifier $keyid":
+ environment => "MONKEYSPHERE_PROMPT=false",
+ require => [ Package["monkeysphere"], File["monkeysphere_authentication_conf"] ],
+ unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null"
+ }
+}
diff --git a/manifests/auth_capable_user.pp b/manifests/auth_capable_user.pp
new file mode 100644
index 0000000..bab81f1
--- /dev/null
+++ b/manifests/auth_capable_user.pp
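Review bot: The exec command `monkeysphere-authentication add-id-certifier $keyid` is not fully qualified and the resource sets no `path`, yet its own `unless` calls `/usr/sbin/monkeysphere-authentication`; unless an `Exec { path => ... }` default exists elsewhere in the site, Puppet refuses unqualified commands, and in any case the two should agree — `exec { "/usr/sbin/monkeysphere-authentication add-id-certifier $keyid":` or an explicit `path => '/usr/sbin:/usr/bin:/bin'`. The same mismatch appears in the import_key (`monkeysphere-host import-key`), auth_capable_user, publish_user_key and owner_trust (`gpg`, `monkeysphere`, `printf`) files introduced in the hunks that follow. Separately, `$keyid` goes straight to `add-id-certifier` and to an unanchored `grep`; because a certifier's signatures decide who may log in, check that the caller supplied a full 40-hex fingerprint rather than a short key id, e.g. `if $keyid !~ /^[0-9A-Fa-f]{40}$/ { fail("add_id_certifier: keyid must be a full fingerprint, got ${keyid}") }`.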
@@ -0,0 +1,41 @@
+# ensure that the user has a gpg key created and it is authentication capable
+# in the monkeysphere. This is intended to be the same as generated a
+# password-less ssh key
+#
+define monkeysphere::auth_capable_user ( $expire = "1y", $length = "2048",
+ $uid_name = undef, $email = undef ) {
+
+ $user = $title
+
+ # The goal is no passphrase, monkeysphere won't work without a passphrase.
+ $calculated_passphrase = $gpg_auto_password ? {
+ '' => 'monkeys',
+ default => $gpg_auto_password
+ }
+
+ $calculated_name = $uid_name ? {
+ '' => "$user user",
+ default => $uid_name
+ }
+ $calculated_email = $email ? {
+ '' => "$user@$fqdn",
+ default => $email
+ }
+ exec { "monkeysphere-gen-key-$user":
+ command => "printf 'Key-Type: RSA\nKey-Length: 2048\nKey-Usage: encrypt,sign\nSubkey-Type: RSA\nSubkey-Length: 2048\nSubkey-Usage: encrypt\nName-Real: $calculated_name\nName-Email: $calculated_email\nPassphrase: $calculated_passphrase\nExpire-Date: 1y\n' | gpg --batch --gen-key",
+ require => [ Package["monkeysphere"] ],
+ user => $user,
+ unless => "gpg --list-secret-key | grep ^sec >/dev/null"
+ }
+
+ #FIXME - we should check expiration date and extend it if we're < n days before expiration
+
+ # handle auth subkey
+ exec { "monkeysphere-gen-subkey-$user":
+ command => "printf '$calculated_passphrase\n' | monkeysphere gen-subkey",
+ require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ],
+ user => $user,
+ unless => "gpg --list-key --with-colons $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5) | grep ^sub | cut -d: -f12 | grep a >/dev/null"
+ }
+
+}
diff --git a/manifests/authorized_user_ids.pp b/manifests/authorized_user_ids.pp
new file mode 100644
index 0000000..d400890
--- /dev/null
+++ b/manifests/authorized_user_ids.pp
@@ -0,0 +1,48 @@
+define monkeysphere::authorized_user_ids( $user_ids, $dest_dir = '/root/.monkeysphere', $dest_file = 'authorized_user_ids', $group = '') {
+ $user = $title
+ $calculated_group = $group ? {
+ '' => $user,
+ default => $group
+ }
+
+ # don't require user if it's root because root is not handled
+ # by puppet
+ case $user {
+ root: {
+ file {
+ $dest_dir:
+ owner => $user,
+ group => $calculated_group,
+ mode => 755,
+ ensure => directory,
+ }
+ }
+ default: {
+ file {
+ $dest_dir:
+ owner => $user,
+ group => $calculated_group,
+ mode => 755,
+ ensure => directory,
+ require => User[$user]
+ }
+ }
+ }
+
+ file {
+ "${dest_dir}/${dest_file}":
+ owner => $user,
+ group => $calculated_group,
+ mode => 644,
+ content => template('monkeysphere/authorized_user_ids.erb'),
+ ensure => present,
+ recurse => true,
+ require => File[$dest_dir]
+ }
+
+ exec { "monkeysphere-authentication update-users $user":
+ refreshonly => true,
+ require => [ File["monkeysphere_authentication_conf"], Package["monkeysphere"] ],
+ subscribe => File["${dest_dir}/${dest_file}"]
+ }
+}
diff --git a/manifests/email_server_keys.pp b/manifests/email_server_keys.pp
new file mode 100644
index 0000000..0a0bd4b
--- /dev/null
+++ b/manifests/email_server_keys.pp
@@ -0,0 +1,9 @@
+# optionally, mail key somehwere
+define monkeysphere::email_server_keys ( ) {
+ $email = $title
+ exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp":
+ require => Package["monkeysphere"],
+ subscribe => Exec["monkeysphere-import-key"],
+ refreshonly => true,
+ }
+}
diff --git a/manifests/import_key.pp b/manifests/import_key.pp
new file mode 100644
index 0000000..ec00fee
--- /dev/null
+++ b/manifests/import_key.pp
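Review bot: `recurse => true` on `"${dest_dir}/${dest_file}"` is meaningless for a plain file with `ensure => present` and reads as though a directory were being managed; drop it. The two `file { $dest_dir: ... }` bodies inside the `case` differ only by `require`, so a single resource with `require => $user ? { 'root' => undef, default => User[$user] }` says the same thing without the duplication. The modes `755` and `644` are unquoted integers; write them as strings (`'0755'`, `'0644'`) so newer Puppet does not warn about or misread them. The file contents come from a template that decides who may log in as `$user`, which is worth a one-line header comment on the define since this file has none.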
@@ -0,0 +1,16 @@
+define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) {
+
+ # if we're getting a port number, prefix with a colon so it's valid
+ $prefixed_port = $port ? {
+ '' => '',
+ default => ":$port"
+ }
+
+ $key = "${scheme}${fqdn}${prefixed_port}"
+
+ exec { "monkeysphere-host import-key $path $key":
+ alias => "monkeysphere-import-key",
+ require => [ Package["monkeysphere"], File["monkeysphere_host_conf"] ],
+ unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null"
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index a58faec..4d48ed3 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
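Review bot: `monkeysphere::import_key` declares `$hostname = $fqdn` but builds the service name as `"${scheme}${fqdn}${prefixed_port}"`, so the parameter is dead and a caller passing `hostname => 'alias.example.org'` (constructed example) still imports the host key under the machine's fqdn; the line should read `$key = "${scheme}${hostname}${prefixed_port}"`. The later style-fix hunk for this file reformats the signature but keeps the same body. The `unless` also hands `$key` to `grep` as an unanchored regular expression, where the dots in the fqdn match any character and `ssh://host.example.org` also matches `ssh://host.example.org:2222`, so a fixed-string match (`grep -F`) against the exact service name would make the guard reliable.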
@@ -65,176 +65,3 @@ class monkeysphere( require => Package['monkeysphere'], } } - -define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) { - - # if we're getting a port number, prefix with a colon so it's valid - $prefixed_port = $port ? { - '' => '', - default => ":$port" - } - - $key = "${scheme}${fqdn}${prefixed_port}" - - exec { "monkeysphere-host import-key $path $key": - alias => "monkeysphere-import-key", - require => [ Package["monkeysphere"], File["monkeysphere_host_conf"] ], - unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null" - } -} - - # Server host key publication -define monkeysphere::publish_server_keys ( $keyid = '--all' ) { - exec { "monkeysphere-host publish-keys $keyid": - environment => "MONKEYSPHERE_PROMPT=false", - require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"], File["monkeysphere_host_conf"] ], - } -} - -# optionally, mail key somehwere -define monkeysphere::email_server_keys ( ) { - $email = $title - exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp": - require => Package["monkeysphere"], - subscribe => Exec["monkeysphere-import-key"], - refreshonly => true, - } -} - -# add certifiers -define monkeysphere::add_id_certifier( $keyid ) { - exec { "monkeysphere-authentication add-id-certifier $keyid": - environment => "MONKEYSPHERE_PROMPT=false", - require => [ Package["monkeysphere"], File["monkeysphere_authentication_conf"] ], - unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null" - } -} - -define monkeysphere::authorized_user_ids( $user_ids, $dest_dir = '/root/.monkeysphere', $dest_file = 'authorized_user_ids', $group = '') { - $user = $title - $calculated_group = $group ? 
{ - '' => $user, - default => $group - } - - # don't require user if it's root because root is not handled - # by puppet - case $user { - root: { - file { - $dest_dir: - owner => $user, - group => $calculated_group, - mode => 755, - ensure => directory, - } - } - default: { - file { - $dest_dir: - owner => $user, - group => $calculated_group, - mode => 755, - ensure => directory, - require => User[$user] - } - } - } - - file { - "${dest_dir}/${dest_file}": - owner => $user, - group => $calculated_group, - mode => 644, - content => template('monkeysphere/authorized_user_ids.erb'), - ensure => present, - recurse => true, - require => File[$dest_dir] - } - - exec { "monkeysphere-authentication update-users $user": - refreshonly => true, - require => [ File["monkeysphere_authentication_conf"], Package["monkeysphere"] ], - subscribe => File["${dest_dir}/${dest_file}"] - } -} - -# ensure that the user has a gpg key created and it is authentication capable -# in the monkeysphere. This is intended to be the same as generated a -# password-less ssh key -# -define monkeysphere::auth_capable_user ( $expire = "1y", $length = "2048", - $uid_name = undef, $email = undef ) { - - $user = $title - - # The goal is no passphrase, monkeysphere won't work without a passphrase. - $calculated_passphrase = $gpg_auto_password ? { - '' => 'monkeys', - default => $gpg_auto_password - } - - $calculated_name = $uid_name ? { - '' => "$user user", - default => $uid_name - } - $calculated_email = $email ? 
{ - '' => "$user@$fqdn", - default => $email - } - exec { "monkeysphere-gen-key-$user": - command => "printf 'Key-Type: RSA\nKey-Length: 2048\nKey-Usage: encrypt,sign\nSubkey-Type: RSA\nSubkey-Length: 2048\nSubkey-Usage: encrypt\nName-Real: $calculated_name\nName-Email: $calculated_email\nPassphrase: $calculated_passphrase\nExpire-Date: 1y\n' | gpg --batch --gen-key", - require => [ Package["monkeysphere"] ], - user => $user, - unless => "gpg --list-secret-key | grep ^sec >/dev/null" - } - - #FIXME - we should check expiration date and extend it if we're < n days before expiration - - # handle auth subkey - exec { "monkeysphere-gen-subkey-$user": - command => "printf '$calculated_passphrase\n' | monkeysphere gen-subkey", - require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ], - user => $user, - unless => "gpg --list-key --with-colons $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5) | grep ^sub | cut -d: -f12 | grep a >/dev/null" - } - -} - -define monkeysphere::publish_user_key ( ){ - $user = $title - - $keyserver_arg = $monkeysphere_keyserver ? { - '' => '', - default => "--keyserver $monkeysphere_keyserver" - } - - exec { "monkeysphere-gpg-send-key-$user": - command => "gpg $keyserver_arg --send-key $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5)", - require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ], - user => $user, - } - -} - -define monkeysphere::owner_trust( $fingerprint, $user = 'root', $level = 6 ) { - $keyserver_arg = $monkeysphere_keyserver ? 
{ - '' => '', - default => "--keyserver $monkeysphere_keyserver" - } - - # ensure the key is in the key ring - exec { "monkeysphere-gpg-recv-key-$user-$fingerprint": - command => "gpg $keyserver_arg --recv-key $fingerprint", - require => [ Package["monkeysphere"] ], - user => $user, - unless => "gpg --list-key $fingerprint 2>&1 >/dev/null" - } - # provide ownertrust - exec { "monkeysphere-gpg-ownertrust-$user-$fingerprint": - command => "printf '$fingerprint:$level\n'\$(gpg --export-ownertrust) | gpg --import-ownertrust", - require => [ Package["monkeysphere"] ], - user => $user, - unless => "gpg --export-ownertrust | grep $fingerprint >/dev/null" - } -} diff --git a/manifests/owner_trust.pp b/manifests/owner_trust.pp new file mode 100644 index 0000000..765a1f8 --- /dev/null +++ b/manifests/owner_trust.pp @@ -0,0 +1,21 @@ +define monkeysphere::owner_trust( $fingerprint, $user = 'root', $level = 6 ) { + $keyserver_arg = $monkeysphere_keyserver ? { + '' => '', + default => "--keyserver $monkeysphere_keyserver" + } + + # ensure the key is in the key ring + exec { "monkeysphere-gpg-recv-key-$user-$fingerprint": + command => "gpg $keyserver_arg --recv-key $fingerprint", + require => [ Package["monkeysphere"] ], + user => $user, + unless => "gpg --list-key $fingerprint 2>&1 >/dev/null" + } + # provide ownertrust + exec { "monkeysphere-gpg-ownertrust-$user-$fingerprint": + command => "printf '$fingerprint:$level\n'\$(gpg --export-ownertrust) | gpg --import-ownertrust", + require => [ Package["monkeysphere"] ], + user => $user, + unless => "gpg --export-ownertrust | grep $fingerprint >/dev/null" + } +} diff --git a/manifests/publish_server_keys.pp b/manifests/publish_server_keys.pp new file mode 100644 index 0000000..81e32aa --- /dev/null +++ b/manifests/publish_server_keys.pp 
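Review bot: In `monkeysphere::owner_trust` the guard `unless => "gpg --list-key $fingerprint 2>&1 >/dev/null"` duplicates stderr onto the original stdout before stdout is sent to /dev/null, so gpg's error text is still printed on every evaluation; the intended order is `>/dev/null 2>&1`. The default `$level = 6` is, in gpg's ownertrust export format, ultimate trust, so a key fetched from the keyserver becomes a trust root for `$user` unless the caller overrides it; that deserves a comment on the parameter line, e.g. `# 6 = ultimate ownertrust; use 5 (full) unless this key is meant to be a root of trust`. Because `--recv-key` and the `grep $fingerprint` guards accept any key identifier, checking that `$fingerprint` is a full 40-hex fingerprint before the execs (`if $fingerprint !~ /^[0-9A-Fa-f]{40}$/ { fail("owner_trust: full fingerprint required, got ${fingerprint}") }`) prevents a short id from selecting an unintended key. The same define is first introduced in the earlier init.pp hunk of this series with identical text.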
@@ -0,0 +1,7 @@ +# Server host key publication +define monkeysphere::publish_server_keys ( $keyid = '--all' ) { + exec { "monkeysphere-host publish-keys $keyid": + environment => "MONKEYSPHERE_PROMPT=false", + require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"], File["monkeysphere_host_conf"] ], + } +} diff --git a/manifests/publish_user_key.pp b/manifests/publish_user_key.pp new file mode 100644 index 0000000..f76c408 --- /dev/null +++ b/manifests/publish_user_key.pp @@ -0,0 +1,15 @@ +define monkeysphere::publish_user_key ( ){ + $user = $title + + $keyserver_arg = $monkeysphere_keyserver ? { + '' => '', + default => "--keyserver $monkeysphere_keyserver" + } + + exec { "monkeysphere-gpg-send-key-$user": + command => "gpg $keyserver_arg --send-key $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5)", + require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ], + user => $user, + } + +} -- cgit v1.2.3 From dc884e878793fccf3439ce58c68ad104943ad061 Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Wed, 16 Oct 2013 15:17:19 -0400 Subject: style fixes --- manifests/auth_capable_user.pp | 7 +++-- manifests/authorized_user_ids.pp | 7 ++++- manifests/import_key.pp | 10 ++++--- manifests/init.pp | 56 +++++++++++++++++++--------------------- manifests/owner_trust.pp | 6 ++++- manifests/publish_server_keys.pp | 2 +- 6 files changed, 51 insertions(+), 37 deletions(-) diff --git a/manifests/auth_capable_user.pp b/manifests/auth_capable_user.pp index bab81f1..497407c 100644 --- a/manifests/auth_capable_user.pp +++ b/manifests/auth_capable_user.pp @@ -2,8 +2,11 @@ # in the monkeysphere. This is intended to be the same as generated a # password-less ssh key # -define monkeysphere::auth_capable_user ( $expire = "1y", $length = "2048", - $uid_name = undef, $email = undef ) { +define monkeysphere::auth_capable_user ( + $expire = "1y", + $length = "2048", + $uid_name = undef, + $email = undef ) { $user = $title 
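Review bot: `monkeysphere::publish_user_key` requires `Exec["monkeysphere-gen-key-$user"]`, a resource declared only by `monkeysphere::auth_capable_user` with the same title, so declaring it on its own fails at catalog compile; document the coupling above the define, e.g. `# Requires monkeysphere::auth_capable_user { $title: } in the same catalog (depends on its gen-key exec).`. The exec has no `unless`, so `gpg --send-key` runs on every Puppet run, and the key id list comes from every `sec` line of `gpg --list-secret-key`, so it appears to publish all of the user's secret keys rather than only the one this module generated. The file also has no header comment describing what it publishes and where.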
diff --git a/manifests/authorized_user_ids.pp b/manifests/authorized_user_ids.pp index d400890..09fd182 100644 --- a/manifests/authorized_user_ids.pp +++ b/manifests/authorized_user_ids.pp @@ -1,4 +1,9 @@ -define monkeysphere::authorized_user_ids( $user_ids, $dest_dir = '/root/.monkeysphere', $dest_file = 'authorized_user_ids', $group = '') { +define monkeysphere::authorized_user_ids( + $user_ids, + $dest_dir = '/root/.monkeysphere', + $dest_file = 'authorized_user_ids', + $group = '') { + $user = $title $calculated_group = $group ? { '' => $user, diff --git a/manifests/import_key.pp b/manifests/import_key.pp index ec00fee..ba965ce 100644 --- a/manifests/import_key.pp +++ b/manifests/import_key.pp @@ -1,4 +1,8 @@ -define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) { +define monkeysphere::import_key ( + $scheme = 'ssh://', + $port = '', + $path = '/etc/ssh/ssh_host_rsa_key', + $hostname = $fqdn ) { # if we're getting a port number, prefix with a colon so it's valid $prefixed_port = $port ? { @@ -10,7 +14,7 @@ define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ exec { "monkeysphere-host import-key $path $key": alias => "monkeysphere-import-key", - require => [ Package["monkeysphere"], File["monkeysphere_host_conf"] ], - unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null" + require => [ Package["monkeysphere"], File["monkeysphere_host_conf"] ], + unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null" } } diff --git a/manifests/init.pp b/manifests/init.pp index 4d48ed3..30035be 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -27,41 +27,39 @@ class monkeysphere( $keyserver = 'pool.sks-keyservers.net' ) { # The needed packages - package{'monkeysphere': + package { 'monkeysphere': ensure => $ensure_version, } $key = "ssh://${::fqdn}${port}" common::module_dir { [ 'monkeysphere', 'monkeysphere/hosts', 'monkeysphere/plugins' ]: } - # This was the old way which the module checked monkeysphere keys - file { "/usr/local/sbin/monkeysphere-check-key": - ensure => absent, - owner => root, - group => root, - mode => 0755, - content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null || false", - } - file { "monkeysphere_conf": - path => "/etc/monkeysphere/monkeysphere.conf", - mode => 644, - ensure => present, - content => template("monkeysphere/monkeysphere.conf.erb"), - require => Package['monkeysphere'], - } - file { "monkeysphere_host_conf": - path => "/etc/monkeysphere/monkeysphere-host.conf", - mode => 644, - ensure => present, - content => template("monkeysphere/monkeysphere-host.conf.erb"), - require => Package['monkeysphere'], - } - file { "monkeysphere_authentication_conf": - path => "/etc/monkeysphere/monkeysphere-authentication.conf", - mode => 644, - ensure => present, - content => template("monkeysphere/monkeysphere-authentication.conf.erb"), - require => Package['monkeysphere'], + file { + # This was the old way which the module checked monkeysphere keys + '/usr/local/sbin/monkeysphere-check-key': + ensure => absent, + owner => root, + group => root, + mode => 0755, + content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null || false"; + 'monkeysphere_conf': + path => '/etc/monkeysphere/monkeysphere.conf', + mode => 644, + ensure => present, + content => template('monkeysphere/monkeysphere.conf.erb'), + require => Package['monkeysphere']; + 'monkeysphere_host_conf': + path => '/etc/monkeysphere/monkeysphere-host.conf', + mode => 644, + ensure => present, + content => 
template('monkeysphere/monkeysphere-host.conf.erb'), + require => Package['monkeysphere']; + 'monkeysphere_authentication_conf': + path => '/etc/monkeysphere/monkeysphere-authentication.conf', + mode => 644, + ensure => present, + content => template('monkeysphere/monkeysphere-authentication.conf.erb'), + require => Package['monkeysphere']; } } diff --git a/manifests/owner_trust.pp b/manifests/owner_trust.pp index 765a1f8..0e0af7f 100644 --- a/manifests/owner_trust.pp +++ b/manifests/owner_trust.pp @@ -1,4 +1,8 @@ -define monkeysphere::owner_trust( $fingerprint, $user = 'root', $level = 6 ) { +define monkeysphere::owner_trust ( + $fingerprint, + $user = 'root', + $level = 6 ) { + $keyserver_arg = $monkeysphere_keyserver ? { '' => '', default => "--keyserver $monkeysphere_keyserver" diff --git a/manifests/publish_server_keys.pp b/manifests/publish_server_keys.pp index 81e32aa..33e070e 100644 --- a/manifests/publish_server_keys.pp +++ b/manifests/publish_server_keys.pp @@ -2,6 +2,6 @@ define monkeysphere::publish_server_keys ( $keyid = '--all' ) { exec { "monkeysphere-host publish-keys $keyid": environment => "MONKEYSPHERE_PROMPT=false", - require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"], File["monkeysphere_host_conf"] ], + require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"], File["monkeysphere_host_conf"] ]; } } -- cgit v1.2.3 From db082697788659730e91aa34fa293b8cab7029d9 Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Wed, 16 Oct 2013 16:07:19 -0400 Subject: move away from debian-specific cron.d towards standard cron type --- files/etc/cron.d/update-monkeysphere-auth | 1 - manifests/sshserver.pp | 10 ++++------ 2 files changed, 4 insertions(+), 7 deletions(-) delete mode 100644 files/etc/cron.d/update-monkeysphere-auth diff --git a/files/etc/cron.d/update-monkeysphere-auth b/files/etc/cron.d/update-monkeysphere-auth deleted file mode 100644 index 06bb5ae..0000000 
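Review bot: `'/usr/local/sbin/monkeysphere-check-key'` is `ensure => absent`, yet the rewritten `file { ... }` block still gives it owner, group, mode and a content string; Puppet ignores those on an absent file, so the entry can shrink to `'/usr/local/sbin/monkeysphere-check-key': ensure => absent;` and the old bash one-liner disappears from the manifest. The block also mixes `mode => 0755` with `mode => 644`; both should be quoted strings (`'0755'`, `'0644'`) for consistency and to avoid mode-interpretation warnings. The context line `$key = "ssh://${::fqdn}${port}"` references `$port`, while the class parameter visible in later hunks is `$ssh_port`; if `$port` is not set elsewhere, `$key` is always `ssh://<fqdn>`, which is harmless once the check script is gone but misleading to readers.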
--- a/files/etc/cron.d/update-monkeysphere-auth +++ /dev/null @@ -1 +0,0 @@ -*/5 * * * * root /usr/sbin/monkeysphere-authentication update-users diff --git a/manifests/sshserver.pp b/manifests/sshserver.pp index 43c0f6f..43f6a3d 100644 --- a/manifests/sshserver.pp +++ b/manifests/sshserver.pp @@ -10,12 +10,10 @@ class monkeysphere::sshserver { } } - file{'/etc/cron.d/update-monkeysphere-auth': - ensure => present, - source => 'puppet:///modules/monkeysphere/etc/cron.d/update-monkeysphere-auth', + cron {'update-monkeysphere-auth': + command => '/usr/sbin/monkeysphere-authentication update-users', + user => root, + minute => '*/5', require => Package['monkeysphere'], - mode => '0644', - owner => root, - group => root, } } -- cgit v1.2.3 From a8ed6675632af316c2eb7223088e12da3e4ee129 Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Wed, 6 Nov 2013 16:58:24 -0500 Subject: RAW_AUTHORIZED_KEYS support --- manifests/init.pp | 4 ++++ templates/monkeysphere.conf.erb | 2 ++ 2 files changed, 6 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index 30035be..b360098 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -24,6 +24,10 @@ class monkeysphere( $ssh_port = '', $publish_key = false, $ensure_version = 'installed', + # if not false, will override the path for MONKEYSPHERE_RAW_AUTHORIZED_KEYS + # use 'none' to disable appending the authorized_keys file + # see monkeysphere-authentication for more information + $raw_authorized_keys = false, $keyserver = 'pool.sks-keyservers.net' ) { # The needed packages diff --git a/templates/monkeysphere.conf.erb b/templates/monkeysphere.conf.erb index 53e4b9e..f7988b8 100644 --- a/templates/monkeysphere.conf.erb +++ b/templates/monkeysphere.conf.erb @@ -37,3 +37,5 @@ # The path to the SSH authorized_keys file. #AUTHORIZED_KEYS=~/.ssh/authorized_keys + +<% if @raw_authorized_keys %>RAW_AUTHORIZED_KEYS=<%= @raw_authorized_keys %><% end %> -- cgit v1.2.3 
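Review bot: The new `$raw_authorized_keys = false` default leaves monkeysphere-authentication's own setting in force, which according to the upstream config comment quoted in a later hunk of this series appends each user's `~/.ssh/authorized_keys` to the generated file; an operator who deploys this module so that monkeysphere is the only source of SSH authorization has to set `'none'` explicitly, and the parameter comment does not say so. Extend it with `# default (false) keeps upstream behaviour: the user's own ~/.ssh/authorized_keys is still honoured`. The template hunk in this commit writes the directive into monkeysphere.conf, whereas the upstream sample places it in monkeysphere-authentication.conf; that is corrected later in the series.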
From 17b7e2d0f2292b673fb0b6fb47a8655ff1fe2a8b Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Wed, 6 Nov 2013 17:00:40 -0500 Subject: remove unused variable --- manifests/init.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index b360098..8e80494 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -22,7 +22,6 @@ class monkeysphere( $ssh_port = '', - $publish_key = false, $ensure_version = 'installed', # if not false, will override the path for MONKEYSPHERE_RAW_AUTHORIZED_KEYS # use 'none' to disable appending the authorized_keys file -- cgit v1.2.3 From 09d4ccd2c1bbdfc1703352ba6efa0113798eaaec Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Mon, 18 Nov 2013 15:06:44 -0500 Subject: fix typo in modules_dir directive --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 8e80494..5c2ac5a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -36,7 +36,7 @@ class monkeysphere( $key = "ssh://${::fqdn}${port}" - common::module_dir { [ 'monkeysphere', 'monkeysphere/hosts', 'monkeysphere/plugins' ]: } + common::modules_dir { [ 'monkeysphere', 'monkeysphere/hosts', 'monkeysphere/plugins' ]: } file { # This was the old way which the module checked monkeysphere keys -- cgit v1.2.3 From faf9c3f30d26594e749ed6b6c10f5e29b815834f Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Mon, 18 Nov 2013 15:10:57 -0500 Subject: fix path to modules_dir --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 5c2ac5a..31c341d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -36,7 +36,7 @@ class monkeysphere( $key = "ssh://${::fqdn}${port}" - common::modules_dir { [ 'monkeysphere', 'monkeysphere/hosts', 'monkeysphere/plugins' ]: } + modules_dir { [ 'monkeysphere', 'monkeysphere/hosts', 'monkeysphere/plugins' ]: } file { # This was the old way which the module checked monkeysphere keys -- cgit v1.2.3 From 70faa645fd9c0359c90a7a310d934dc7d8d493b7 Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Mon, 18 Nov 2013 23:04:42 -0500 Subject: silence cronjob because it's too noisy see https://labs.riseup.net/code/issues/6428 --- manifests/sshserver.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/sshserver.pp b/manifests/sshserver.pp index 43f6a3d..8782155 100644 --- a/manifests/sshserver.pp +++ b/manifests/sshserver.pp @@ -11,7 +11,7 @@ class monkeysphere::sshserver { } cron {'update-monkeysphere-auth': - command => '/usr/sbin/monkeysphere-authentication update-users', + command => '/usr/sbin/monkeysphere-authentication update-users > /dev/null', user => root, minute => '*/5', require => Package['monkeysphere'], -- cgit v1.2.3 From 25116e419c6af78132b777af106bef8edfb2f962 Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Mon, 18 Nov 2013 23:35:20 -0500 Subject: RAW_AUTHORIZED_KEYS belongs in monkeysphere-authentication.conf, not monkeysphere.conf --- templates/monkeysphere-authentication.conf.erb | 3 +++ templates/monkeysphere.conf.erb | 2 -- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/templates/monkeysphere-authentication.conf.erb b/templates/monkeysphere-authentication.conf.erb index 1b13cfd..a76e6b8 100644 --- a/templates/monkeysphere-authentication.conf.erb +++ b/templates/monkeysphere-authentication.conf.erb 
@@ -32,3 +32,6 @@ # username of the user. Setting this variable to 'none' prevents the # inclusion of user controlled authorized_keys file. #RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys" +<% if @raw_authorized_keys -%> +RAW_AUTHORIZED_KEYS=<%= @raw_authorized_keys -%> +<% end -%> diff --git a/templates/monkeysphere.conf.erb b/templates/monkeysphere.conf.erb index f7988b8..53e4b9e 100644 --- a/templates/monkeysphere.conf.erb +++ b/templates/monkeysphere.conf.erb @@ -37,5 +37,3 @@ # The path to the SSH authorized_keys file. #AUTHORIZED_KEYS=~/.ssh/authorized_keys - -<% if @raw_authorized_keys %>RAW_AUTHORIZED_KEYS=<%= @raw_authorized_keys %><% end %> -- cgit v1.2.3 From 5dc585e642997c12eea120963b771c9a46d4aada Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Thu, 21 Nov 2013 15:38:34 -0500 Subject: also silence stderr, as some warnings go there see thousands of tickets RT --- manifests/sshserver.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/sshserver.pp b/manifests/sshserver.pp index 8782155..27d2222 100644 --- a/manifests/sshserver.pp +++ b/manifests/sshserver.pp @@ -11,7 +11,7 @@ class monkeysphere::sshserver { } cron {'update-monkeysphere-auth': - command => '/usr/sbin/monkeysphere-authentication update-users > /dev/null', + command => '/usr/sbin/monkeysphere-authentication update-users > /dev/null 2>&1', user => root, minute => '*/5', require => Package['monkeysphere'], -- cgit v1.2.3 From 71072d8ef1a924484cf7b20af3b57f2f9a1dc8c8 Mon Sep 17 00:00:00 2001 From: Antoine Beaupré Date: Thu, 21 Nov 2013 16:33:00 -0500 Subject: silence failures to show keys that would spam puppet output --- lib/facter/monkeysphere.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/facter/monkeysphere.rb b/lib/facter/monkeysphere.rb index 1d7d68e..6f48a4d 100644 --- a/lib/facter/monkeysphere.rb +++ b/lib/facter/monkeysphere.rb 
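Review bot: The new `RAW_AUTHORIZED_KEYS=<%= @raw_authorized_keys -%>` emits the value bare, while the upstream example line directly above it quotes the path (`#RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"`); the file appears to be parsed as shell-style assignments, so a path containing spaces or `$` would be split or expanded. Emit it quoted, `RAW_AUTHORIZED_KEYS="<%= @raw_authorized_keys %>"`, and drop the `-%>` on that line so the assignment ends with a newline — with both trims in place the value runs straight into whatever follows `<% end -%>`, which is nothing today but will bite the next directive added below it.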
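Review bot: Adding `2>&1` to the cron command discards the last channel on which `monkeysphere-authentication update-users` can report a real failure, so a broken sync now leaves stale authorized_keys files with no trace anywhere; the previous hunk in this series already dropped stdout. Rather than `> /dev/null 2>&1`, keep the output but move it off the cron mail path, e.g. `command => '/usr/sbin/monkeysphere-authentication update-users 2>&1 | logger -t update-monkeysphere-auth',`, so failures land in syslog where they can be alerted on without the per-run mail the commit message objects to. The pipeline does hide the exit status from cron, which is acceptable here only because the cron resource itself ignores it.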
@@ -5,7 +5,7 @@ ssh_fingerprint = ' '
 if File.exist?('/usr/sbin/monkeysphere-host')
- sk = %x{/usr/sbin/monkeysphere-host show-keys}
+ sk = %x{/usr/sbin/monkeysphere-host show-keys 2>/dev/null}
 if $? == 0
 has_hostkey = true
 sk.lines.each do |line|
-- 
cgit v1.2.3

From 6090ef1d2316e79c2908cea72b916496fd0b0620 Mon Sep 17 00:00:00 2001
From: Antoine Beaupré
Date: Fri, 7 Feb 2014 15:30:39 -0500
Subject: follow upstream config file syntax to avoid unnecessary changes

---
 templates/monkeysphere-authentication.conf.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/monkeysphere-authentication.conf.erb b/templates/monkeysphere-authentication.conf.erb
index a76e6b8..b489a68 100644
--- a/templates/monkeysphere-authentication.conf.erb
+++ b/templates/monkeysphere-authentication.conf.erb
@@ -25,7 +25,7 @@
 # For purely admin-controlled authorized_user_ids, you might put them
 # in /etc/monkeysphere/authorized_user_ids/%u, for instance.
 #AUTHORIZED_USER_IDS="%h/.monkeysphere/authorized_user_ids"
-#
+
 # Path to a user controlled authorized_keys file to be added to the
 # monkeysphere-generated authorized_keys file. '%h' will be replaced
 # by the home directory of the user, and '%u' will by replaced by the
-- 
cgit v1.2.3

From 39631404dc41f706ad665ad2770e9c48b98a98fa Mon Sep 17 00:00:00 2001
From: Antoine Beaupré
Date: Wed, 19 Mar 2014 14:42:14 -0400
Subject: randomize monkeysphere sync to relieve office bandwidth, see #13275

side effect: run at every hour instead of 5 minutes
---
 manifests/sshserver.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifests/sshserver.pp b/manifests/sshserver.pp
index 27d2222..a525b55 100644
--- a/manifests/sshserver.pp
+++ b/manifests/sshserver.pp
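Review bot: The `if $? == 0` check on the line after the changed `%x{}` call compares a Process::Status with an integer; it only works because the raw wait status of a clean exit happens to be 0, and `if $?.success?` states the intent directly. With stderr now discarded, the fact carries no trace of why `show-keys` failed, so a `Facter.debug` message in the non-success branch (which lies outside this hunk) would keep the reason available under `facter --debug` without restoring the output the commit removes. The `if File.exist?` block continues past the end of the hunk.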
@@ -13,7 +13,7 @@ class monkeysphere::sshserver {
 cron {'update-monkeysphere-auth':
 command => '/usr/sbin/monkeysphere-authentication update-users > /dev/null 2>&1',
 user => root,
- minute => '*/5',
+ minute => fqdn_rand(60),
 require => Package['monkeysphere'],
 }
 }
-- 
cgit v1.2.3
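Review bot: The changed `minute => fqdn_rand(60)` line turns the refresh into an hourly run at a fixed per-host minute (`hour` is left unset), and its consequence — a key or user ID revoked upstream can remain in the generated authorized_keys for up to an hour — is recorded only in the commit message. A comment on the cron resource, e.g. `# hourly at a per-host minute to spread keyserver load (#13275); revocations can take up to 60 min to propagate`, keeps that trade-off next to the code that makes it. If a shorter worst case is wanted while still spreading load, `minute` also accepts an array of per-host minutes spaced through the hour.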
