1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
# ensure that the user has a gpg key created and it is authentication capable
# in the monkeysphere. This is intended to be the same as generated a
# password-less ssh key
#
define monkeysphere::auth_capable_user (
$expire = "1y",
$length = "2048",
$uid_name = undef,
$email = undef ) {
$user = $title
# The goal is no passphrase, monkeysphere won't work without a passphrase.
$calculated_passphrase = $gpg_auto_password ? {
'' => 'monkeys',
default => $gpg_auto_password
}
$calculated_name = $uid_name ? {
'' => "$user user",
default => $uid_name
}
$calculated_email = $email ? {
'' => "$user@$fqdn",
default => $email
}
exec { "monkeysphere-gen-key-$user":
command => "printf 'Key-Type: RSA\nKey-Length: 2048\nKey-Usage: encrypt,sign\nSubkey-Type: RSA\nSubkey-Length: 2048\nSubkey-Usage: encrypt\nName-Real: $calculated_name\nName-Email: $calculated_email\nPassphrase: $calculated_passphrase\nExpire-Date: 1y\n' | gpg --batch --gen-key",
require => [ Package["monkeysphere"] ],
user => $user,
unless => "gpg --list-secret-key | grep ^sec >/dev/null"
}
#FIXME - we should check expiration date and extend it if we're < n days before expiration
# handle auth subkey
exec { "monkeysphere-gen-subkey-$user":
command => "printf '$calculated_passphrase\n' | monkeysphere gen-subkey",
require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ],
user => $user,
unless => "gpg --list-key --with-colons $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5) | grep ^sub | cut -d: -f12 | grep a >/dev/null"
}
}
|