diff options
author | Silvio Rhatto <rhatto@riseup.net> | 2016-03-19 10:17:30 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2016-03-19 10:17:30 -0300 |
commit | ff79bc6295e9f089285ccc26c04cc72893a8384f (patch) | |
tree | 1a84dad2d03bc3814305eeaedb4cfd8d8dc09f36 /manifests/ssh_authorized_key.pp | |
parent | 9b1d0f06fee4b0c457d0154c4153415758c10425 (diff) | |
parent | 672b0985d1c2acfde58fecc4c635517522c86268 (diff) | |
download | puppet-sshd-ff79bc6295e9f089285ccc26c04cc72893a8384f.tar.gz puppet-sshd-ff79bc6295e9f089285ccc26c04cc72893a8384f.tar.bz2 |
Merge branch 'master' of https://gitlab.com/shared-puppet-modules-group/sshd
Conflicts:
README
templates/sshd_config/CentOS.erb
templates/sshd_config/CentOS_Final.erb
templates/sshd_config/Debian_etch.erb
templates/sshd_config/Debian_jessie.erb
templates/sshd_config/Debian_sid.erb
templates/sshd_config/Debian_squeeze.erb
templates/sshd_config/Debian_wheezy.erb
templates/sshd_config/Ubuntu_trusty.erb
Diffstat (limited to 'manifests/ssh_authorized_key.pp')
-rw-r--r-- | manifests/ssh_authorized_key.pp | 69 |
1 files changed, 53 insertions, 16 deletions
diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp index 40649b0..80cb3b7 100644 --- a/manifests/ssh_authorized_key.pp +++ b/manifests/ssh_authorized_key.pp @@ -5,7 +5,8 @@ define sshd::ssh_authorized_key( $key = 'absent', $user = '', $target = undef, - $options = 'absent' + $options = 'absent', + $override_builtin = undef ){ if ($ensure=='present') and ($key=='absent') { @@ -13,8 +14,8 @@ define sshd::ssh_authorized_key( } $real_user = $user ? { - false => $name, - '' => $name, + false => $name, + '' => $name, default => $user, } @@ -29,20 +30,56 @@ define sshd::ssh_authorized_key( $real_target = $target } } - ssh_authorized_key{$name: - ensure => $ensure, - type => $type, - key => $key, - user => $real_user, - target => $real_target, - } - case $options { - 'absent': { info("not setting any option for ssh_authorized_key: $name") } - default: { - Ssh_authorized_key[$name]{ - options => $options, - } + # The ssh_authorized_key built-in function (in 2.7.23 at least) + # will not write an authorized_keys file for a mortal user to + # a directory they don't have write permission to, puppet attempts to + # create the file as the user specified with the user parameter and fails. + # Since ssh will refuse to use authorized_keys files not owned by the + # user, or in files/directories that allow other users to write, this + # behavior is deliberate in order to prevent typical non-working + # configurations. However, it also prevents the case of puppet, running + # as root, writing a file owned by a mortal user to a common + # authorized_keys directory such as one might specify in sshd_config with + # something like + # 'AuthorizedKeysFile /etc/ssh/authorized_keys/%u' + # So we provide a way to override the built-in and instead just install + # via a file resource. There is no additional security risk here, it's + # nothing a user can't already do by writing their own file resources, + # we still depend on the filesystem permissions to keep things safe. + if $override_builtin { + $header = "# HEADER: This file is managed by Puppet.\n" + + if $options == 'absent' { + info("not setting any option for ssh_authorized_key: ${name}") + $content = "${header}${type} ${key}\n" + } else { + $content = "${header}${options} ${type} ${key}\n" + } + + file { $real_target: + ensure => $ensure, + content => $content, + owner => $real_user, + mode => '0600', + } + + } else { + + if $options == 'absent' { + info("not setting any option for ssh_authorized_key: ${name}") + } else { + $real_options = $options + } + + ssh_authorized_key{$name: + ensure => $ensure, + type => $type, + key => $key, + user => $real_user, + target => $real_target, + options => $real_options, } } + } |