aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--manifests/ssh_authorized_key.pp69
1 files changed, 56 insertions, 13 deletions
diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp
index 7201f8b..2436df6 100644
--- a/manifests/ssh_authorized_key.pp
+++ b/manifests/ssh_authorized_key.pp
@@ -5,7 +5,8 @@ define sshd::ssh_authorized_key(
$key = 'absent',
$user = '',
$target = undef,
- $options = 'absent'
+ $options = 'absent',
+ $override_builtin = undef
){
if ($ensure=='present') and ($key=='absent') {
@@ -29,19 +30,61 @@ define sshd::ssh_authorized_key(
$real_target = $target
}
}
- ssh_authorized_key{$name:
- ensure => $ensure,
- type => $type,
- key => $key,
- user => $real_user,
- target => $real_target,
- }
- case $options {
- 'absent': { info("not setting any option for ssh_authorized_key: ${name}") }
- default: {
- Ssh_authorized_key[$name]{
- options => $options,
+ # The ssh_authorized_key built-in function (in 2.7.23 at least)
+ # will not write an authorized_keys file for a mortal user to
+ # a directory they don't have write permission to, puppet attempts to
+ # create the file as the user specified with the user parameter and fails.
+ # Since ssh will refuse to use authorized_keys files not owned by the
+ # user, or in files/directories that allow other users to write, this
+ # behavior is deliberate in order to prevent typical non-working
+ # configurations. However, it also prevents the case of puppet, running
+ # as root, writing a file owned by a mortal user to a common
+ # authorized_keys directory such as one might specify in sshd_config with
+ # something like
+ # 'AuthorizedKeysFile /etc/ssh/authorized_keys/%u'
+ # So we provide a way to override the built-in and instead just install
+ # via a file resource. There is no additional security risk here, it's
+ # nothing a user can't already do by writing their own file resources,
+ # we still depend on the filesystem permissions to keep things safe.
+ if $override_builtin {
+ case $options {
+ 'absent': {
+ info("not setting any option for ssh_authorized_key: ${name}")
+
+ file { '$real_target':
+ ensure => $ensure,
+ content => '$type $key',
+ owner => '$real_user',
+ mode => '0600';
+ }
+ }
+ default: {
+ file { '$real_target':
+ ensure => $ensure,
+ content => '$options $type $key',
+ owner => '$real_user',
+ mode => '0600';
+ }
+ }
+ }
+ } else {
+ ssh_authorized_key{$name:
+ ensure => $ensure,
+ type => $type,
+ key => $key,
+ user => $real_user,
+ target => $real_target,
+ }
+
+ case $options {
+ 'absent': {
+ info("not setting any option for ssh_authorized_key: ${name}")
+ }
+ default: {
+ Ssh_authorized_key[$name]{
+ options => $options,
+ }
}
}
}