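# Wrapper around the built-in ssh_authorized_key type that fills in defaults
# for the owning user and the target file, and can optionally bypass the
# built-in type by writing the authorized_keys file directly.
#
# Parameters:
#   $ensure           - 'present' or 'absent'; passed through unchanged.
#   $type             - key type. Defaults to 'ssh-dss' for backwards
#                       compatibility, but OpenSSH 7.0 and later refuse DSA
#                       keys by default, so callers should pass the type
#                       explicitly (e.g. 'ssh-rsa', 'ssh-ed25519').
#   $key              - the public key material. Mandatory when $ensure is
#                       'present'; the define fails otherwise.
#   $user             - account the key belongs to; empty means $name.
#   $target           - authorized_keys path; derived from the user when
#                       unset or empty.
#   $options          - key options string, or 'absent' for none.
#   $override_builtin - when true, manage $target as a plain file resource
#                       instead of using the built-in type (see below).
#
# With $override_builtin the whole target file is replaced by a single key,
# so only one such resource may manage a given $target, and the parent
# directory is not created by this define.
define sshd::ssh_authorized_key(
    $ensure = 'present',
    $type = 'ssh-dss',
    $key = 'absent',
    $user = '',
    $target = undef,
    $options = 'absent',
    $override_builtin = undef
){

  if ($ensure=='present') and ($key=='absent') {
    fail("You have to set \$key for Sshd::Ssh_authorized_key[${name}]!")
  }

  # An unset or empty $user means "the resource title".
  $real_user = $user ? {
    false   => $name,
    ''      => $name,
    default => $user,
  }

  # Default target: root's home is not under /home.
  case $target {
    undef,'': {
      case $real_user {
        'root': { $real_target = '/root/.ssh/authorized_keys' }
        default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" }
      }
    }
    default: {
      $real_target = $target
    }
  }

  # The ssh_authorized_key built-in function (in 2.7.23 at least)
  # will not write an authorized_keys file for a mortal user to
  # a directory they don't have write permission to, puppet attempts to
  # create the file as the user specified with the user parameter and fails.
  # Since ssh will refuse to use authorized_keys files not owned by the
  # user, or in files/directories that allow other users to write, this
  # behavior is deliberate in order to prevent typical non-working
  # configurations. However, it also prevents the case of puppet, running
  # as root, writing a file owned by a mortal user to a common
  # authorized_keys directory such as one might specify in sshd_config with
  # something like
  #  'AuthorizedKeysFile /etc/ssh/authorized_keys/%u'
  # So we provide a way to override the built-in and instead just install
  # via a file resource. There is no additional security risk here, it's
  # nothing a user can't already do by writing their own file resources,
  # we still depend on the filesystem permissions to keep things safe.
  if $override_builtin {
    # The file content is assembled by string interpolation below, so a key
    # value containing a newline would end up as additional lines of the
    # authorized_keys file. The built-in type rejects such keys; do the same
    # here so both code paths behave alike.
    if $key =~ /\n/ {
      fail("\$key for Sshd::Ssh_authorized_key[${name}] must not contain newlines!")
    }

    $header = "# HEADER: This file is managed by Puppet.\n"

    if $options == 'absent' {
      info("not setting any option for ssh_authorized_key: ${name}")
      $content = "${header}${type} ${key}\n"
    } else {
      $content = "${header}${options} ${type} ${key}\n"
    }

    # Owned by the key's user and private, which is what sshd requires.
    file { $real_target:
      ensure  => $ensure,
      content => $content,
      owner   => $real_user,
      mode    => '0600',
    }

  } else {

    if $options == 'absent' {
      info("not setting any option for ssh_authorized_key: ${name}")
      # Assign explicitly so the variable is always defined; relying on an
      # unassigned variable evaluating to undef fails under strict_variables.
      $real_options = undef
    } else {
      $real_options = $options
    }

    ssh_authorized_key{$name:
      ensure  => $ensure,
      type    => $type,
      key     => $key,
      user    => $real_user,
      target  => $real_target,
      options => $real_options,
    }
  }

}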