aboutsummaryrefslogtreecommitdiff
path: root/manifests/ssh_authorized_key.pp
blob: 2436df66c8edc1fb350e343fdf25bfef73199c32 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# wrapper to have some defaults.
define sshd::ssh_authorized_key(
    $ensure = 'present',
    $type = 'ssh-dss',
    $key = 'absent',
    $user = '',
    $target = undef,
    $options = 'absent',
    $override_builtin = undef
){

  if ($ensure=='present') and ($key=='absent') {
    fail("You have to set \$key for Sshd::Ssh_authorized_key[${name}]!")
  }

  $real_user = $user ? {
    false   => $name,
    ''      => $name,
    default => $user,
  }

  case $target {
    undef,'': {
      case $real_user {
        'root': { $real_target = '/root/.ssh/authorized_keys' }
        default: { $real_target = "/home/${real_user}/.ssh/authorized_keys" }
      }
    }
    default: {
      $real_target = $target
    }
  }

  # The ssh_authorized_key built-in function (in 2.7.23 at least)
  # will not write an authorized_keys file for a mortal user to
  # a directory they don't have write permission to, puppet attempts to
  # create the file as the user specified with the user parameter and fails.
  # Since ssh will refuse to use authorized_keys files not owned by the
  # user, or in files/directories that allow other users to write, this
  # behavior is deliberate in order to prevent typical non-working
  # configurations. However, it also prevents the case of puppet, running
  # as root, writing a file owned by a mortal user to a common
  # authorized_keys directory such as one might specify in sshd_config with
  # something like
  #  'AuthorizedKeysFile /etc/ssh/authorized_keys/%u'
  # So we provide a way to override the built-in and instead just install
  # via a file resource. There is no additional security risk here, it's
  # nothing a user can't already do by writing their own file resources,
  # we still depend on the filesystem permissions to keep things safe.
  if $override_builtin {
    case $options {
      'absent': {
        info("not setting any option for ssh_authorized_key: ${name}")

        file { '$real_target':
          ensure => $ensure,
          content => '$type $key',
          owner => '$real_user',
          mode => '0600';
        }
      }
      default: {
        file { '$real_target':
          ensure => $ensure,
          content => '$options $type $key',
          owner => '$real_user',
          mode => '0600';
        }
      }
    }
  } else {
    ssh_authorized_key{$name:
      ensure => $ensure,
      type   => $type,
      key    => $key,
      user   => $real_user,
      target => $real_target,
    }

    case $options {
      'absent': {
        info("not setting any option for ssh_authorized_key: ${name}")
      }
      default: {
        Ssh_authorized_key[$name]{
          options => $options,
        }
      }
    }
  }
}