Merge branch '__ssh_authorized_keys_remove_unknown' into 'master'
[__ssh_authorized_keys] add --remove-unknown parameter See merge request ungleich-public/cdist!884
This commit is contained in:
commit
b99f1eda0f
4 changed files with 44 additions and 1 deletions
8
cdist/conf/type/__ssh_authorized_keys/explorer/keys
Executable file
8
cdist/conf/type/__ssh_authorized_keys/explorer/keys
Executable file
|
@ -0,0 +1,8 @@
|
||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
file="$( . "$__type_explorer/file" )"
|
||||||
|
|
||||||
|
if [ -f "$file" ]
|
||||||
|
then
|
||||||
|
cat "$file"
|
||||||
|
fi
|
|
@ -60,6 +60,9 @@ nofile
|
||||||
Don't manage existence, ownership and permissions of the the authorized_keys
|
Don't manage existence, ownership and permissions of the the authorized_keys
|
||||||
file.
|
file.
|
||||||
|
|
||||||
|
remove-unknown
|
||||||
|
Remove undefined keys.
|
||||||
|
|
||||||
|
|
||||||
EXAMPLES
|
EXAMPLES
|
||||||
--------
|
--------
|
||||||
|
@ -70,6 +73,12 @@ EXAMPLES
|
||||||
__ssh_authorized_keys root \
|
__ssh_authorized_keys root \
|
||||||
--key "$(cat ~/.ssh/id_rsa.pub)"
|
--key "$(cat ~/.ssh/id_rsa.pub)"
|
||||||
|
|
||||||
|
# same as above, but make sure your key is only key in
|
||||||
|
# root's authorized_keys file
|
||||||
|
__ssh_authorized_keys root \
|
||||||
|
--key "$(cat ~/.ssh/id_rsa.pub)" \
|
||||||
|
--remove-unknown
|
||||||
|
|
||||||
# allow key to login as user-name
|
# allow key to login as user-name
|
||||||
__ssh_authorized_keys user-name \
|
__ssh_authorized_keys user-name \
|
||||||
--key "ssh-rsa AXYZAAB3NzaC1yc2..."
|
--key "ssh-rsa AXYZAAB3NzaC1yc2..."
|
||||||
|
|
|
@ -55,8 +55,12 @@ _cksum() {
|
||||||
echo "$1" | cksum | cut -d' ' -f 1
|
echo "$1" | cksum | cut -d' ' -f 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
_type_and_key() {
|
||||||
|
echo "$1" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }'
|
||||||
|
}
|
||||||
|
|
||||||
while read -r key; do
|
while read -r key; do
|
||||||
type_and_key="$(echo "$key" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
|
type_and_key="$( _type_and_key "$key" )"
|
||||||
object_id="$(_cksum "$file")-$(_cksum "$type_and_key")"
|
object_id="$(_cksum "$file")-$(_cksum "$type_and_key")"
|
||||||
set -- "$object_id"
|
set -- "$object_id"
|
||||||
set -- "$@" --file "$file"
|
set -- "$@" --file "$file"
|
||||||
|
@ -72,3 +76,24 @@ while read -r key; do
|
||||||
# Ensure __ssh_authorized_key does not read stdin
|
# Ensure __ssh_authorized_key does not read stdin
|
||||||
__ssh_authorized_key "$@" < /dev/null
|
__ssh_authorized_key "$@" < /dev/null
|
||||||
done < "$__object/parameter/key"
|
done < "$__object/parameter/key"
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/remove-unknown" ] &&
|
||||||
|
[ -s "$__object/explorer/keys" ]
|
||||||
|
then
|
||||||
|
while read -r key
|
||||||
|
do
|
||||||
|
type_and_key="$( _type_and_key "$key" )"
|
||||||
|
|
||||||
|
if grep -Fq "$type_and_key" "$__object/parameter/key"
|
||||||
|
then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
__ssh_authorized_key "remove-$( _cksum "$file$key" )" \
|
||||||
|
--file "$file" \
|
||||||
|
--key "$key" \
|
||||||
|
--state absent \
|
||||||
|
< /dev/null
|
||||||
|
done \
|
||||||
|
< "$__object/explorer/keys"
|
||||||
|
fi
|
||||||
|
|
|
@ -1,2 +1,3 @@
|
||||||
noparent
|
noparent
|
||||||
nofile
|
nofile
|
||||||
|
remove-unknown
|
||||||
|
|
Loading…
Reference in a new issue