forked from ungleich-public/cdist
new type: __ssh_authorized_keys - manage ssh authorized_keys files
Signed-off-by: Steven Armstrong <steven@icarus.ethz.ch>
This commit is contained in:
parent
af3dad0196
commit
1ef5bcaa74
8 changed files with 332 additions and 0 deletions
45
cdist/conf/type/__ssh_authorized_keys/explorer/entry
Executable file
45
cdist/conf/type/__ssh_authorized_keys/explorer/entry
Executable file
|
@ -0,0 +1,45 @@
|
||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# 2012 Steven Armstrong (steven-cdist at armstrong.cc)
|
||||||
|
#
|
||||||
|
# This file is part of cdist.
|
||||||
|
#
|
||||||
|
# cdist is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# cdist is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
|
||||||
|
owner="$(cat "$__object/parameter/owner" 2>/dev/null || echo "$__object_id")"
|
||||||
|
if [ -f "$__object/parameter/file" ]; then
|
||||||
|
file="$(cat "$__object/parameter/file")"
|
||||||
|
else
|
||||||
|
home="$("$__type_explorer/passwd" | cut -d':' -f 6)"
|
||||||
|
file="$home/.ssh/authorized_keys"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# no authorized_keys file, nothing we could do
|
||||||
|
[ -f "$file" ] || exit 0
|
||||||
|
|
||||||
|
# NOTE: keep variables in sync in manifest/explorer/gencode-*
|
||||||
|
prefix="#cdist:$__object_name"
|
||||||
|
suffix="#/cdist:$__object_name"
|
||||||
|
awk -v prefix="$prefix" -v suffix="$suffix" '{
|
||||||
|
if (index($0,prefix)) {
|
||||||
|
triggered=1
|
||||||
|
}
|
||||||
|
if (triggered) {
|
||||||
|
if (index($0,suffix)) {
|
||||||
|
triggered=0
|
||||||
|
}
|
||||||
|
print
|
||||||
|
}
|
||||||
|
}' "$file"
|
23
cdist/conf/type/__ssh_authorized_keys/explorer/passwd
Executable file
23
cdist/conf/type/__ssh_authorized_keys/explorer/passwd
Executable file
|
@ -0,0 +1,23 @@
|
||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# 2012 Steven Armstrong (steven-cdist at armstrong.cc)
|
||||||
|
#
|
||||||
|
# This file is part of cdist.
|
||||||
|
#
|
||||||
|
# cdist is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# cdist is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
|
||||||
|
owner="$(cat "$__object/parameter/owner" 2>/dev/null || echo "$__object_id")"
|
||||||
|
|
||||||
|
getent passwd "$owner" || true
|
82
cdist/conf/type/__ssh_authorized_keys/gencode-remote
Executable file
82
cdist/conf/type/__ssh_authorized_keys/gencode-remote
Executable file
|
@ -0,0 +1,82 @@
|
||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# 2012 Steven Armstrong (steven-cdist at armstrong.cc)
|
||||||
|
#
|
||||||
|
# This file is part of cdist.
|
||||||
|
#
|
||||||
|
# cdist is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# cdist is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
|
||||||
|
owner="$(cat "$__object/parameter/owner" 2>/dev/null || echo "$__object_id")"
|
||||||
|
if [ -f "$__object/parameter/file" ]; then
|
||||||
|
file="$(cat "$__object/parameter/file")"
|
||||||
|
else
|
||||||
|
home="$(cut -d':' -f 6 "$__object/explorer/passwd")"
|
||||||
|
file="$home/.ssh/authorized_keys"
|
||||||
|
fi
|
||||||
|
|
||||||
|
entry="$__object/files/entry"
|
||||||
|
if [ ! -s "$__object/explorer/entry" ]; then
|
||||||
|
state_is='absent'
|
||||||
|
else
|
||||||
|
state_is=$(diff -q "$entry" "$__object/explorer/entry" >/dev/null \
|
||||||
|
&& echo present \
|
||||||
|
|| echo changed
|
||||||
|
)
|
||||||
|
fi
|
||||||
|
|
||||||
|
state_should="$(cat "$__object/parameter/state" 2>/dev/null || echo present)"
|
||||||
|
if [ "$state_should" = "$state_is" ]; then
|
||||||
|
# Nothing to do, move along
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
remove_entry() {
|
||||||
|
# NOTE: keep variables in sync in manifest/explorer/gencode-*
|
||||||
|
prefix="#cdist:$__object_name"
|
||||||
|
suffix="#/cdist:$__object_name"
|
||||||
|
cat << DONE
|
||||||
|
tmpfile=\$(mktemp)
|
||||||
|
awk -v prefix="$prefix" -v suffix="$suffix" '
|
||||||
|
{
|
||||||
|
if (index(\$0,prefix)) {
|
||||||
|
triggered=1
|
||||||
|
}
|
||||||
|
if (triggered) {
|
||||||
|
if (index(\$0,suffix)) {
|
||||||
|
triggered=0
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
print
|
||||||
|
}
|
||||||
|
}' "$file" > "\$tmpfile"
|
||||||
|
mv -f "\$tmpfile" "$file"
|
||||||
|
DONE
|
||||||
|
}
|
||||||
|
|
||||||
|
case "$state_should" in
|
||||||
|
present)
|
||||||
|
if [ "$state_is" = "changed" ]; then
|
||||||
|
remove_entry
|
||||||
|
fi
|
||||||
|
cat << DONE
|
||||||
|
cat >> "$file" << ${__type##*/}_DONE
|
||||||
|
$(cat "$entry")
|
||||||
|
${__type##*/}_DONE
|
||||||
|
DONE
|
||||||
|
;;
|
||||||
|
absent)
|
||||||
|
remove_entry
|
||||||
|
;;
|
||||||
|
esac
|
101
cdist/conf/type/__ssh_authorized_keys/man.text
Normal file
101
cdist/conf/type/__ssh_authorized_keys/man.text
Normal file
|
@ -0,0 +1,101 @@
|
||||||
|
cdist-type__ssh_authorized_keys(7)
|
||||||
|
==================================
|
||||||
|
Steven Armstrong <steven-cdist--@--armstrong.cc>
|
||||||
|
|
||||||
|
|
||||||
|
NAME
|
||||||
|
----
|
||||||
|
cdist-type__ssh_authorized_keys - manage ssh authorized_keys files
|
||||||
|
|
||||||
|
|
||||||
|
DESCRIPTION
|
||||||
|
-----------
|
||||||
|
Adds or removes ssh keys from a authorized_keys file.
|
||||||
|
|
||||||
|
This type also manages the directory containing the authorized_keys
|
||||||
|
file and sets strict ownership and permissions. You can disable this feature
|
||||||
|
with the --noparent boolean parameter.
|
||||||
|
|
||||||
|
The existence, ownership and permissions of the authorized_keys file itself are
|
||||||
|
also managed. This can be disabled with the --nofile boolean parameter. It is
|
||||||
|
then left to the user to ensure that the file exists and that ownership and
|
||||||
|
permissions work with ssh.
|
||||||
|
|
||||||
|
|
||||||
|
REQUIRED PARAMETERS
|
||||||
|
-------------------
|
||||||
|
key::
|
||||||
|
the ssh key which shall be added to this authorized_keys file.
|
||||||
|
Must be a string and can be specified multiple times.
|
||||||
|
|
||||||
|
|
||||||
|
OPTIONAL PARAMETERS
|
||||||
|
-------------------
|
||||||
|
owner::
|
||||||
|
the user owning the authorized_keys file, defaults to object_id.
|
||||||
|
|
||||||
|
state::
|
||||||
|
if the given keys should be 'present' or 'absent', defaults to 'present'.
|
||||||
|
|
||||||
|
file::
|
||||||
|
an alternative destination file, defaults to ~$owner/.ssh/authorized_keys
|
||||||
|
|
||||||
|
comment::
|
||||||
|
an optional comment
|
||||||
|
|
||||||
|
|
||||||
|
BOOLEAN PARAMETERS
|
||||||
|
------------------
|
||||||
|
noparent::
|
||||||
|
don't create or change ownership and permissions of the directory containing
|
||||||
|
the authorized_keys file
|
||||||
|
|
||||||
|
nofile::
|
||||||
|
don't manage existence, ownership and permissions of the the authorized_keys
|
||||||
|
file
|
||||||
|
|
||||||
|
|
||||||
|
EXAMPLES
|
||||||
|
--------
|
||||||
|
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
# add your ssh key to remote root's authorized_keys file
|
||||||
|
__ssh_authorized_keys root \
|
||||||
|
--key "$(cat ~/.ssh/id_rsa.pub)"
|
||||||
|
|
||||||
|
# allow key to login as user-name
|
||||||
|
__ssh_authorized_keys user-name \
|
||||||
|
--key "ssh-rsa AXYZAAB3NzaC1yc2..."
|
||||||
|
|
||||||
|
# same as above, but with explicit owner, two keys and a comment
|
||||||
|
__ssh_authorized_keys some-fancy-id \
|
||||||
|
--owner user-name \
|
||||||
|
--key "ssh-rsa AXYZAAB3NzaC1yc2..." \
|
||||||
|
--key "ssh-rsa AZXYAAB3NzaC1yc2..." \
|
||||||
|
--comment "allow the members of project foo to login"
|
||||||
|
|
||||||
|
# same as above, but authorized_keys file in non standard location
|
||||||
|
__ssh_authorized_keys some-fancy-id \
|
||||||
|
--file /etc/ssh/keys/user-name/authorized_keys \
|
||||||
|
--owner user-name \
|
||||||
|
--key "ssh-rsa AXYZAAB3NzaC1yc2..."
|
||||||
|
|
||||||
|
# same as above, but directory and authorized_keys file is created elswhere
|
||||||
|
__ssh_authorized_keys some-fancy-id \
|
||||||
|
--file /etc/ssh/keys/user-name/authorized_keys \
|
||||||
|
--owner user-name \
|
||||||
|
--noparent \
|
||||||
|
--nofile \
|
||||||
|
--key "ssh-rsa AXYZAAB3NzaC1yc2..."
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
|
SEE ALSO
|
||||||
|
--------
|
||||||
|
- cdist-type(7)
|
||||||
|
|
||||||
|
|
||||||
|
COPYING
|
||||||
|
-------
|
||||||
|
Copyright \(C) 2012 Steven Armstrong. Free use of this software is
|
||||||
|
granted under the terms of the GNU General Public License version 3 (GPLv3).
|
74
cdist/conf/type/__ssh_authorized_keys/manifest
Executable file
74
cdist/conf/type/__ssh_authorized_keys/manifest
Executable file
|
@ -0,0 +1,74 @@
|
||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# 2012 Steven Armstrong (steven-cdist at armstrong.cc)
|
||||||
|
#
|
||||||
|
# This file is part of cdist.
|
||||||
|
#
|
||||||
|
# cdist is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# cdist is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
#
|
||||||
|
|
||||||
|
owner="$(cat "$__object/parameter/owner" 2>/dev/null || echo "$__object_id")"
|
||||||
|
state="$(cat "$__object/parameter/present" 2>/dev/null || echo "present")"
|
||||||
|
if [ -f "$__object/parameter/file" ]; then
|
||||||
|
file="$(cat "$__object/parameter/file")"
|
||||||
|
else
|
||||||
|
home="$(cut -d':' -f 6 "$__object/explorer/passwd")"
|
||||||
|
if [ -z "$home" ]; then
|
||||||
|
echo "Failed to get home directory from explorer." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
file="$home/.ssh/authorized_keys"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f "$__object/parameter/noparent" -o ! -f "$__object/parameter/nofile" ]; then
|
||||||
|
group="$(cut -d':' -f 4 "$__object/explorer/passwd")"
|
||||||
|
if [ -z "$group" ]; then
|
||||||
|
echo "Failed to get owners group from explorer." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f "$__object/parameter/noparent" ]; then
|
||||||
|
# Ensure that the directory in which the authorized_keys shall be exists and
|
||||||
|
# has the right permissions.
|
||||||
|
ssh_directory="${file%/*}"
|
||||||
|
__directory "$ssh_directory" --state present --parents \
|
||||||
|
--owner "$owner" --group "$group" --mode 0700
|
||||||
|
export require="__directory/$ssh_directory"
|
||||||
|
fi
|
||||||
|
if [ ! -f "$__object/parameter/nofile" ]; then
|
||||||
|
# Ensure that authorized_keys file exists and has the right permissions.
|
||||||
|
__file "$file" \
|
||||||
|
--owner "$owner" \
|
||||||
|
--group "$group" \
|
||||||
|
--mode 0600 \
|
||||||
|
--state exists
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# NOTE: keep variables in sync in manifest/explorer/gencode-*
|
||||||
|
prefix="#cdist:$__object_name"
|
||||||
|
suffix="#/cdist:$__object_name"
|
||||||
|
|
||||||
|
mkdir "$__object/files"
|
||||||
|
|
||||||
|
# Generate entry for inclusion in authorized_keys file
|
||||||
|
entry="$__object/files/entry"
|
||||||
|
echo "$prefix" > "$entry"
|
||||||
|
if [ -f "$__object/parameter/comment" ]; then
|
||||||
|
echo "# $(cat "$__object/parameter/comment")" >> "$entry"
|
||||||
|
fi
|
||||||
|
cat "$__object/parameter/key" >> "$entry"
|
||||||
|
# ensure we have a newline after keys
|
||||||
|
echo >> "$entry"
|
||||||
|
echo "$suffix" >> "$entry"
|
2
cdist/conf/type/__ssh_authorized_keys/parameter/boolean
Normal file
2
cdist/conf/type/__ssh_authorized_keys/parameter/boolean
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
noparent
|
||||||
|
nofile
|
4
cdist/conf/type/__ssh_authorized_keys/parameter/optional
Normal file
4
cdist/conf/type/__ssh_authorized_keys/parameter/optional
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
owner
|
||||||
|
state
|
||||||
|
file
|
||||||
|
comment
|
|
@ -0,0 +1 @@
|
||||||
|
key
|
Loading…
Reference in a new issue