Initial commit

datacentred · Sep 19, 2014 · a6b1f44 · a6b1f44 · seanhandley · Sep 19, 2014
1 parent bb354bc
commit a6b1f44
Show file tree

Hide file tree

Showing 2 changed files with 115 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -0,0 +1,36 @@
+#datacentred-passwordless_ssh
+
+#### Table of Contents
+
+1. [Overview](#overview)
+2. [Module Description - What the module does and why it is useful](#module-description)
+3. [Usage - Configuration options and additional functionality](#usage)
+
+## Overview
+
+Sets up passwordless ssh for a given user with optional privilege escalation
+
+## Module Description
+
+Provided an existing user account this module will create the necessary directories, key files and authorize remote logins.  Unfortunately due to the nature of ssh we also need to disable strict host checking for this user at present.
+
+Optionally this module allows the creation of sudo access for the remote user with full control over which accounts and applications can be accessed.
+
+## Usage
+
+To allows simple remote ssh access:
+
+    passwordless_ssh { 'cephdeploy':
+      ssh_private_key => '-----BEGIN RSA PRIVATE KEY----- ...',
+      ssh_public_key  => 'AAAAB3NzaC1yc2EAAA ...',
+    }
+
+To allow remote access with sudo rights:
+
+    passwordless_ssh { 'dhcp_sync_agent':
+      ssh_private_key   => '-----BEGIN RSA PRIVATE KEY----- ...',
+      ssh_public_key    => 'AAAAB3NzaC1yc2EAAA ...',
+      sudo              => 'true',
+      sudo_users        => 'root',
+      sudo_applications => '/etc/init.d/isc-dhcp-server',
+    }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -0,0 +1,79 @@
+# == Define: passwordless_ssh
+#
+# Common pattern to define passwordless ssh access for a
+# particular user.  Additionally allows sudo access for
+# said user if required
+#
+# === Parameters
+#
+# [*title*]
+#   User account to generate the passwordless access for [Mandatory]
+#
+# [*ssh_private_key*]
+#   Full private key file contents [Mandatory]
+#
+# [*ssh_public_key*]
+#   Public key portion of the public key file [Mandatory]
+#
+# [*sudo*]
+#   Whether the remote client needs sudo rights [Optional]
+#
+# [*sudo_host*]
+#   Hosts or IPs allowed sudo access [Optional]
+#
+# [*sudo_users*]
+#   User accounts that sudo allows to be accessed [Optional]
+#
+# [*sudo_applications*]
+#   Applications sudo is allowed to execute [Optional]
+#
+define passwordless_ssh (
+  $ssh_private_key,
+  $ssh_public_key,
+  $sudo = false,
+  $sudo_host = 'ALL',
+  $sudo_users = 'ALL',
+  $sudo_applications = 'ALL',
+) {
+
+  File {
+    owner => $title,
+    group => $ssh_group,
+  }
+
+  file { "/home/${title}/.ssh":
+    ensure => directory,
+    mode   => '0755',
+  } ->
+
+  file { "/home/${title}/.ssh/id_rsa":
+    ensure  => file,
+    mode    => '0400',
+    content => $ssh_private_key,
+  } ->
+
+  file { "/home/${title}/.ssh/id_rsa.pub":
+    ensure  => file,
+    mode    => '0644',
+    content => inline_template("ssh-rsa ${ssh_public_key} ${title}@${::fqdn}"),
+  } ->
+
+  ssh_authorized_key { "${title}@${::fqdn}":
+    user    => $title,
+    type    => 'ssh-rsa',
+    key     => $ssh_public_key,
+  }
+
+  if $sudo {
+
+    file { "/etc/sudoers.d/${title}":
+      ensure  => file,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0440',
+      content => inline_template("${title}  ${sudo_host}=(${sudo_users}) NOPASSWD:${sudo_applications}"),
+    }
+
+  }
+
+}