-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Simon Murray
committed
Sep 19, 2014
1 parent
bb354bc
commit a6b1f44
Showing
2 changed files
with
115 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
#datacentred-passwordless_ssh | ||
|
||
#### Table of Contents | ||
|
||
1. [Overview](#overview) | ||
2. [Module Description - What the module does and why it is useful](#module-description) | ||
3. [Usage - Configuration options and additional functionality](#usage) | ||
|
||
## Overview | ||
|
||
Sets up passwordless ssh for a given user with optional privilege escalation | ||
|
||
## Module Description | ||
|
||
Provided an existing user account this module will create the necessary directories, key files and authorize remote logins. Unfortunately due to the nature of ssh we also need to disable strict host checking for this user at present. | ||
|
||
Optionally this module allows the creation of sudo access for the remote user with full control over which accounts and applications can be accessed. | ||
|
||
## Usage | ||
|
||
To allows simple remote ssh access: | ||
|
||
passwordless_ssh { 'cephdeploy': | ||
ssh_private_key => '-----BEGIN RSA PRIVATE KEY----- ...', | ||
ssh_public_key => 'AAAAB3NzaC1yc2EAAA ...', | ||
} | ||
|
||
To allow remote access with sudo rights: | ||
|
||
passwordless_ssh { 'dhcp_sync_agent': | ||
ssh_private_key => '-----BEGIN RSA PRIVATE KEY----- ...', | ||
ssh_public_key => 'AAAAB3NzaC1yc2EAAA ...', | ||
sudo => 'true', | ||
sudo_users => 'root', | ||
sudo_applications => '/etc/init.d/isc-dhcp-server', | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
# == Define: passwordless_ssh | ||
# | ||
# Common pattern to define passwordless ssh access for a | ||
# particular user. Additionally allows sudo access for | ||
# said user if required | ||
# | ||
# === Parameters | ||
# | ||
# [*title*] | ||
# User account to generate the passwordless access for [Mandatory] | ||
# | ||
# [*ssh_private_key*] | ||
# Full private key file contents [Mandatory] | ||
# | ||
# [*ssh_public_key*] | ||
# Public key portion of the public key file [Mandatory] | ||
# | ||
# [*sudo*] | ||
# Whether the remote client needs sudo rights [Optional] | ||
# | ||
# [*sudo_host*] | ||
# Hosts or IPs allowed sudo access [Optional] | ||
# | ||
# [*sudo_users*] | ||
# User accounts that sudo allows to be accessed [Optional] | ||
# | ||
# [*sudo_applications*] | ||
# Applications sudo is allowed to execute [Optional] | ||
# | ||
define passwordless_ssh ( | ||
$ssh_private_key, | ||
$ssh_public_key, | ||
$sudo = false, | ||
$sudo_host = 'ALL', | ||
$sudo_users = 'ALL', | ||
$sudo_applications = 'ALL', | ||
) { | ||
|
||
File { | ||
owner => $title, | ||
group => $ssh_group, | ||
} | ||
|
||
file { "/home/${title}/.ssh": | ||
ensure => directory, | ||
mode => '0755', | ||
} -> | ||
|
||
file { "/home/${title}/.ssh/id_rsa": | ||
ensure => file, | ||
mode => '0400', | ||
content => $ssh_private_key, | ||
} -> | ||
|
||
file { "/home/${title}/.ssh/id_rsa.pub": | ||
ensure => file, | ||
mode => '0644', | ||
content => inline_template("ssh-rsa ${ssh_public_key} ${title}@${::fqdn}"), | ||
} -> | ||
|
||
ssh_authorized_key { "${title}@${::fqdn}": | ||
user => $title, | ||
type => 'ssh-rsa', | ||
key => $ssh_public_key, | ||
} | ||
|
||
if $sudo { | ||
|
||
file { "/etc/sudoers.d/${title}": | ||
ensure => file, | ||
owner => 'root', | ||
group => 'root', | ||
mode => '0440', | ||
content => inline_template("${title} ${sudo_host}=(${sudo_users}) NOPASSWD:${sudo_applications}"), | ||
} | ||
|
||
} | ||
|
||
} |
a6b1f44
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be good to be able to name the keypair files - if an account has several keypairs, for instance.
a6b1f44
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Baby steps my good man! Cater for the need, engineer when use cases arise. To be honest you do raise the point that stuff needs to be tested for regression purposes. Work work work, damn you Sean, hold up we have an intern >:)