Sftp user improvements #5

Merged
merged 3 commits into from

1 participant

@ckaenzig
Owner

No description provided.

ckaenzig added some commits
  ssh::sftp::user: set user shell to nologin (d40c618)
  ssh::sftp::user: add switch to avoid managing directories (c72ca82)
    Sftp users might be used to allow access to existing files and directories.
    In that case, we don't want this definition to create or modify any directory.
  ssh::sftp::user: allow using password instead of ssh_key (d3a7a9d)
ckaenzig merged commit ae35604 into camptocamp:master
Commits on Nov 16, 2012
  1. @ckaenzig ssh::sftp::user: set user shell to nologin
  2. @ckaenzig ssh::sftp::user: add switch to avoid managing directories
     Sftp users might be used to allow access to existing files and directories.
     In that case, we don't want this definition to create or modify any directory.
  3. @ckaenzig ssh::sftp::user: allow using password instead of ssh_key
Showing with 63 additions and 31 deletions.
  1. +63 −31 manifests/sftp/user.pp

manifests/sftp/user.pp
@@ -16,18 +16,27 @@
# [*ssh_options*]
# Key options, see sshd(8) for possible values
#
+# [*password*]
+# Set the user's password
+#
# [*present*]
# Define if this account is present or absent
#
# [*home*]
# The home directory of the user
#
+# [*manage_home*]
+# Select wether to manage the user's home directory
+#
# [*basedir*]
# This directory will be used to store files
#
# [*basedir_mode*]
# The desired permissions for the base directory
#
+# [*manage_basedir*]
+# Select wether to manage the directory given in the basedir parameter.
+#
# [*group*]
# The restricted sftp group name. Must be declared outside this definition.
#
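Review bot: "wether" in the new `manage_home` and `manage_basedir` docs (`# Select wether to manage the user's home directory`) should be "whether". The `password` doc, "Set the user's password", should also state which form is expected: Puppet's `user` type writes this value straight into the account's password field, so it must be the already-hashed string in the format the system expects, not a cleartext password; saying so here avoids callers putting cleartext secrets into the catalog.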
@@ -42,51 +51,74 @@
# Mathieu Bornoz <mathieu.bornoz@camptocamp.com>
#
define ssh::sftp::user (
- $ssh_key,
- $ssh_type = 'ssh-rsa',
- $ssh_options = [],
- $ensure = 'present',
- $home = false,
- $basedir = 'uploads',
- $basedir_mode = '2775',
- $group = 'sftponly'
+ $ssh_key = false,
+ $ssh_type = 'ssh-rsa',
+ $ssh_options = [],
+ $password = false,
+ $ensure = 'present',
+ $home = false,
+ $basedir = 'uploads',
+ $basedir_mode = '2775',
+ $manage_home = true,
+ $manage_basedir = true,
+ $group = 'sftponly'
) {
+ $using_ssh_key = $ssh_key ? {
+ false => false,
+ default => true,
+ }
+
+ if ($using_ssh_key == false) and ($password == false) {
+ fail "Must specify at least one of 'password' or 'ssh_key' in ssh::sftp::user[$name]"
+ }
+
$user_home = $home ? {
false => "/home/${name}",
default => $home,
}
- file {$user_home:
- ensure => directory,
- owner => 'root',
- group => $group,
- mode => '0750',
+ if $manage_home {
+ file {$user_home:
+ ensure => directory,
+ owner => 'root',
+ group => $group,
+ mode => '0750',
+ }
+ }
+
+ $nologin_path = $lsbdistid ? {
+ /Debian|Ubuntu/ => '/usr/sbin/nologin',
+ /RedHat|CentOS/ => '/sbin/nologin',
}
user {$name:
- ensure => $ensure,
- home => $user_home,
- groups => $group,
- shell => '/usr/lib/sftp-server',
- require => File[$user_home]
+ ensure => $ensure,
+ password => $password ? { false => undef, default => $password },
+ home => $user_home,
+ groups => $group,
+ shell => $nologin_path,
}
- file {"${user_home}/${basedir}":
- ensure => directory,
- mode => $basedir_mode,
- owner => $name,
- group => $group,
- require => [ User[$name], Group[$group] ],
+ if $manage_basedir {
+ file {"${user_home}/${basedir}":
+ ensure => directory,
+ mode => $basedir_mode,
+ owner => $name,
+ group => $group,
+ require => [ User[$name], Group[$group] ],
+ }
}
- ssh_authorized_key {"sftponly_${name}":
- ensure => $ensure,
- user => $name,
- key => $ssh_key,
- type => $ssh_type,
- options => $ssh_options,
- require => User[$name],
+ if $using_ssk_key {
+ ssh_authorized_key {"sftponly_${name}":
+ ensure => $ensure,
+ user => $name,
+ key => $ssh_key,
+ type => $ssh_type,
+ options => $ssh_options,
+ require => User[$name],
+ }
}
augeas {"internal-sftp for ${name}":
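Review bot: `if $using_ssk_key {` is a typo for `$using_ssh_key`; the misspelled variable is never assigned, so it evaluates to undef (false) and the `ssh_authorized_key` resource is never declared, meaning users configured with an `ssh_key` get no authorized key at all. The `$nologin_path` selector has no `default` case, so compilation fails on any host whose `$lsbdistid` matches neither `/Debian|Ubuntu/` nor `/RedHat|CentOS/`; add a `default` entry that fails with a clear message or falls back to a known path. Finally, dropping `require => File[$user_home]` from the `user` resource loses the ordering between the root-owned 0750 home directory and the account when `$manage_home` is true; keep it inside the `if $manage_home` block, e.g. `File[$user_home] -> User[$name]`.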