Adding ability to specify custom ssh_key location #149
|
The second commit attempts to clean up the code somewhat by putting ssh key management in a separate defined resource. It also adds some example code and updates the readme to detail usage. Spec test is still absent unfortunately. |
| @@ -17,7 +17,6 @@ | |||
| $forward_source = undef, | |||
| $mode = undef, | |||
| $ensure = 'present', | |||
| $sshkeys = [], | |||
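Review bot: `$sshkeys = []` at the end of this parameter block carries no data type, and neither do `$mode` and `$ensure` above it. Consider declaring it as `Array[String] $sshkeys = []` so that a non-array value is rejected at catalog compilation instead of reaching an authorized_keys file. The hunk header shows this block going from 7 lines to 6, so the README should also say which parameter leaves this define and where callers should now set it.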
@ggeldenhuis Note this line here.
|
Revising my initial comment, I do believe now that this PR could be merged in terms of completeness. |
|
Ran on internal CI with no issues. |
|
Hey @ggeldenhuis There are a few minor changes I would like to suggest, other than that your changes look great and we would love to get this functionality added to our module.
Thank you for creating this PR :-) |
|
@pmcmaw would happily affix the changes, I just wanted to query the Strict Types syntax. No other parameter currently has strict type checking. I was thinking of perhaps sticking to older methods for now and then a separate refactor of the whole module to make use of strict type checking and moving it to puppet5. |
|
Just thinking any new features it would be great if they had the strict type checking as all the other manifests use validation functions to ensure that they are using the correct types. Also something to note is that puppet5 doesn't really have any large language changes. |
|
@pmcmaw I have done the following changes:
sshkeys will not be removed from the custom path if not set, since that implies puppet searching through the whole file system looking for keys in every file. sshkeys will also not be removed from the user's home directory if a custom path is set and purge_keys are set to true. Only keys from the custom path will be removed. I did consider modifying the behaviour to remove keys from both the user's home directory and the custom path but in the end that breaks expected behaviour, since you now remove keys from a location which you did not intend to manage. It could perhaps be an additional flag in the future. |
|
I tried |
|
Merging. |
This PR is not meant to be merged immediately but rather to kick off a discussion about the added functionality. It is currently missing spec tests but is otherwise properly functioning albeit undocumented.
In an ideal world the implementation should happen in the user class and the various bits of ssh key functionality should be moved out of home_dir class. This implementation however achieves the functionality required with the minimum of changes.
In my PR I have made the assumption that when purge_sshkeys are set to true that the intent is to delete all user related keys. Thus if the user has specified a custom ssh key location, unspecified keys in the custom location and the user's home directory will be removed. I am not sure if it is worthwhile to offer a differentiated ability to purge custom and purge home directory. A potential alternative is to only purge custom specified directory.
I created PUP-8982 as a result of my testing. Additionally the ssh_authorized_key resource does not allow for changing the ownership of the sshkey file other than to the user for whom the key is being generated. This is a false assumption if you are storing keys in a different location and specifying AuthorizedKeysFile, AuthorizedKeysCommand and AuthorizedKeysCommandUser in sshd_config. Specifying these values in sshd_config allows you to centralise user ssh keys and disallow the user from modifying them.
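
The ownership concern in the description above, as an added example that is not part of the PR or the module: a Python check that a centrally stored key file and its directory cannot be modified by the account they authenticate. The function names, the one-file-per-user layout and the default trusted owner of uid 0 are assumptions.

```python
import os
import stat
import tempfile

def audit_key_path(path, account_uid, trusted_uid=0):
    """Return reasons the account could alter its own centrally stored key file.

    Checks the key file and its parent directory: each must be owned by
    trusted_uid (root by default), must not be a symlink, and must not be
    group- or world-writable.
    """
    findings = []
    parent = os.path.dirname(os.path.abspath(path))
    for target, label in ((path, "key file"), (parent, "directory")):
        st = os.lstat(target)  # lstat: do not follow a symlink planted by the user
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{label} is a symlink")
            continue
        if st.st_uid == account_uid:
            findings.append(f"{label} is owned by the account itself")
        elif st.st_uid != trusted_uid:
            findings.append(f"{label} is owned by untrusted uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{label} is group- or world-writable")
    return findings

def make_sample(mode=0o644):
    """Build a constructed key directory holding one key file for 'alice'."""
    keydir = tempfile.mkdtemp(prefix="authorized_keys_")
    os.chmod(keydir, 0o755)
    keyfile = os.path.join(keydir, "alice")
    with open(keyfile, "w") as fh:
        fh.write("ssh-ed25519 AAAA...constructed-sample alice@example\n")
    os.chmod(keyfile, mode)
    return keyfile

if __name__ == "__main__":
    me = os.getuid()
    sample = make_sample()
    # The sample is owned by whoever runs this script, so treating that uid as
    # the account reproduces the ownership the PR description objects to.
    print(audit_key_path(sample, account_uid=me))
    # Treating the same uid as the trusted owner models a root-owned key store.
    print(audit_key_path(sample, account_uid=me + 1, trusted_uid=me))
```

Run it against the directory that `AuthorizedKeysFile` points at, passing each account's real uid, after Puppet has applied the catalog.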