Create user accounts instead of sharing root

[edunham]

SSH best practices is to fully disallow remote root login. To do that, we have to start by getting everyone logging in as themselves.

r? @aneeshusa

---

This change is

[asajeffrey]

Travis failures... https://travis-ci.org/servo/saltfs/jobs/116193785

https://gist.github.com/edunham/eb8f3bae70131e5d61df (edunham edited this comment, moving large code block into gist, to make thread easier to read)

[aneeshusa]

I've been waiting for this for so long :)

[aneeshusa]

This won't work on the Macs, I believe we'll need to use /Users instead of /home there. We should do this via a Jinja variable that we pull in from the map.jinja file. I think this is also causing the Travis failure.

[aneeshusa]

Is this sufficient to provide sudo privileges on OS X?

[edunham]

AFAICT, OSX's BSD roots show through here and wheel does the usual thing. https://discussions.apple.com/thread/2210858?start=0&tstart=0

[aneeshusa]

I'm ok with this for now (strictly better than status quo), but just wanted to leave a link to https://sourceforge.net/projects/pamsshagentauth/ as something I like to configure for password-less sudo that still has some security. I'm pretty sure there's nothing similar for OS X.

[aneeshusa]

We can combine this state with the previous one, so that they share the same ID.

[edunham]

As in going like this?

{{ssh_user}}
  user.present:                                                                 
    - createhome: True                                                          
    - optional_groups:                                                          
        - wheel                                                                 
    - empty_password: True
  ssh_auth.present:                                                             
    - user: {{ ssh_user }}                                                      
    - source: salt://{{ tpldir }}/ssh/{{ ssh_user }}.pub                

Sorry, still pretty new to Salt.

[aneeshusa]

Yup, that should work. Docs: https://docs.saltstack.com/en/2015.5/topics/tutorials/states_pt2.html#call-multiple-states

[aneeshusa]

Err, don't forget the colon after the {{ ssh_user }}: (in the id on the top line).

[aneeshusa]

After this lands, we should:

• update the wiki
• (probably as part of #254) add a state that removes root's authorized_keys file. It shouldn't matter with `PermitRootLogin no, but it's nice to have written down explicitly.

[aneeshusa]

Hmm, it seems GitHub has removed the ability to comment on individual commits. FYI: I like to use servo-macpro1 for testing OS X related things, since I can verify settings by hand afterwards.

[aneeshusa]

It looks like the Travis failures are because of the empty_password, which calls the shadow.del_password Salt function, which wasn't implemented for Mac until January of this year (and won't be available until Salt 2016.3). This module also implements setting passwords, so we can't set a (non-empty) password without it either.

We'll need to backport the module manually for now. Here's the docs if you want to give it a spin: https://docs.saltstack.com/en/2015.5/ref/modules/; let me know if you have questions.

[aneeshusa]

Another alternative to backporting the mac_shadow module would be enabling passwordless sudo, so that the passwords on user accounts don't matter.

[bors-servo]

☔ The latest upstream changes (presumably #577) made this pull request unmergeable. Please resolve the merge conflicts.

[edunham]

Superseded by #628. Feedback from here is now applied there.