Create user accounts instead of sharing root #253
Conversation
Travis failures... https://travis-ci.org/servo/saltfs/jobs/116193785 https://gist.github.com/edunham/eb8f3bae70131e5d61df (edunham edited this comment, moving large code block into gist, to make thread easier to read)
I've been waiting for this for so long :)
| @@ -45,8 +45,15 @@ host-{{ hostname }}: | |||
| {% endfor %} | |||
| {% for ssh_user in common.ssh_users %} | |||
| {{ ssh_user }}: | |||
| user.present: | |||
| - home: /home/{{ ssh_user }} | |||
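Review bot: `- home: /home/{{ ssh_user }}` hard-codes the Linux layout, so on the macOS minions this will create accounts outside /Users. Either take the base directory from map.jinja per OS, e.g. `- home: {{ common.home_base }}/{{ ssh_user }}`, or drop the `home` argument altogether and let Salt's user module pick the platform default (useradd's base on Linux, /Users/<name> via the mac_user module).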
aneeshusa
Mar 15, 2016
Member
This won't work on the Macs, I believe we'll need to use /Users instead of /home there. We should do this via a Jinja variable that we pull in from the map.jinja file. I think this is also causing the Travis failure.
| user.present: | ||
| - home: /home/{{ ssh_user }} | ||
| - optional_groups: | ||
| - wheel |
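Review bot: `optional_groups: - wheel` is silently skipped on any host where the `wheel` group does not exist, because `optional_groups` only adds groups that are already present; on Debian/Ubuntu-style hosts, where the admin group is `sudo`, the user would be created with no admin rights and the state would still report success. Take the group name from map.jinja per OS, or use `groups` instead so that a missing group fails the state loudly.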
edunham
Mar 15, 2016
Author
Contributor
AFAICT, OSX's BSD roots show through here and wheel does the usual thing. https://discussions.apple.com/thread/2210858?start=0&tstart=0
| - home: /home/{{ ssh_user }} | ||
| - optional_groups: | ||
| - wheel | ||
| - empty_password: True |
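Review bot: `- empty_password: True` leaves accounts that the lines above also put in `wheel` with no password at all, so any local login path that accepts empty passwords (`su`, a console, PAM configured with `nullok`) yields an admin shell without a credential; sshd's default `PermitEmptyPasswords no` only covers SSH. If the goal is sudo without a password prompt, lock the password instead (on Linux a `password` hash of `*`) and grant `NOPASSWD` to the admin group in sudoers, or use the pam_ssh_agent_auth approach raised in the comment below.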
aneeshusa
Mar 15, 2016
Member
I'm ok with this for now (strictly better than status quo), but just wanted to leave a link to https://sourceforge.net/projects/pamsshagentauth/ as something I like to configure for password-less sudo that still has some security. I'm pretty sure there's nothing similar for OS X.
| - optional_groups: | ||
| - wheel | ||
| - empty_password: True | ||
| sshkey-{{ ssh_user }}: | ||
| ssh_auth.present: |
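Review bot: `ssh_auth.present` under `sshkey-{{ ssh_user }}` writes into the new user's ~/.ssh/authorized_keys, so it must not run before the `user.present` state has created the account and its home directory; either fold it under the same `{{ ssh_user }}:` ID as a second state function, so declaration order carries the dependency, or add `- require:` / `- user: {{ ssh_user }}` to this state.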
aneeshusa
Mar 15, 2016
Member
We can combine this state with the previous one, so that they share the same ID.
edunham
Mar 15, 2016
Author
Contributor
As in going like this?
{{ssh_user}}
  user.present:
    - createhome: True
    - optional_groups:
      - wheel
    - empty_password: True
  ssh_auth.present:
    - user: {{ ssh_user }}
    - source: salt://{{ tpldir }}/ssh/{{ ssh_user }}.pub
Sorry, still pretty new to Salt.
aneeshusa
Mar 15, 2016
Member
Yup, that should work. Docs: https://docs.saltstack.com/en/2015.5/topics/tutorials/states_pt2.html#call-multiple-states
aneeshusa
Mar 15, 2016
Member
Err, don't forget the colon after the {{ ssh_user }}: (in the id on the top line).
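The combined state that the last few comments converge on, written out as an added example rather than code from the saltfs repository: one ID per user carrying both user.present and ssh_auth.present, with the home directory base and the admin group pulled from map.jinja so the same file works on Linux and macOS, the password locked instead of emptied, and passwordless sudo granted to the admin group through a sudoers drop-in. The map keys `home_base` and `admin_group`, the `{% from tpldir ~ "/map.jinja" ... %}` import, the `/etc/sudoers.d/` path and the `ssh/` key directory are assumptions for illustration.

```yaml
# Added example; not the saltfs repository's own state file.
# Assumes map.jinja exports a `common` dict with:
#   ssh_users   - list of login names (as in the PR)
#   home_base   - /home on Linux, /Users on macOS
#   admin_group - wheel on macOS and RHEL-style hosts, sudo on Debian/Ubuntu
{% from tpldir ~ "/map.jinja" import common with context %}

{% for ssh_user in common.ssh_users %}
{{ ssh_user }}:
  user.present:
    - home: {{ common.home_base }}/{{ ssh_user }}
    - createhome: True
    # Salt skips groups listed under optional_groups that do not exist,
    # so the name must already be right for this OS.
    - optional_groups:
      - {{ common.admin_group }}
{% if grains['kernel'] == 'Linux' %}
    # Lock the password (Linux-only field): the account is reached only
    # over SSH with the key below, never with a password.
    - password: '*'
{% endif %}
  ssh_auth.present:
    - user: {{ ssh_user }}
    - source: salt://{{ tpldir }}/ssh/{{ ssh_user }}.pub
    # Declaration order under one ID already runs user.present first;
    # the require makes the dependency explicit.
    - require:
      - user: {{ ssh_user }}
{% endfor %}

# Passwordless sudo for the admin group replaces the empty password.
# Assumed path; visudo -cf validates the rendered file before it is installed.
/etc/sudoers.d/50-{{ common.admin_group }}-nopasswd:
  file.managed:
    - user: root
    - group: {{ 'wheel' if grains['kernel'] == 'Darwin' else 'root' }}
    - mode: 440
    - contents: |
        %{{ common.admin_group }} ALL=(ALL) NOPASSWD: ALL
    - check_cmd: visudo -cf
```

Leaving `home` out entirely is an alternative to `home_base`: Salt's user modules then fall back to the platform default. The `check_cmd` matters because a sudoers file with a syntax error is ignored by sudo, which would silently remove admin access from every account that depends on it.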
After this lands, we should:
Hmm, it seems GitHub has removed the ability to comment on individual commits. FYI: I like to use
It looks like the Travis failures are because of the We'll need to backport the module manually for now. Here are the docs if you want to give it a spin: https://docs.saltstack.com/en/2015.5/ref/modules/; let me know if you have questions.
Another alternative to backporting the
Superseded by #628. Feedback from here is now applied there.
edunham commented Mar 15, 2016
SSH best practice is to fully disallow remote root login. To do that, we have to start by getting everyone logging in as themselves.
r? @aneeshusa
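The sshd side of the goal stated in the description (forbid remote root login once everyone has a personal account), as an added example that is not part of the saltfs repository: the two directives are edited in place, the per-user states are required first so that nobody is locked out, and the config is syntax-checked with `sshd -t` before the service restarts. The sshd_config path, the sshd binary path, the Debian-vs-other service name and the `common.ssh_users` import are assumptions; PermitEmptyPasswords is included because the user state in this PR sets empty passwords.

```yaml
# Added example; not saltfs's own state file. Assumes the per-user states
# in this PR use the login name as their ID and that map.jinja exports
# `common.ssh_users`. Paths and service names are assumed Linux defaults.
{% from tpldir ~ "/map.jinja" import common with context %}
{% set sshd_config = '/etc/ssh/sshd_config' %}
{% set sshd_service = 'ssh' if grains['os_family'] == 'Debian' else 'sshd' %}

{% for directive, value in [('PermitRootLogin', 'no'),
                            ('PermitEmptyPasswords', 'no')] %}
sshd-{{ directive }}:
  file.replace:
    - name: {{ sshd_config }}
    # Match a set or commented-out directive at line start (file.replace
    # defaults to MULTILINE); append the line if the file never mentions it.
    - pattern: '^#?\s*{{ directive }}\s+.*$'
    - repl: '{{ directive }} {{ value }}'
    - append_if_not_found: True
    # Lock root out only after every personal account exists.
    - require:
{% for ssh_user in common.ssh_users %}
      - user: {{ ssh_user }}
{% endfor %}
{% endfor %}

# Refuse to restart sshd on a config it cannot parse: a failing test run
# fails this state, and the service state below requires it.
sshd-config-check:
  cmd.run:
    - name: /usr/sbin/sshd -t -f {{ sshd_config }}
    - onchanges:
      - file: sshd-PermitRootLogin
      - file: sshd-PermitEmptyPasswords

sshd-service:
  service.running:
    - name: {{ sshd_service }}
    - enable: True
    - require:
      - cmd: sshd-config-check
    - watch:
      - file: sshd-PermitRootLogin
      - file: sshd-PermitEmptyPasswords
```

Apply this state only after the user states have run at least once on every minion and each admin has confirmed a key login, since `PermitRootLogin no` removes the shared-root fallback the description is trying to retire.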