
setting dstuser file ownership in __ssh_authorized_key #52

Closed
wants to merge 2 commits into from

2 participants

@nuex

I was having trouble logging in as a __ssh_authorized_key provisioned user after the /home/$dstuser/.ssh/authorized_keys file was created, which I believe was due to permissions not being properly set on the $dstuser's files. This commit gives $dstuser (if defined) ownership of the .ssh directory and authorized_keys file, allowing them to log in.

conf/type/__ssh_authorized_key/manifest
@@ -46,9 +46,26 @@ else
sshpath="/root/.ssh"
fi
rsa=`cat $srcrsa`
-__directory $sshpath
-# the file authorized_keys depends on the .ssh folder
-require="__directory${sshpath}" __file "$sshpath/authorized_keys" --mode 640
+
+# if a destination user is defined, create the .ssh directory with
+# that user's ownership credentials
+if [ "$dstuser" ]; then
+ __directory $sshpath --owner $dstuser --group $dstuser --mode 700
+# if no destination user is defined, create the .ssh directory as root
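Review bot: `--group $dstuser` on the new `__directory $sshpath --owner $dstuser --group $dstuser --mode 700` line assumes the destination user's primary group has the same name as the user, which fails on systems that do not use user-private groups; consider dropping `--group` (with `--mode 700` the group gets no access to the directory anyway) or exposing the group as its own parameter. While touching this line, quote the path as `__directory "$sshpath"`, matching the quoting already used on the `__file "$sshpath/authorized_keys"` line.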
@telmich Owner
telmich added a note

What about a group being named differently than the user?

@telmich Owner
telmich added a note

I believe that using --owner could always be done (root or $dstuser)

I think we can even set up dstuser=root if dstuser is not given

@nuex
nuex added a note

Maybe add a --ssh-directory-group parameter?

@telmich telmich closed this
Commits on Apr 10, 2012
  1. @nuex
Commits on Apr 18, 2012
  1. @nuex
Showing with 22 additions and 25 deletions.
  1. +22 −25 conf/type/__ssh_authorized_key/manifest
47 conf/type/__ssh_authorized_key/manifest
@@ -22,34 +22,31 @@
# authorized_keys of another
#
#require="__package openssh-server --state installed"
-# Get option srcuser if defined
-if [ -f "$__object/parameter/srcuser" ]; then
- srcuser=`cat "$__object/parameter/srcuser"`
-fi
-# Get option dstuser if defined
-if [ -f "$__object/parameter/dstuser" ]; then
- dstuser=`cat "$__object/parameter/dstuser"`
-fi
-# if a source user is defined, use it's public key
-if [ "$srcuser" ]; then
- srcrsa="/home/${srcuser}/.ssh/id_rsa.pub"
-# if no source user is defined we use root's public key
+# If a source user was given, use its public key,
+# otherwise default to using root's public key.
+if [ -f "$__object/parameter/srcuser" ]; then
+ srcuser="$(cat "$__object/parameter/srcuser")"
+ pubkey="$(cat "/home/${srcuser}/.ssh/id_rsa.pub")"
else
- srcrsa="/root/.ssh/id_rsa.pub"
+ pubkey="$(cat /root/.ssh/id_rsa.pub)"
fi
-# if a destination user is defined, insert in it's authorized_keys
-if [ "$dstuser" ]; then
- sshpath="/home/$dstuser/.ssh"
-# if no destination user is defined we use root's home
+
+# Set the destination user and remote ssh directory.
+# Default to root if no destination user was given.
+if [ -f "$__object/parameter/dstuser" ]; then
+ dstuser="$(cat "$__object/parameter/dstuser")"
+ sshdir="/home/${dstuser}/.ssh"
else
- sshpath="/root/.ssh"
+ dstuser="root"
+ sshdir="/root/.ssh"
fi
-rsa=`cat $srcrsa`
-__directory $sshpath
-# the file authorized_keys depends on the .ssh folder
-require="__directory${sshpath}" __file "$sshpath/authorized_keys" --mode 640
-# the line added depends on authorized_keys existence
-require="__file${sshpath}/authorized_keys" __addifnosuchline sshkey --file \
- "$sshpath/authorized_keys" --line "$rsa"
+# Set up the remote ssh directory with correct permissions
+__directory $sshdir --owner $dstuser --mode 700
+require="__directory${sshdir}" __file "${sshdir}/authorized_keys" \
+ --owner $dstuser --mode 640
+
+# Add the pubkey to the destination user's authorized_keys file
+require="__file${sshdir}/authorized_keys" __addifnosuchline sshkey --file \
+ "${sshdir}/authorized_keys" --line "${pubkey}"
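Review bot: the `__directory $sshdir --owner $dstuser --mode 700` and `__file "${sshdir}/authorized_keys" --owner $dstuser --mode 640` lines set an owner but no `--group`, so both objects keep whatever group the remote shell creates them with (normally root's). With modes 700 and 640 that group has no write access, which is what sshd's StrictModes check requires, so logins will work; if a group other than the user's is not wanted, the `--group` parameter discussed in the inline comments still needs to be added here. Also quote the directory argument as `__directory "$sshdir"`, as the `__file` line already does, since `sshdir` is built from a parameter value.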