[Mageia-sysadm] [436] move the ldap key from ssh logic to openssh module ( more logical ), and add the hook in openssh config file

root at mageia.org root at mageia.org
Wed Nov 24 00:17:47 CET 2010


Revision: 436
Author:   misc
Date:     2010-11-24 00:17:47 +0100 (Wed, 24 Nov 2010)
Log Message:
-----------
move the ssh_keys_from_ldap class from the restrictshell module to the openssh module (more logical), and add the AuthorizedKeysFile hook to the openssh sshd_config template

Modified Paths:
--------------
    puppet/modules/openssh/manifests/init.pp
    puppet/modules/openssh/templates/sshd_config
    puppet/modules/restrictshell/manifests/init.pp

Modified: puppet/modules/openssh/manifests/init.pp
===================================================================
--- puppet/modules/openssh/manifests/init.pp	2010-11-23 23:17:46 UTC (rev 435)
+++ puppet/modules/openssh/manifests/init.pp	2010-11-23 23:17:47 UTC (rev 436)
@@ -22,4 +22,43 @@
         require => Package["openssh-server"],
         content => template("openssh/sshd_config")
     }
+
+ 
+    class ssh_keys_from_ldap {
+
+        package { 'python-ldap':
+            ensure => installed,
+        }
+
+        $pubkeys_directory = "/var/lib/pubkeys"
+        file { $pubkeys_directory:
+            ensure => directory,
+            owner => root,
+            group => root,
+            mode => 755,
+        #    before => Class["openssh"] 
+        }
+
+        file { "$pubkeys_directory/root":
+            ensure => directory,
+            owner => root,
+            group => root,
+            mode => 700,
+        }
+
+        file { "$pubkeys_directory/root/authorized_keys":
+            ensure => "/root/.ssh/authorized_keys",
+            mode => 700,
+        }
+
+        $ldap_pwfile = "/etc/ldap.secret"
+        file { '/usr/local/bin/ldap-sshkey2file.py':
+            ensure => present,
+            owner => root,
+            group => root,
+            mode => 755,
+            content => template("restrictshell/ldap-sshkey2file.py"),
+            require => Package['python-ldap']
+        }
+    } 
 }
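Review bot: The file resource for `/usr/local/bin/ldap-sshkey2file.py` still renders `template("restrictshell/ldap-sshkey2file.py")`, so after this move the openssh module silently depends on the restrictshell module's templates; the template should move with the class and be referenced as `template("openssh/ldap-sshkey2file.py")`. The variable `$ldap_pwfile = "/etc/ldap.secret"` is set but the secret file itself is not managed in this class; if the script reads an LDAP bind password from it (not visible here), a `file { $ldap_pwfile: owner => root, group => root, mode => 600 }` resource would pin its permissions instead of leaving them to whoever created the file. The `mode => 700` on the `$pubkeys_directory/root/authorized_keys` resource is misleading, since that resource is a symlink (`ensure => "/root/.ssh/authorized_keys"`) and a link's mode does not govern access to its target; drop it or add a comment saying the entry is a link. The commented-out `before => Class["openssh"]` in the `$pubkeys_directory` resource is dead text and should either be restored (with the class name the module actually declares) or removed.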

Modified: puppet/modules/openssh/templates/sshd_config
===================================================================
--- puppet/modules/openssh/templates/sshd_config	2010-11-23 23:17:46 UTC (rev 435)
+++ puppet/modules/openssh/templates/sshd_config	2010-11-23 23:17:47 UTC (rev 436)
@@ -45,6 +45,11 @@
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	.ssh/authorized_keys
 
+<% if all_tags.include?('openssh::ssh_keys_from_ldap')  %>
+AuthorizedKeysFile /var/lib/config/pubkeys/%u/authorized_keys
+<% end %>
+
+
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
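Review bot: The path on the added `AuthorizedKeysFile` line, `/var/lib/config/pubkeys/%u/authorized_keys`, does not match the `/var/lib/pubkeys` directory that the `openssh::ssh_keys_from_ldap` class creates, and setting `AuthorizedKeysFile` replaces the default `.ssh/authorized_keys` rather than adding to it, so on any host carrying this tag no user, root included, would be able to authenticate by key. The line should read `AuthorizedKeysFile /var/lib/pubkeys/%u/authorized_keys`. Because the default location is no longer consulted, a failure of the LDAP-to-file sync also becomes a lockout; a template comment such as `# root's keys come from /root/.ssh/authorized_keys via a symlink, independent of LDAP` would record the intended break-glass path. With `StrictModes` at its default, sshd will also refuse a `%u` directory or file that is not owned by that user or root or is group/world writable, so the sync script (not in this diff) has to create the per-user directories with those ownership and mode constraints.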

Modified: puppet/modules/restrictshell/manifests/init.pp
===================================================================
--- puppet/modules/restrictshell/manifests/init.pp	2010-11-23 23:17:46 UTC (rev 435)
+++ puppet/modules/restrictshell/manifests/init.pp	2010-11-23 23:17:47 UTC (rev 436)
@@ -23,44 +23,7 @@
             content => template("restrictshell/membersh-conf.pl"),
         }
     }
-    
-    class ssh_keys_from_ldap {
 
-        package { 'python-ldap':
-            ensure => installed,
-        }
-
-        $pubkeys_directory = "/var/lib/pubkeys"
-        file { $pubkeys_directory:
-            ensure => directory,
-            owner => root,
-            group => root,
-            mode => 755,
-        }
-
-        file { "$pubkeys_directory/root":
-            ensure => directory,
-            owner => root,
-            group => root,
-            mode => 700,
-        }
-
-        file { "$pubkeys_directory/root/authorized_keys":
-            ensure => "/root/.ssh/authorized_keys",
-            mode => 700,
-        }
-
-        $ldap_pwfile = "/etc/ldap.secret"
-        file { '/usr/local/bin/ldap-sshkey2file.py':
-            ensure => present,
-            owner => root,
-            group => root,
-            mode => 755,
-            content => template("restrictshell/ldap-sshkey2file.py"),
-            requires => Package['python-ldap']
-        } 
-    }
-
     define allow {
         include shell
         file { "/etc/membersh-conf.d/allow_$name.pl":