[Mageia-sysadm] [367] really add ssh::auth

root at mageia.org root at mageia.org
Mon Nov 22 01:22:53 CET 2010


Revision: 367
Author:   blino
Date:     2010-11-22 01:22:53 +0100 (Mon, 22 Nov 2010)
Log Message:
-----------
really add ssh::auth

Added Paths:
-----------
    puppet/modules/ssh_auth/manifests/init.pp

Added: puppet/modules/ssh_auth/manifests/init.pp
===================================================================
--- puppet/modules/ssh_auth/manifests/init.pp	                        (rev 0)
+++ puppet/modules/ssh_auth/manifests/init.pp	2010-11-22 00:22:53 UTC (rev 367)
@@ -0,0 +1,336 @@
+# =========                                                 
+# ssh::auth                                                 
+# =========                                                 
+#                                                           
+# The latest official release and documentation for ssh::auth can always
+# be found at http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth .
+#                                                                              
+# Version:          0.3.2                                                      
+# Release date:     2009-12-29                                                 
+
+class ssh::auth {
+
+$keymaster_storage = "/var/lib/keys" 
+
+Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
+Notify { withpath => false }                    
+
+
+##########################################################################
+
+
+# ssh::auth::key 
+
+# Declare keys.  The approach here is just to define a bunch of
+# virtual resources, representing key files on the keymaster, client,
+# and server.  The virtual keys are then realized by                 
+# ssh::auth::{keymaster,client,server}, respectively.  The reason for
+# doing things that way is that it makes ssh::auth::key into a "one  
+# stop shop" where users can declare their keys with all of their    
+# parameters, whether those parameters apply to the keymaster, server,
+# or client.  The real work of creating, installing, and removing keys
+# is done in the private definitions called by the virtual resources: 
+# ssh_auth_key_{master,server,client}.                                
+
+define key ($ensure = "present", $filename = "", $force = false, $group = "puppet", $home = "", $keytype = "rsa", $length = 2048, $maxdays = "", $mindate = "", $options = "", $user = "") {                                                                                                                                                    
+
+  ssh_auth_key_namecheck { "${title}-title": parm => "title", value => $title }
+
+  # apply defaults
+  $_filename = $filename ? { "" => "id_${keytype}", default => $filename }
+  $_length = $keytype ? { "rsa" => $length, "dsa" => 1024 }               
+  $_user = $user ? {                                                      
+    ""      => regsubst($title, '^([^@]*)@?.*$', '\1'),                   
+    default => $user,                                                     
+  }                                                                       
+  $_home = $home ? { "" => "/home/$_user",  default => $home }            
+
+  ssh_auth_key_namecheck { "${title}-filename": parm => "filename", value => $_filename }
+
+  @ssh_auth_key_master { $title:
+    ensure  => $ensure,         
+    force   => $force,          
+    keytype => $keytype,        
+    length  => $_length,        
+    maxdays => $maxdays,        
+    mindate => $mindate,        
+  }                             
+  @ssh_auth_key_client { $title:
+    ensure   => $ensure,        
+    filename => $_filename,     
+    group    => $group,         
+    home     => $_home,         
+    user     => $_user,         
+  }                             
+  @ssh_auth_key_server { $title:
+    ensure  => $ensure,         
+    group   => $group,          
+    home    => $_home,          
+    options => $options,        
+    user    => $_user,          
+  }                             
+}                               
+
+
+##########################################################################
+
+
+# ssh::auth::keymaster
+#                     
+# Keymaster host:     
+# Create key storage; create, regenerate, and remove key pairs
+
+class keymaster {
+
+  # Set up key storage
+
+  file { $ssh::auth::keymaster_storage:
+    ensure => directory,               
+    owner  => puppet,                  
+    group  => puppet,                  
+    mode   => 644,                     
+  }                                    
+                                       
+  # Realize all virtual master keys    
+  Ssh_auth_key_master <| |>            
+
+} # class keymaster
+
+
+##########################################################################
+
+
+# ssh::auth::client
+#                  
+# Install generated key pairs onto clients
+
+define client ($ensure = "", $filename = "", $group = "", $home = "", $user = "") {
+
+  # Realize the virtual client keys.
+  # Override the defaults set in ssh::auth::key, as needed.
+  if $ensure   { Ssh_auth_key_client <| title == $title |> { ensure   => $ensure   } }
+  if $filename { Ssh_auth_key_client <| title == $title |> { filename => $filename } }
+  if $group    { Ssh_auth_key_client <| title == $title |> { group    => $group    } }
+
+  if $user { Ssh_auth_key_client <| title == $title |> { user => $user, home => "/home/$user" } }
+  if $home { Ssh_auth_key_client <| title == $title |> { home => $home } }                       
+
+  realize Ssh_auth_key_client[$title]
+
+} # define client
+
+
+##########################################################################
+
+
+# ssh::auth::server
+#                  
+# Install public keys onto clients
+
+define server ($ensure = "", $group = "", $home = "", $options = "", $user = "") {
+
+  # Realize the virtual server keys.
+  # Override the defaults set in ssh::auth::key, as needed.
+  if $ensure  { Ssh_auth_key_server <| title == $title |> { ensure  => $ensure  } }
+  if $group   { Ssh_auth_key_server <| title == $title |> { group   => $group   } }
+  if $options { Ssh_auth_key_server <| title == $title |> { options => $options } }
+
+  if $user { Ssh_auth_key_server <| title == $title |> { user => $user, home => "/home/$user" } }
+  if $home { Ssh_auth_key_server <| title == $title |> { home => $home } }                       
+
+  realize Ssh_auth_key_server[$title]
+
+} # define server
+
+} # class ssh::auth
+
+
+##########################################################################
+
+
+# ssh_auth_key_master
+#                    
+# Create/regenerate/remove a key pair on the keymaster.
+# This definition is private, i.e. it is not intended to be called directly by users.
+# ssh::auth::key calls it to create virtual keys, which are realized in ssh::auth::keymaster.
+
+define ssh_auth_key_master ($ensure, $force, $keytype, $length, $maxdays, $mindate) {
+
+  Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
+  File {                                          
+    owner => puppet,                              
+    group => puppet,                              
+    mode  => 600,                                 
+  }                                               
+
+  $keydir = "${ssh::auth::keymaster_storage}/${title}"
+  $keyfile = "${keydir}/key"                          
+
+  file { 
+    "$keydir":
+      ensure => directory,
+      mode   => 644;      
+    "$keyfile":           
+      ensure => $ensure;  
+    "${keyfile}.pub":     
+      ensure => $ensure,  
+      mode   => 644;      
+  }                       
+
+  if $ensure == "present" {
+
+    # Remove the existing key pair, if
+    # * $force is true, or            
+    # * $maxdays or $mindate criteria aren't met, or
+    # * $keytype or $length have changed            
+
+    $keycontent = file("${keyfile}.pub", "/dev/null")
+    if $keycontent {                                 
+
+      if $force {
+        $reason = "force=true"
+      }                       
+      if !$reason and $mindate and generate("/usr/bin/find", $keyfile, "!", "-newermt", "${mindate}") {
+        $reason = "created before ${mindate}"                                                          
+      }                                                                                                
+      if !$reason and $maxdays and generate("/usr/bin/find", $keyfile, "-mtime", "+${maxdays}") {      
+        $reason = "older than ${maxdays} days"                                                         
+      }                                                                                                
+      if !$reason and $keycontent =~ /^ssh-... [^ ]+ (...) (\d+)$/ {                                   
+        if       $keytype != $1 { $reason = "keytype changed: $1 -> $keytype" }                        
+        else { if $length != $2 { $reason = "length changed: $2 -> $length" } }                        
+      }                                                                                                
+      if $reason {                                                                                     
+        exec { "Revoke previous key ${title}: ${reason}":                                              
+          command => "rm $keyfile ${keyfile}.pub",                                                     
+          before  => Exec["Create key $title: $keytype, $length bits"],                                
+        }                                                                                              
+      }                                                                                                
+    }                                                                                                  
+
+    # Create the key pair.
+    # We "repurpose" the comment field in public keys on the keymaster to
+    # store data about the key, i.e. $keytype and $length.  This avoids  
+    # having to rerun ssh-keygen -l on every key at every run to determine
+    # the key length.                                                     
+    exec { "Create key $title: $keytype, $length bits":                   
+      command => "ssh-keygen -t ${keytype} -b ${length} -f ${keyfile} -C \"${keytype} ${length}\" -N \"\"",
+      user    => "puppet",                                                                                 
+      group   => "puppet",                                                                                 
+      creates => $keyfile,                                                                                 
+      require => File[$keydir],                                                                            
+      before  => File[$keyfile, "${keyfile}.pub"],                                                         
+    }                                                                                                      
+
+  } # if $ensure  == "present"
+
+} # define ssh_auth_key_master
+
+
+##########################################################################
+
+
+# ssh_auth_key_client
+#                    
+# Install a key pair into a user's account.
+# This definition is private, i.e. it is not intended to be called directly by users.
+
+define ssh_auth_key_client ($ensure, $filename, $group, $home, $user) {
+
+  File {
+    owner   => $user,
+    group   => $group,
+    mode    => 600,   
+    require => [ User[$user], File[$home]],
+  }                                                    
+
+  $key_src_file = "${ssh::auth::keymaster_storage}/${title}/key" # on the keymaster
+  $key_tgt_file = "${home}/.ssh/${filename}" # on the client                       
+
+  $key_src_content_pub = file("${key_src_file}.pub", "/dev/null")
+  if $ensure == "absent" or $key_src_content_pub =~ /^(ssh-...) ([^ ]+)/ {
+    $keytype = $1                                                         
+    $modulus = $2                                                         
+    file {                                                                
+      $key_tgt_file:                                                      
+        ensure  => $ensure,                                               
+        content => file($key_src_file, "/dev/null");                      
+      "${key_tgt_file}.pub":                                              
+        ensure  => $ensure,                                               
+        content => "$keytype $modulus $title\n",                          
+        mode    => 644;                                                   
+    }                                                                     
+  } else {                                                                
+    notify { "Private key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
+  }                                                                                                               
+
+} # define ssh_auth_key_client
+
+
+##########################################################################
+
+
+# ssh_auth_key_server
+#                    
+# Install a public key into a server user's authorized_keys(5) file.
+# This definition is private, i.e. it is not intended to be called directly by users.
+
+define ssh_auth_key_server ($ensure, $group, $home, $options, $user) {
+
+  # on the keymaster:
+  $key_src_dir = "${ssh::auth::keymaster_storage}/${title}"
+  $key_src_file = "${key_src_dir}/key.pub"                 
+  # on the server:                                         
+  $key_tgt_file = "${home}/.ssh/authorized_keys"           
+                                                           
+  File {                                                   
+    owner   => $user,                                      
+    group   => $group,                                     
+    require => User[$user],                                
+    mode    => 600,                                        
+  }                                                        
+  Ssh_authorized_key {                                     
+    user   => $user,                                       
+    target => $key_tgt_file,                               
+  }                                                        
+
+  if $ensure == "absent" {
+    ssh_authorized_key { $title: ensure => "absent" }
+  }                                                  
+  else {
+    $key_src_content = file($key_src_file, "/dev/null")
+    if ! $key_src_content {
+      notify { "Public key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
+    } else { if $ensure == "present" and $key_src_content !~ /^(ssh-...) ([^ ]*)/ {
+      err("Can't parse public key file $key_src_file")
+      notify { "Can't parse public key file $key_src_file for key $title on the keymaster: skipping ensure => $ensure": }
+    } else {
+      $keytype = $1
+      $modulus = $2
+      ssh_authorized_key { $title:
+        ensure  => "present",
+        type    => $keytype,
+        key     => $modulus,
+        options => $options ? { "" => undef, default => $options },
+      }
+    }} # if ... else ... else
+  } # if ... else
+
+} # define ssh_auth_key_server
+
+
+##########################################################################
+
+
+# ssh_auth_key_namecheck
+#
+# Check a name (e.g. key title or filename) for the allowed form
+
+define ssh_auth_key_namecheck ($parm, $value) {
+  if $value !~ /^[A-Za-z0-9]/ {
+    fail("ssh::auth::key: $parm '$value' not allowed: must begin with a letter or digit")
+  }
+  if $value !~ /^[A-Za-z0-9_.:@-]+$/ {
+    fail("ssh::auth::key: $parm '$value' not allowed: may only contain the characters A-Za-z0-9_.:@-")
+  }
+} # define namecheck
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/mageia-sysadm/attachments/20101122/0d8af62e/attachment-0001.html>


More information about the Mageia-sysadm mailing list