[Mageia-sysadm] [745] move ssh::auth module to external as this is a external module ( so we can more easily keep track of it )
Revision: 745
Author: misc
Date: 2011-01-09 12:15:12 +0100 (Sun, 09 Jan 2011)
Log Message:
-----------
move ssh::auth module to external as this is an external module (so we can more easily keep track of it)
Added Paths:
-----------
puppet/external/
puppet/external/ssh/
puppet/external/ssh/manifests/
puppet/external/ssh/manifests/auth.pp
Removed Paths:
-------------
puppet/modules/ssh/manifests/auth.pp
Copied: puppet/external/ssh/manifests/auth.pp (from rev 744, puppet/modules/ssh/manifests/auth.pp)
===================================================================
--- puppet/external/ssh/manifests/auth.pp (rev 0)
+++ puppet/external/ssh/manifests/auth.pp 2011-01-09 11:15:12 UTC (rev 745)
@@ -0,0 +1,336 @@
+# =========
+# ssh::auth
+# =========
+#
+# The latest official release and documentation for ssh::auth can always
+# be found at http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth .
+#
+# Version: 0.3.2
+# Release date: 2009-12-29
+
+class ssh::auth {
+
+$keymaster_storage = "/var/lib/keys"
+
+Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
+Notify { withpath => false }
+
+
+##########################################################################
+
+
+# ssh::auth::key
+
+# Declare keys. The approach here is just to define a bunch of
+# virtual resources, representing key files on the keymaster, client,
+# and server. The virtual keys are then realized by
+# ssh::auth::{keymaster,client,server}, respectively. The reason for
+# doing things that way is that it makes ssh::auth::key into a "one
+# stop shop" where users can declare their keys with all of their
+# parameters, whether those parameters apply to the keymaster, server,
+# or client. The real work of creating, installing, and removing keys
+# is done in the private definitions called by the virtual resources:
+# ssh_auth_key_{master,server,client}.
+
+define key ($ensure = "present", $filename = "", $force = false, $group = "puppet", $home = "", $keytype = "rsa", $length = 2048, $maxdays = "", $mindate = "", $options = "", $user = "") {
+
+ ssh_auth_key_namecheck { "${title}-title": parm => "title", value => $title }
+
+ # apply defaults
+ $_filename = $filename ? { "" => "id_${keytype}", default => $filename }
+ $_length = $keytype ? { "rsa" => $length, "dsa" => 1024 }
+ $_user = $user ? {
+ "" => regsubst($title, '^([^@]*)@?.*$', '\1'),
+ default => $user,
+ }
+ $_home = $home ? { "" => "/home/$_user", default => $home }
+
+ ssh_auth_key_namecheck { "${title}-filename": parm => "filename", value => $_filename }
+
+ @ssh_auth_key_master { $title:
+ ensure => $ensure,
+ force => $force,
+ keytype => $keytype,
+ length => $_length,
+ maxdays => $maxdays,
+ mindate => $mindate,
+ }
+ @ssh_auth_key_client { $title:
+ ensure => $ensure,
+ filename => $_filename,
+ group => $group,
+ home => $_home,
+ user => $_user,
+ }
+ @ssh_auth_key_server { $title:
+ ensure => $ensure,
+ group => $group,
+ home => $_home,
+ options => $options,
+ user => $_user,
+ }
+}
+
+
+##########################################################################
+
+
+# ssh::auth::keymaster
+#
+# Keymaster host:
+# Create key storage; create, regenerate, and remove key pairs
+
+class keymaster {
+
+ # Set up key storage
+
+ file { $ssh::auth::keymaster_storage:
+ ensure => directory,
+ owner => puppet,
+ group => puppet,
+ mode => 644,
+ }
+
+ # Realize all virtual master keys
+ Ssh_auth_key_master <| |>
+
+} # class keymaster
+
+
+##########################################################################
+
+
+# ssh::auth::client
+#
+# Install generated key pairs onto clients
+
+define client ($ensure = "", $filename = "", $group = "", $home = "", $user = "") {
+
+ # Realize the virtual client keys.
+ # Override the defaults set in ssh::auth::key, as needed.
+ if $ensure { Ssh_auth_key_client <| title == $title |> { ensure => $ensure } }
+ if $filename { Ssh_auth_key_client <| title == $title |> { filename => $filename } }
+ if $group { Ssh_auth_key_client <| title == $title |> { group => $group } }
+
+ if $user { Ssh_auth_key_client <| title == $title |> { user => $user, home => "/home/$user" } }
+ if $home { Ssh_auth_key_client <| title == $title |> { home => $home } }
+
+ realize Ssh_auth_key_client[$title]
+
+} # define client
+
+
+##########################################################################
+
+
+# ssh::auth::server
+#
+# Install public keys onto clients
+
+define server ($ensure = "", $group = "", $home = "", $options = "", $user = "") {
+
+ # Realize the virtual server keys.
+ # Override the defaults set in ssh::auth::key, as needed.
+ if $ensure { Ssh_auth_key_server <| title == $title |> { ensure => $ensure } }
+ if $group { Ssh_auth_key_server <| title == $title |> { group => $group } }
+ if $options { Ssh_auth_key_server <| title == $title |> { options => $options } }
+
+ if $user { Ssh_auth_key_server <| title == $title |> { user => $user, home => "/home/$user" } }
+ if $home { Ssh_auth_key_server <| title == $title |> { home => $home } }
+
+ realize Ssh_auth_key_server[$title]
+
+} # define server
+
+} # class ssh::auth
+
+
+##########################################################################
+
+
+# ssh_auth_key_master
+#
+# Create/regenerate/remove a key pair on the keymaster.
+# This definition is private, i.e. it is not intended to be called directly by users.
+# ssh::auth::key calls it to create virtual keys, which are realized in ssh::auth::keymaster.
+
+define ssh_auth_key_master ($ensure, $force, $keytype, $length, $maxdays, $mindate) {
+
+ Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
+ File {
+ owner => puppet,
+ group => puppet,
+ mode => 600,
+ }
+
+ $keydir = "${ssh::auth::keymaster_storage}/${title}"
+ $keyfile = "${keydir}/key"
+
+ file {
+ "$keydir":
+ ensure => directory,
+ mode => 644;
+ "$keyfile":
+ ensure => $ensure;
+ "${keyfile}.pub":
+ ensure => $ensure,
+ mode => 644;
+ }
+
+ if $ensure == "present" {
+
+ # Remove the existing key pair, if
+ # * $force is true, or
+ # * $maxdays or $mindate criteria aren't met, or
+ # * $keytype or $length have changed
+
+ $keycontent = file("${keyfile}.pub", "/dev/null")
+ if $keycontent {
+
+ if $force {
+ $reason = "force=true"
+ }
+ if !$reason and $mindate and generate("/usr/bin/find", $keyfile, "!", "-newermt", "${mindate}") {
+ $reason = "created before ${mindate}"
+ }
+ if !$reason and $maxdays and generate("/usr/bin/find", $keyfile, "-mtime", "+${maxdays}") {
+ $reason = "older than ${maxdays} days"
+ }
+ if !$reason and $keycontent =~ /^ssh-... [^ ]+ (...) (\d+)$/ {
+ if $keytype != $1 { $reason = "keytype changed: $1 -> $keytype" }
+ else { if $length != $2 { $reason = "length changed: $2 -> $length" } }
+ }
+ if $reason {
+ exec { "Revoke previous key ${title}: ${reason}":
+ command => "rm $keyfile ${keyfile}.pub",
+ before => Exec["Create key $title: $keytype, $length bits"],
+ }
+ }
+ }
+
+ # Create the key pair.
+ # We "repurpose" the comment field in public keys on the keymaster to
+ # store data about the key, i.e. $keytype and $length. This avoids
+ # having to rerun ssh-keygen -l on every key at every run to determine
+ # the key length.
+ exec { "Create key $title: $keytype, $length bits":
+ command => "ssh-keygen -t ${keytype} -b ${length} -f ${keyfile} -C \"${keytype} ${length}\" -N \"\"",
+ user => "puppet",
+ group => "puppet",
+ creates => $keyfile,
+ require => File[$keydir],
+ before => File[$keyfile, "${keyfile}.pub"],
+ }
+
+ } # if $ensure == "present"
+
+} # define ssh_auth_key_master
+
+
+##########################################################################
+
+
+# ssh_auth_key_client
+#
+# Install a key pair into a user's account.
+# This definition is private, i.e. it is not intended to be called directly by users.
+
+define ssh_auth_key_client ($ensure, $filename, $group, $home, $user) {
+
+ File {
+ owner => $user,
+ group => $group,
+ mode => 600,
+ require => [ User[$user], File[$home]],
+ }
+
+ $key_src_file = "${ssh::auth::keymaster_storage}/${title}/key" # on the keymaster
+ $key_tgt_file = "${home}/.ssh/$(unknown)" # on the client
+
+ $key_src_content_pub = file("${key_src_file}.pub", "/dev/null")
+ if $ensure == "absent" or $key_src_content_pub =~ /^(ssh-...) ([^ ]+)/ {
+ $keytype = $1
+ $modulus = $2
+ file {
+ $key_tgt_file:
+ ensure => $ensure,
+ content => file($key_src_file, "/dev/null");
+ "${key_tgt_file}.pub":
+ ensure => $ensure,
+ content => "$keytype $modulus $title\n",
+ mode => 644;
+ }
+ } else {
+ notify { "Private key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
+ }
+
+} # define ssh_auth_key_client
+
+
+##########################################################################
+
+
+# ssh_auth_key_server
+#
+# Install a public key into a server user's authorized_keys(5) file.
+# This definition is private, i.e. it is not intended to be called directly by users.
+
+define ssh_auth_key_server ($ensure, $group, $home, $options, $user) {
+
+ # on the keymaster:
+ $key_src_dir = "${ssh::auth::keymaster_storage}/${title}"
+ $key_src_file = "${key_src_dir}/key.pub"
+ # on the server:
+ $key_tgt_file = "${home}/.ssh/authorized_keys"
+
+ File {
+ owner => $user,
+ group => $group,
+ require => User[$user],
+ mode => 600,
+ }
+ Ssh_authorized_key {
+ user => $user,
+ target => $key_tgt_file,
+ }
+
+ if $ensure == "absent" {
+ ssh_authorized_key { $title: ensure => "absent" }
+ }
+ else {
+ $key_src_content = file($key_src_file, "/dev/null")
+ if ! $key_src_content {
+ notify { "Public key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
+ } else { if $ensure == "present" and $key_src_content !~ /^(ssh-...) ([^ ]*)/ {
+ err("Can't parse public key file $key_src_file")
+ notify { "Can't parse public key file $key_src_file for key $title on the keymaster: skipping ensure => $ensure": }
+ } else {
+ $keytype = $1
+ $modulus = $2
+ ssh_authorized_key { $title:
+ ensure => "present",
+ type => $keytype,
+ key => $modulus,
+ options => $options ? { "" => undef, default => $options },
+ }
+ }} # if ... else ... else
+ } # if ... else
+
+} # define ssh_auth_key_server
+
+
+##########################################################################
+
+
+# ssh_auth_key_namecheck
+#
+# Check a name (e.g. key title or filename) for the allowed form
+
+define ssh_auth_key_namecheck ($parm, $value) {
+ if $value !~ /^[A-Za-z0-9]/ {
+ fail("ssh::auth::key: $parm '$value' not allowed: must begin with a letter or digit")
+ }
+ if $value !~ /^[A-Za-z0-9_.:@-]+$/ {
+ fail("ssh::auth::key: $parm '$value' not allowed: may only contain the characters A-Za-z0-9_.:@-")
+ }
+} # define namecheck
Deleted: puppet/modules/ssh/manifests/auth.pp
===================================================================
--- puppet/modules/ssh/manifests/auth.pp 2011-01-09 11:15:11 UTC (rev 744)
+++ puppet/modules/ssh/manifests/auth.pp 2011-01-09 11:15:12 UTC (rev 745)
@@ -1,336 +0,0 @@
-# =========
-# ssh::auth
-# =========
-#
-# The latest official release and documentation for ssh::auth can always
-# be found at http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth .
-#
-# Version: 0.3.2
-# Release date: 2009-12-29
-
-class ssh::auth {
-
-$keymaster_storage = "/var/lib/keys"
-
-Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
-Notify { withpath => false }
-
-
-##########################################################################
-
-
-# ssh::auth::key
-
-# Declare keys. The approach here is just to define a bunch of
-# virtual resources, representing key files on the keymaster, client,
-# and server. The virtual keys are then realized by
-# ssh::auth::{keymaster,client,server}, respectively. The reason for
-# doing things that way is that it makes ssh::auth::key into a "one
-# stop shop" where users can declare their keys with all of their
-# parameters, whether those parameters apply to the keymaster, server,
-# or client. The real work of creating, installing, and removing keys
-# is done in the private definitions called by the virtual resources:
-# ssh_auth_key_{master,server,client}.
-
-define key ($ensure = "present", $filename = "", $force = false, $group = "puppet", $home = "", $keytype = "rsa", $length = 2048, $maxdays = "", $mindate = "", $options = "", $user = "") {
-
- ssh_auth_key_namecheck { "${title}-title": parm => "title", value => $title }
-
- # apply defaults
- $_filename = $filename ? { "" => "id_${keytype}", default => $filename }
- $_length = $keytype ? { "rsa" => $length, "dsa" => 1024 }
- $_user = $user ? {
- "" => regsubst($title, '^([^@]*)@?.*$', '\1'),
- default => $user,
- }
- $_home = $home ? { "" => "/home/$_user", default => $home }
-
- ssh_auth_key_namecheck { "${title}-filename": parm => "filename", value => $_filename }
-
- @ssh_auth_key_master { $title:
- ensure => $ensure,
- force => $force,
- keytype => $keytype,
- length => $_length,
- maxdays => $maxdays,
- mindate => $mindate,
- }
- @ssh_auth_key_client { $title:
- ensure => $ensure,
- filename => $_filename,
- group => $group,
- home => $_home,
- user => $_user,
- }
- @ssh_auth_key_server { $title:
- ensure => $ensure,
- group => $group,
- home => $_home,
- options => $options,
- user => $_user,
- }
-}
-
-
-##########################################################################
-
-
-# ssh::auth::keymaster
-#
-# Keymaster host:
-# Create key storage; create, regenerate, and remove key pairs
-
-class keymaster {
-
- # Set up key storage
-
- file { $ssh::auth::keymaster_storage:
- ensure => directory,
- owner => puppet,
- group => puppet,
- mode => 644,
- }
-
- # Realize all virtual master keys
- Ssh_auth_key_master <| |>
-
-} # class keymaster
-
-
-##########################################################################
-
-
-# ssh::auth::client
-#
-# Install generated key pairs onto clients
-
-define client ($ensure = "", $filename = "", $group = "", $home = "", $user = "") {
-
- # Realize the virtual client keys.
- # Override the defaults set in ssh::auth::key, as needed.
- if $ensure { Ssh_auth_key_client <| title == $title |> { ensure => $ensure } }
- if $filename { Ssh_auth_key_client <| title == $title |> { filename => $filename } }
- if $group { Ssh_auth_key_client <| title == $title |> { group => $group } }
-
- if $user { Ssh_auth_key_client <| title == $title |> { user => $user, home => "/home/$user" } }
- if $home { Ssh_auth_key_client <| title == $title |> { home => $home } }
-
- realize Ssh_auth_key_client[$title]
-
-} # define client
-
-
-##########################################################################
-
-
-# ssh::auth::server
-#
-# Install public keys onto clients
-
-define server ($ensure = "", $group = "", $home = "", $options = "", $user = "") {
-
- # Realize the virtual server keys.
- # Override the defaults set in ssh::auth::key, as needed.
- if $ensure { Ssh_auth_key_server <| title == $title |> { ensure => $ensure } }
- if $group { Ssh_auth_key_server <| title == $title |> { group => $group } }
- if $options { Ssh_auth_key_server <| title == $title |> { options => $options } }
-
- if $user { Ssh_auth_key_server <| title == $title |> { user => $user, home => "/home/$user" } }
- if $home { Ssh_auth_key_server <| title == $title |> { home => $home } }
-
- realize Ssh_auth_key_server[$title]
-
-} # define server
-
-} # class ssh::auth
-
-
-##########################################################################
-
-
-# ssh_auth_key_master
-#
-# Create/regenerate/remove a key pair on the keymaster.
-# This definition is private, i.e. it is not intended to be called directly by users.
-# ssh::auth::key calls it to create virtual keys, which are realized in ssh::auth::keymaster.
-
-define ssh_auth_key_master ($ensure, $force, $keytype, $length, $maxdays, $mindate) {
-
- Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }
- File {
- owner => puppet,
- group => puppet,
- mode => 600,
- }
-
- $keydir = "${ssh::auth::keymaster_storage}/${title}"
- $keyfile = "${keydir}/key"
-
- file {
- "$keydir":
- ensure => directory,
- mode => 644;
- "$keyfile":
- ensure => $ensure;
- "${keyfile}.pub":
- ensure => $ensure,
- mode => 644;
- }
-
- if $ensure == "present" {
-
- # Remove the existing key pair, if
- # * $force is true, or
- # * $maxdays or $mindate criteria aren't met, or
- # * $keytype or $length have changed
-
- $keycontent = file("${keyfile}.pub", "/dev/null")
- if $keycontent {
-
- if $force {
- $reason = "force=true"
- }
- if !$reason and $mindate and generate("/usr/bin/find", $keyfile, "!", "-newermt", "${mindate}") {
- $reason = "created before ${mindate}"
- }
- if !$reason and $maxdays and generate("/usr/bin/find", $keyfile, "-mtime", "+${maxdays}") {
- $reason = "older than ${maxdays} days"
- }
- if !$reason and $keycontent =~ /^ssh-... [^ ]+ (...) (\d+)$/ {
- if $keytype != $1 { $reason = "keytype changed: $1 -> $keytype" }
- else { if $length != $2 { $reason = "length changed: $2 -> $length" } }
- }
- if $reason {
- exec { "Revoke previous key ${title}: ${reason}":
- command => "rm $keyfile ${keyfile}.pub",
- before => Exec["Create key $title: $keytype, $length bits"],
- }
- }
- }
-
- # Create the key pair.
- # We "repurpose" the comment field in public keys on the keymaster to
- # store data about the key, i.e. $keytype and $length. This avoids
- # having to rerun ssh-keygen -l on every key at every run to determine
- # the key length.
- exec { "Create key $title: $keytype, $length bits":
- command => "ssh-keygen -t ${keytype} -b ${length} -f ${keyfile} -C \"${keytype} ${length}\" -N \"\"",
- user => "puppet",
- group => "puppet",
- creates => $keyfile,
- require => File[$keydir],
- before => File[$keyfile, "${keyfile}.pub"],
- }
-
- } # if $ensure == "present"
-
-} # define ssh_auth_key_master
-
-
-##########################################################################
-
-
-# ssh_auth_key_client
-#
-# Install a key pair into a user's account.
-# This definition is private, i.e. it is not intended to be called directly by users.
-
-define ssh_auth_key_client ($ensure, $filename, $group, $home, $user) {
-
- File {
- owner => $user,
- group => $group,
- mode => 600,
- require => [ User[$user], File[$home]],
- }
-
- $key_src_file = "${ssh::auth::keymaster_storage}/${title}/key" # on the keymaster
- $key_tgt_file = "${home}/.ssh/$(unknown)" # on the client
-
- $key_src_content_pub = file("${key_src_file}.pub", "/dev/null")
- if $ensure == "absent" or $key_src_content_pub =~ /^(ssh-...) ([^ ]+)/ {
- $keytype = $1
- $modulus = $2
- file {
- $key_tgt_file:
- ensure => $ensure,
- content => file($key_src_file, "/dev/null");
- "${key_tgt_file}.pub":
- ensure => $ensure,
- content => "$keytype $modulus $title\n",
- mode => 644;
- }
- } else {
- notify { "Private key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
- }
-
-} # define ssh_auth_key_client
-
-
-##########################################################################
-
-
-# ssh_auth_key_server
-#
-# Install a public key into a server user's authorized_keys(5) file.
-# This definition is private, i.e. it is not intended to be called directly by users.
-
-define ssh_auth_key_server ($ensure, $group, $home, $options, $user) {
-
- # on the keymaster:
- $key_src_dir = "${ssh::auth::keymaster_storage}/${title}"
- $key_src_file = "${key_src_dir}/key.pub"
- # on the server:
- $key_tgt_file = "${home}/.ssh/authorized_keys"
-
- File {
- owner => $user,
- group => $group,
- require => User[$user],
- mode => 600,
- }
- Ssh_authorized_key {
- user => $user,
- target => $key_tgt_file,
- }
-
- if $ensure == "absent" {
- ssh_authorized_key { $title: ensure => "absent" }
- }
- else {
- $key_src_content = file($key_src_file, "/dev/null")
- if ! $key_src_content {
- notify { "Public key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
- } else { if $ensure == "present" and $key_src_content !~ /^(ssh-...) ([^ ]*)/ {
- err("Can't parse public key file $key_src_file")
- notify { "Can't parse public key file $key_src_file for key $title on the keymaster: skipping ensure => $ensure": }
- } else {
- $keytype = $1
- $modulus = $2
- ssh_authorized_key { $title:
- ensure => "present",
- type => $keytype,
- key => $modulus,
- options => $options ? { "" => undef, default => $options },
- }
- }} # if ... else ... else
- } # if ... else
-
-} # define ssh_auth_key_server
-
-
-##########################################################################
-
-
-# ssh_auth_key_namecheck
-#
-# Check a name (e.g. key title or filename) for the allowed form
-
-define ssh_auth_key_namecheck ($parm, $value) {
- if $value !~ /^[A-Za-z0-9]/ {
- fail("ssh::auth::key: $parm '$value' not allowed: must begin with a letter or digit")
- }
- if $value !~ /^[A-Za-z0-9_.:@-]+$/ {
- fail("ssh::auth::key: $parm '$value' not allowed: may only contain the characters A-Za-z0-9_.:@-")
- }
-} # define namecheck