1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
class restrictshell {
class shell {
file {"/etc/membersh-conf.d":
ensure => directory,
owner => root,
group => root,
mode => 755,
}
file { '/usr/local/bin/sv_membersh.pl':
ensure => present,
owner => root,
group => root,
mode => 755,
content => template("restrictshell/sv_membersh.pl"),
}
file { '/etc/membersh-conf.pl':
ensure => present,
owner => root,
group => root,
mode => 755,
content => template("restrictshell/membersh-conf.pl"),
}
}
class ssh_keys_from_ldap {
package { 'python-ldap':
ensure => installed,
}
$pubkeys_directory = "/var/lib/pubkeys"
file { $pubkeys_directory:
ensure => directory,
owner => root,
group => root,
mode => 755,
}
file { "$pubkeys_directory/root":
ensure => directory,
owner => root,
group => root,
mode => 700,
}
file { "$pubkeys_directory/root/authorized_keys":
ensure => "/root/.ssh/authorized_keys",
mode => 700,
}
$ldap_pwfile = "/etc/ldap.secret"
file { '/usr/local/bin/ldap-sshkey2file.py':
ensure => present,
owner => root,
group => root,
mode => 755,
content => template("restrictshell/ldap-sshkey2file.py"),
requires => Package['python-ldap']
}
}
define allow {
include shell
file { "/etc/membersh-conf.d/allow_$name.pl":
ensure => "present",
owner => root,
group => root,
mode => 755,
content => "\$use_$name = 1;\n",
}
}
# yes, we could directly use the allow, but this is
# a nicer syntax
class allow_git {
allow{ "git": }
}
class allow_rsync {
allow{ "rsync": }
}
class allow_pkgsubmit {
allow{ "pkgsubmit": }
}
class allow_svn {
allow{ "svn": }
}
class allow_scp {
allow{ "scp": }
}
class allow_sftp {
allow{ "sftp": }
}
# technically, we could add cvs too
# but I doubt we will use it one day
}
|
