-rw-r--r--modules/openssh/manifests/init.pp39
-rw-r--r--modules/openssh/templates/sshd_config5
-rw-r--r--modules/restrictshell/manifests/init.pp37
3 files changed, 44 insertions, 37 deletions
diff --git a/modules/openssh/manifests/init.pp b/modules/openssh/manifests/init.pp
index e55660fd..d3d0c78c 100644
--- a/modules/openssh/manifests/init.pp
+++ b/modules/openssh/manifests/init.pp
@@ -22,4 +22,43 @@ class openssh {
require => Package["openssh-server"],
content => template("openssh/sshd_config")
}
+
+
+ class ssh_keys_from_ldap {
+
+ package { 'python-ldap':
+ ensure => installed,
+ }
+
+ $pubkeys_directory = "/var/lib/pubkeys"
+ file { $pubkeys_directory:
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => 755,
+ # before => Class["openssh"]
+ }
+
+ file { "$pubkeys_directory/root":
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => 700,
+ }
+
+ file { "$pubkeys_directory/root/authorized_keys":
+ ensure => "/root/.ssh/authorized_keys",
+ mode => 700,
+ }
+
+ $ldap_pwfile = "/etc/ldap.secret"
+ file { '/usr/local/bin/ldap-sshkey2file.py':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 755,
+ content => template("restrictshell/ldap-sshkey2file.py"),
+ require => Package['python-ldap']
+ }
+ }
}
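Review bot: The `mode => 700` on the `$pubkeys_directory/root/authorized_keys` resource is attached to a symlink (`ensure => "/root/.ssh/authorized_keys"`), and Puppet does not manage permissions on the link itself, so as far as I can tell this mode is a no-op and the effective permissions are those of the target; if the intent is to lock the file down, manage the real file with `mode => '0600'` instead — an execute bit on an authorized_keys file is never needed. The other modes should likewise be quoted four-digit octal strings (`'0755'`, `'0700'`) rather than bare integers, which is the form Puppet expects and avoids the decimal/octal ambiguity. The class declares `$ldap_pwfile = "/etc/ldap.secret"` for the LDAP bind password consumed by the `ldap-sshkey2file.py` template (not in this diff), but nothing here manages that file's owner and mode; unless it is pinned to `0600 root:root` elsewhere, a `file` resource for it belongs next to the script. The commented-out `# before => Class["openssh"]` leaves the ordering between creating this directory tree and installing the sshd_config that points at it undeclared — either restore the dependency or drop the dead comment.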
diff --git a/modules/openssh/templates/sshd_config b/modules/openssh/templates/sshd_config
index 76077504..d3f776e1 100644
--- a/modules/openssh/templates/sshd_config
+++ b/modules/openssh/templates/sshd_config
@@ -45,6 +45,11 @@ PermitRootLogin without-password
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
+<% if all_tags.include?('openssh::ssh_keys_from_ldap') %>
+AuthorizedKeysFile /var/lib/config/pubkeys/%u/authorized_keys
+<% end %>
+
+
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
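Review bot: The path `/var/lib/config/pubkeys/%u/authorized_keys` does not match the tree the manifest in this same commit creates, `$pubkeys_directory = "/var/lib/pubkeys"` (i.e. `/var/lib/pubkeys/root/authorized_keys`); on a host carrying the `openssh::ssh_keys_from_ldap` tag sshd would consult a directory nothing populates, and because the context line `PermitRootLogin without-password` already disables root's password login, key-based root login would fail outright — an SSH lockout, not a fallback. Unless `/var/lib/config` is an intentional extra level I cannot see, the line should read `AuthorizedKeysFile /var/lib/pubkeys/%u/authorized_keys`, ideally rendered from the same variable the manifest uses so the two cannot drift again. Setting `AuthorizedKeysFile` replaces rather than supplements the default `.ssh/authorized_keys`, so on tagged hosts every user's keys must come from the LDAP dump; that is presumably the point of the feature and deserves a comment in the template, e.g. `# Keys are managed centrally from LDAP; ~/.ssh/authorized_keys is not consulted`. Note also that with StrictModes sshd will reject each `%u` directory and file unless it is owned by root or that user and not writable by others, which the root-owned `0755`/`0700` directories satisfy but the per-user directories created by the script (not shown) must as well.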
diff --git a/modules/restrictshell/manifests/init.pp b/modules/restrictshell/manifests/init.pp
index c87664a7..faaa8bd0 100644
--- a/modules/restrictshell/manifests/init.pp
+++ b/modules/restrictshell/manifests/init.pp
@@ -23,43 +23,6 @@ class restrictshell {
content => template("restrictshell/membersh-conf.pl"),
}
}
-
- class ssh_keys_from_ldap {
-
- package { 'python-ldap':
- ensure => installed,
- }
-
- $pubkeys_directory = "/var/lib/pubkeys"
- file { $pubkeys_directory:
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- }
-
- file { "$pubkeys_directory/root":
- ensure => directory,
- owner => root,
- group => root,
- mode => 700,
- }
-
- file { "$pubkeys_directory/root/authorized_keys":
- ensure => "/root/.ssh/authorized_keys",
- mode => 700,
- }
-
- $ldap_pwfile = "/etc/ldap.secret"
- file { '/usr/local/bin/ldap-sshkey2file.py':
- ensure => present,
- owner => root,
- group => root,
- mode => 755,
- content => template("restrictshell/ldap-sshkey2file.py"),
- requires => Package['python-ldap']
- }
- }
define allow {
include shell