From 0b64c47717c4483cc519e0f739bf0d4972f2277a Mon Sep 17 00:00:00 2001
From: Michael Scherer
Date: Tue, 23 Nov 2010 23:17:47 +0000
Subject: move the ldap key from ssh logic to openssh module ( more logical ), and add the hook in openssh config file
---
 modules/openssh/manifests/init.pp | 39 +++++++++++++++++++++++++++++++++
 modules/openssh/templates/sshd_config | 5 +++++
 modules/restrictshell/manifests/init.pp | 37 -------------------------------------
 3 files changed, 44 insertions(+), 37 deletions(-)
(limited to 'modules')
diff --git a/modules/openssh/manifests/init.pp b/modules/openssh/manifests/init.pp
index e55660fd..d3d0c78c 100644
--- a/modules/openssh/manifests/init.pp
+++ b/modules/openssh/manifests/init.pp
@@ -22,4 +22,43 @@ class openssh {
 require => Package["openssh-server"],
 content => template("openssh/sshd_config")
 }
+
+
+ class ssh_keys_from_ldap {
+
+ package { 'python-ldap':
+ ensure => installed,
+ }
+
+ $pubkeys_directory = "/var/lib/pubkeys"
+ file { $pubkeys_directory:
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => 755,
+ # before => Class["openssh"]
+ }
+
+ file { "$pubkeys_directory/root":
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => 700,
+ }
+
+ file { "$pubkeys_directory/root/authorized_keys":
+ ensure => "/root/.ssh/authorized_keys",
+ mode => 700,
+ }
+
+ $ldap_pwfile = "/etc/ldap.secret"
+ file { '/usr/local/bin/ldap-sshkey2file.py':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 755,
+ content => template("restrictshell/ldap-sshkey2file.py"),
+ require => Package['python-ldap']
+ }
+ }
 }
diff --git a/modules/openssh/templates/sshd_config b/modules/openssh/templates/sshd_config
index 76077504..d3f776e1 100644
--- a/modules/openssh/templates/sshd_config
+++ b/modules/openssh/templates/sshd_config
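Review bot: `$pubkeys_directory` is set to `/var/lib/pubkeys` here, but the `AuthorizedKeysFile` this same commit adds to the sshd_config template points at `/var/lib/config/pubkeys/%u/authorized_keys`, so with the class included sshd reads a tree this manifest never creates and, under `PermitRootLogin without-password`, root is left with no usable key file. One of the two needs to change, e.g. `AuthorizedKeysFile /var/lib/pubkeys/%u/authorized_keys` in the template, or better have the template interpolate the manifest variable so the two cannot drift again. The `mode => 700` on the `authorized_keys` resource appears ineffective: `ensure => "/root/.ssh/authorized_keys"` makes it a symlink, and as far as I can tell Puppet does not apply `mode` to the link itself, so the protection rests on the target file and on the `700` parent directory; dropping the attribute avoids a false sense of hardening. The class now lives in `openssh` yet still pulls its script from `template("restrictshell/ldap-sshkey2file.py")` and relies on `$ldap_pwfile` being picked up by that template, which keeps the cross-module coupling the move was meant to remove; a follow-up could relocate the template under `openssh/templates`. The enclosing `class openssh` begins before this hunk.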
@@ -45,6 +45,11 @@ PermitRootLogin without-password
 #PubkeyAuthentication yes
 #AuthorizedKeysFile .ssh/authorized_keys
+<% if all_tags.include?('openssh::ssh_keys_from_ldap') %>
+AuthorizedKeysFile /var/lib/config/pubkeys/%u/authorized_keys
+<% end %>
+
+
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
diff --git a/modules/restrictshell/manifests/init.pp b/modules/restrictshell/manifests/init.pp
index c87664a7..faaa8bd0 100644
--- a/modules/restrictshell/manifests/init.pp
+++ b/modules/restrictshell/manifests/init.pp
@@ -23,43 +23,6 @@ class restrictshell {
 content => template("restrictshell/membersh-conf.pl"),
 }
 }
-
- class ssh_keys_from_ldap {
-
- package { 'python-ldap':
- ensure => installed,
- }
-
- $pubkeys_directory = "/var/lib/pubkeys"
- file { $pubkeys_directory:
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- }
-
- file { "$pubkeys_directory/root":
- ensure => directory,
- owner => root,
- group => root,
- mode => 700,
- }
-
- file { "$pubkeys_directory/root/authorized_keys":
- ensure => "/root/.ssh/authorized_keys",
- mode => 700,
- }
-
- $ldap_pwfile = "/etc/ldap.secret"
- file { '/usr/local/bin/ldap-sshkey2file.py':
- ensure => present,
- owner => root,
- group => root,
- mode => 755,
- content => template("restrictshell/ldap-sshkey2file.py"),
- requires => Package['python-ldap']
- }
- }
 define allow {
 include shell
-- cgit v1.2.1
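Review bot: When the `<% if %>` branch is taken, the new `AuthorizedKeysFile` directive replaces the default `.ssh/authorized_keys` for every account, not just root; the manifest in this commit only links root's file into the pubkeys tree, so any other user's existing `~/.ssh/authorized_keys` stops being consulted unless `ldap-sshkey2file.py` writes a `%u/authorized_keys` for them, which is not visible here. That consequence deserves a comment above the directive, e.g. `# Keys come from the LDAP-synced tree; ~/.ssh/authorized_keys is not consulted while openssh::ssh_keys_from_ldap is included`. With `StrictModes` at its default, sshd also refuses a key file whose path contains a directory that is not root-owned or is group/world-writable; the `755`/`700` root:root directories in the manifest satisfy this for root, and whatever populates the per-user directories must keep the same ownership and modes or logins will fail silently. The two trailing blank `+` lines look like stray whitespace.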