diff options
Diffstat (limited to 'zarb-ml/mageia-sysadm/attachments/20101122/0d8af62e/attachment-0001.html')
| -rw-r--r-- | zarb-ml/mageia-sysadm/attachments/20101122/0d8af62e/attachment-0001.html | 405 |
1 files changed, 405 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/attachments/20101122/0d8af62e/attachment-0001.html b/zarb-ml/mageia-sysadm/attachments/20101122/0d8af62e/attachment-0001.html new file mode 100644 index 000000000..ddf9b0c9f --- /dev/null +++ b/zarb-ml/mageia-sysadm/attachments/20101122/0d8af62e/attachment-0001.html @@ -0,0 +1,405 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" +"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /> +<title>[367] really add ssh::auth</title> +</head> +<body> + +<style type="text/css"><!-- +#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; } +#msg dl.meta dt { float: left; width: 6em; font-weight: bold; } +#msg dt:after { content:':';} +#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; } +#msg dl a { font-weight: bold} +#msg dl a:link { color:#fc3; } +#msg dl a:active { color:#ff0; } +#msg dl a:visited { color:#cc6; } +h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; } +#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; } +#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; } +#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; } +#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; } +#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; } +#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; } +#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; } +#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; } +#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; } +#logmsg pre { background: #eee; padding: 1em; } +#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;} +#logmsg dl { margin: 0; } +#logmsg dt { font-weight: bold; } +#logmsg dd { margin: 0; padding: 0 0 0.5em 0; } +#logmsg dd:before { content:'\00bb';} +#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; } +#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; } +#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; } +#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; } +#logmsg table th.Corner { text-align: left; } +#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; } +#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; } +#patch { width: 100%; } +--></style> +<div id="msg"> +<dl class="meta"> +<dt>Revision</dt> <dd>367</dd> +<dt>Author</dt> <dd>blino</dd> +<dt>Date</dt> <dd>2010-11-22 01:22:53 +0100 (Mon, 22 Nov 2010)</dd> +</dl> + +<h3>Log Message</h3> +<pre>really add ssh::auth</pre> + +<h3>Added Paths</h3> +<ul> +<li><a href="#puppetmodulesssh_authmanifestsinitpp">puppet/modules/ssh_auth/manifests/init.pp</a></li> +</ul> + +</div> +<div id="patch"><pre> +<a id="puppetmodulesssh_authmanifestsinitpp">Added: puppet/modules/ssh_auth/manifests/init.pp</a> +=================================================================== +--- puppet/modules/ssh_auth/manifests/init.pp (rev 0) ++++ puppet/modules/ssh_auth/manifests/init.pp 2010-11-22 00:22:53 UTC (rev 367) +@@ -0,0 +1,336 @@ ++# ========= ++# ssh::auth ++# ========= ++# ++# The latest official release and documentation for ssh::auth can always ++# be found at http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth . ++# ++# Version: 0.3.2 ++# Release date: 2009-12-29 ++ ++class ssh::auth { ++ ++$keymaster_storage = "/var/lib/keys" ++ ++Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" } ++Notify { withpath => false } ++ ++ ++########################################################################## ++ ++ ++# ssh::auth::key ++ ++# Declare keys. The approach here is just to define a bunch of ++# virtual resources, representing key files on the keymaster, client, ++# and server. The virtual keys are then realized by ++# ssh::auth::{keymaster,client,server}, respectively. The reason for ++# doing things that way is that it makes ssh::auth::key into a "one ++# stop shop" where users can declare their keys with all of their ++# parameters, whether those parameters apply to the keymaster, server, ++# or client. The real work of creating, installing, and removing keys ++# is done in the private definitions called by the virtual resources: ++# ssh_auth_key_{master,server,client}. ++ ++define key ($ensure = "present", $filename = "", $force = false, $group = "puppet", $home = "", $keytype = "rsa", $length = 2048, $maxdays = "", $mindate = "", $options = "", $user = "") { ++ ++ ssh_auth_key_namecheck { "${title}-title": parm => "title", value => $title } ++ ++ # apply defaults ++ $_filename = $filename ? { "" => "id_${keytype}", default => $filename } ++ $_length = $keytype ? { "rsa" => $length, "dsa" => 1024 } ++ $_user = $user ? { ++ "" => regsubst($title, '^([^@]*)@?.*$', '\1'), ++ default => $user, ++ } ++ $_home = $home ? { "" => "/home/$_user", default => $home } ++ ++ ssh_auth_key_namecheck { "${title}-filename": parm => "filename", value => $_filename } ++ ++ @ssh_auth_key_master { $title: ++ ensure => $ensure, ++ force => $force, ++ keytype => $keytype, ++ length => $_length, ++ maxdays => $maxdays, ++ mindate => $mindate, ++ } ++ @ssh_auth_key_client { $title: ++ ensure => $ensure, ++ filename => $_filename, ++ group => $group, ++ home => $_home, ++ user => $_user, ++ } ++ @ssh_auth_key_server { $title: ++ ensure => $ensure, ++ group => $group, ++ home => $_home, ++ options => $options, ++ user => $_user, ++ } ++} ++ ++ ++########################################################################## ++ ++ ++# ssh::auth::keymaster ++# ++# Keymaster host: ++# Create key storage; create, regenerate, and remove key pairs ++ ++class keymaster { ++ ++ # Set up key storage ++ ++ file { $ssh::auth::keymaster_storage: ++ ensure => directory, ++ owner => puppet, ++ group => puppet, ++ mode => 644, ++ } ++ ++ # Realize all virtual master keys ++ Ssh_auth_key_master <| |> ++ ++} # class keymaster ++ ++ ++########################################################################## ++ ++ ++# ssh::auth::client ++# ++# Install generated key pairs onto clients ++ ++define client ($ensure = "", $filename = "", $group = "", $home = "", $user = "") { ++ ++ # Realize the virtual client keys. ++ # Override the defaults set in ssh::auth::key, as needed. ++ if $ensure { Ssh_auth_key_client <| title == $title |> { ensure => $ensure } } ++ if $filename { Ssh_auth_key_client <| title == $title |> { filename => $filename } } ++ if $group { Ssh_auth_key_client <| title == $title |> { group => $group } } ++ ++ if $user { Ssh_auth_key_client <| title == $title |> { user => $user, home => "/home/$user" } } ++ if $home { Ssh_auth_key_client <| title == $title |> { home => $home } } ++ ++ realize Ssh_auth_key_client[$title] ++ ++} # define client ++ ++ ++########################################################################## ++ ++ ++# ssh::auth::server ++# ++# Install public keys onto clients ++ ++define server ($ensure = "", $group = "", $home = "", $options = "", $user = "") { ++ ++ # Realize the virtual server keys. ++ # Override the defaults set in ssh::auth::key, as needed. ++ if $ensure { Ssh_auth_key_server <| title == $title |> { ensure => $ensure } } ++ if $group { Ssh_auth_key_server <| title == $title |> { group => $group } } ++ if $options { Ssh_auth_key_server <| title == $title |> { options => $options } } ++ ++ if $user { Ssh_auth_key_server <| title == $title |> { user => $user, home => "/home/$user" } } ++ if $home { Ssh_auth_key_server <| title == $title |> { home => $home } } ++ ++ realize Ssh_auth_key_server[$title] ++ ++} # define server ++ ++} # class ssh::auth ++ ++ ++########################################################################## ++ ++ ++# ssh_auth_key_master ++# ++# Create/regenerate/remove a key pair on the keymaster. ++# This definition is private, i.e. it is not intended to be called directly by users. ++# ssh::auth::key calls it to create virtual keys, which are realized in ssh::auth::keymaster. ++ ++define ssh_auth_key_master ($ensure, $force, $keytype, $length, $maxdays, $mindate) { ++ ++ Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" } ++ File { ++ owner => puppet, ++ group => puppet, ++ mode => 600, ++ } ++ ++ $keydir = "${ssh::auth::keymaster_storage}/${title}" ++ $keyfile = "${keydir}/key" ++ ++ file { ++ "$keydir": ++ ensure => directory, ++ mode => 644; ++ "$keyfile": ++ ensure => $ensure; ++ "${keyfile}.pub": ++ ensure => $ensure, ++ mode => 644; ++ } ++ ++ if $ensure == "present" { ++ ++ # Remove the existing key pair, if ++ # * $force is true, or ++ # * $maxdays or $mindate criteria aren't met, or ++ # * $keytype or $length have changed ++ ++ $keycontent = file("${keyfile}.pub", "/dev/null") ++ if $keycontent { ++ ++ if $force { ++ $reason = "force=true" ++ } ++ if !$reason and $mindate and generate("/usr/bin/find", $keyfile, "!", "-newermt", "${mindate}") { ++ $reason = "created before ${mindate}" ++ } ++ if !$reason and $maxdays and generate("/usr/bin/find", $keyfile, "-mtime", "+${maxdays}") { ++ $reason = "older than ${maxdays} days" ++ } ++ if !$reason and $keycontent =~ /^ssh-... [^ ]+ (...) (\d+)$/ { ++ if $keytype != $1 { $reason = "keytype changed: $1 -> $keytype" } ++ else { if $length != $2 { $reason = "length changed: $2 -> $length" } } ++ } ++ if $reason { ++ exec { "Revoke previous key ${title}: ${reason}": ++ command => "rm $keyfile ${keyfile}.pub", ++ before => Exec["Create key $title: $keytype, $length bits"], ++ } ++ } ++ } ++ ++ # Create the key pair. ++ # We "repurpose" the comment field in public keys on the keymaster to ++ # store data about the key, i.e. $keytype and $length. This avoids ++ # having to rerun ssh-keygen -l on every key at every run to determine ++ # the key length. ++ exec { "Create key $title: $keytype, $length bits": ++ command => "ssh-keygen -t ${keytype} -b ${length} -f ${keyfile} -C \"${keytype} ${length}\" -N \"\"", ++ user => "puppet", ++ group => "puppet", ++ creates => $keyfile, ++ require => File[$keydir], ++ before => File[$keyfile, "${keyfile}.pub"], ++ } ++ ++ } # if $ensure == "present" ++ ++} # define ssh_auth_key_master ++ ++ ++########################################################################## ++ ++ ++# ssh_auth_key_client ++# ++# Install a key pair into a user's account. ++# This definition is private, i.e. it is not intended to be called directly by users. ++ ++define ssh_auth_key_client ($ensure, $filename, $group, $home, $user) { ++ ++ File { ++ owner => $user, ++ group => $group, ++ mode => 600, ++ require => [ User[$user], File[$home]], ++ } ++ ++ $key_src_file = "${ssh::auth::keymaster_storage}/${title}/key" # on the keymaster ++ $key_tgt_file = "${home}/.ssh/${filename}" # on the client ++ ++ $key_src_content_pub = file("${key_src_file}.pub", "/dev/null") ++ if $ensure == "absent" or $key_src_content_pub =~ /^(ssh-...) ([^ ]+)/ { ++ $keytype = $1 ++ $modulus = $2 ++ file { ++ $key_tgt_file: ++ ensure => $ensure, ++ content => file($key_src_file, "/dev/null"); ++ "${key_tgt_file}.pub": ++ ensure => $ensure, ++ content => "$keytype $modulus $title\n", ++ mode => 644; ++ } ++ } else { ++ notify { "Private key file $key_src_file for key $title not found on keymaster; skipping ensure => present": } ++ } ++ ++} # define ssh_auth_key_client ++ ++ ++########################################################################## ++ ++ ++# ssh_auth_key_server ++# ++# Install a public key into a server user's authorized_keys(5) file. ++# This definition is private, i.e. it is not intended to be called directly by users. ++ ++define ssh_auth_key_server ($ensure, $group, $home, $options, $user) { ++ ++ # on the keymaster: ++ $key_src_dir = "${ssh::auth::keymaster_storage}/${title}" ++ $key_src_file = "${key_src_dir}/key.pub" ++ # on the server: ++ $key_tgt_file = "${home}/.ssh/authorized_keys" ++ ++ File { ++ owner => $user, ++ group => $group, ++ require => User[$user], ++ mode => 600, ++ } ++ Ssh_authorized_key { ++ user => $user, ++ target => $key_tgt_file, ++ } ++ ++ if $ensure == "absent" { ++ ssh_authorized_key { $title: ensure => "absent" } ++ } ++ else { ++ $key_src_content = file($key_src_file, "/dev/null") ++ if ! $key_src_content { ++ notify { "Public key file $key_src_file for key $title not found on keymaster; skipping ensure => present": } ++ } else { if $ensure == "present" and $key_src_content !~ /^(ssh-...) ([^ ]*)/ { ++ err("Can't parse public key file $key_src_file") ++ notify { "Can't parse public key file $key_src_file for key $title on the keymaster: skipping ensure => $ensure": } ++ } else { ++ $keytype = $1 ++ $modulus = $2 ++ ssh_authorized_key { $title: ++ ensure => "present", ++ type => $keytype, ++ key => $modulus, ++ options => $options ? { "" => undef, default => $options }, ++ } ++ }} # if ... else ... else ++ } # if ... else ++ ++} # define ssh_auth_key_server ++ ++ ++########################################################################## ++ ++ ++# ssh_auth_key_namecheck ++# ++# Check a name (e.g. key title or filename) for the allowed form ++ ++define ssh_auth_key_namecheck ($parm, $value) { ++ if $value !~ /^[A-Za-z0-9]/ { ++ fail("ssh::auth::key: $parm '$value' not allowed: must begin with a letter or digit") ++ } ++ if $value !~ /^[A-Za-z0-9_.:@-]+$/ { ++ fail("ssh::auth::key: $parm '$value' not allowed: may only contain the characters A-Za-z0-9_.:@-") ++ } ++} # define namecheck + +</pre></div> + +</body> +</html>
\ No newline at end of file |