howto determine a users homedir in a class file


Andrew

Jan 29, 2014, 11:04:32 PM
to puppet...@googlegroups.com
So ...
I am tasked with managing ssh keys for which I want to use puppet to do the deployment.
I don't know ahead of time which users will be using/assigned keys, so my question is:

How do I determine the homedir of any user? Is there a variable present with this info, without resorting to an exec?

Not all users have /home/$USER homedirs (eg apache=/var/www, puppet=/var/lib/puppet).

I need to create a .ssh dir in the users homedir and copy some private keys in there. 
The authorized_keys type includes a user property, so the public key is easy.

kinda stumped ...
Any ideas?

Thanks in advance.

Regards,
Andrew

Dan White

Jan 29, 2014, 11:33:59 PM
to puppet...@googlegroups.com
I have a solution for this that involves a custom fact, written in Ruby, for the user's homedir. 
I will gladly post the code for the fact and the manifest code showing how I use it.  However, I am posting this from home and all my Puppet code is at my work.  I will post it tomorrow.

One small "gotcha" that confuzzled me for a short while is that I found that this custom fact does not work for a user account that is created in the same puppet-agent run.  A bit of a chicken-egg dilemma: the fact depends on the existence of the user, but facts are done first in an agent run.  My solution is that you have the user's homedir available to you when you create an account, so my ssh-key code was refactored to include the homedir as an input parameter.
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/1944e04e-e98c-4cb6-8e3f-e470c88ce6ad%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Andrew

Jan 30, 2014, 12:56:35 AM
to puppet...@googlegroups.com
Thanks for that Ygor, I appreciate the help.

Thomas Bendler

Jan 30, 2014, 6:28:37 AM
to puppet-users
You can change the path to authorized_keys as it is done in my ssh puppet module (http://forge.puppetlabs.com/thbe/ssh). The next version of this module will give you the possibility to deploy usernames with keys as parameters but I'm not sure when I'll find time to implement this. Till now you have to put the username key files manually in /etc/ssh.d/

Regards Thomas






--
Linux ... enjoy the ride!

Dan White

Jan 30, 2014, 8:04:32 AM
to puppet...@googlegroups.com
Here we go:

Part 1: Custom Fact (modules/users/lib/facter/user_home.rb)
        require 'etc'
        # Walk every account the passwd database knows about (local files,
        # LDAP, etc., via NSS) and publish one fact per user, so that
        # home_apache => /var/www and home_puppet => /var/lib/puppet.
        # Accounts created later in the same agent run are not seen here,
        # because facts are gathered before the catalog is applied.
        Etc.passwd { |user|
            Facter.add("home_#{user.name}") do
                setcode do
                    user.dir
                end
            end
        }

When you are creating a user, you have access to the homedir.  I use a define that has default parameters of
    $userhome = "/home/${title}",
    $username = $title,
You can override the userhome value.  The combination of resources I found to work is as follows:

            # Create the home (and any missing parent directories). $homedirdir
            # is assumed to be another parameter of the define; it is not in the
            # excerpt above. Puppet needs a path (or a fully qualified command)
            # for the unless check to run.
            exec { "mkdir-${username}":
                command => "/bin/mkdir -p ${homedirdir}",
                unless  => "test -d ${homedirdir}",
                path    => ['/bin', '/usr/bin'],
            }

            file { $userhome:
                ensure  => directory,
                require => [
                    User[$username],
                    Exec["mkdir-${username}"],
                ],
            }

            # Owner and mode are left at Puppet's defaults here (root, 0755 for
            # directories, 0644 for files). sshd's StrictModes accepts
            # root-owned paths that are not group/world writable; set
            # owner => $username if the user is meant to manage the directory.
            file { "${userhome}/.ssh":
                ensure  => directory,
                require => User[$username],
            }

            file { "${userhome}/.ssh/authorized_keys":
                ensure  => present,
                require => File["${userhome}/.ssh"],
            }

            ssh_authorized_key { "${username}_rsa_key":
                ensure => $ensure,
                user   => $username,
                key    => ".....",
                type   => 'ssh-rsa',
            }

Now, for putting keys in other user homedirs - like a role account for restricted ssh - using only the role account login and the user account login,

    # Name of the per-user fact produced by Part 1, e.g. home_deploy
    $home_fact = "home_${role_account_login}"
    # The variable name is only known at run time, so it is looked up through
    # the template scope rather than referenced directly in the manifest.
    $homedir = inline_template("<%= scope.lookupvar('::${home_fact}') %>")

        # Ordering: the role account must exist and its authorized_keys file
        # must be managed before the key is added to it.
        User[$role_account_login] ->
        File["${homedir}/.ssh/authorized_keys"] ->
        ssh_authorized_key { "${user_account_login}_rsa_key_for_${role_account_login}":
            ensure => $ensure,
            key    => "....",
            type   => 'ssh-rsa',
            user   => $role_account_login,
        }

The chaining was discovered through some long and painful trial and error.
Also, there is the matter of the "options" parameter for ssh_authorized_key, but I did not want to complicate this too much.

This should get you moving forward.
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”  (Bill Watterson: Calvin & Hobbes)

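An added Ruby example, not from the thread or the poster's module, that runs the same passwd-to-fact mapping as the custom fact above over constructed passwd lines and shows what a live lookup returns for an account that does not exist yet (the chicken-and-egg case described earlier). The parse_passwd, home_facts and live_home_dir names and the sample entries are my own.

```ruby
require 'etc'

# Constructed /etc/passwd-style sample (not from a real host): two system
# accounts with homes outside /home, and a name containing a hyphen.
SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  apache:x:48:48:Apache:/var/www:/sbin/nologin
  puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin
  systemd-network:x:192:192:systemd Network:/:/sbin/nologin
  andrew:x:1000:1000:Andrew:/home/andrew:/bin/bash
PASSWD

# Parse passwd-format text into [name, home] pairs, skipping malformed lines.
def parse_passwd(text)
  text.each_line.map do |line|
    fields = line.chomp.split(':', -1)
    next if fields.size < 7 || fields[0].empty?
    [fields[0], fields[5]]
  end.compact
end

# Same mapping as the custom fact in the thread: "home_<name>" => home dir.
# Names outside [A-Za-z0-9_] are skipped, because the resulting fact could
# not be referenced as a Puppet variable (e.g. $::home_systemd-network).
def home_facts(entries)
  entries.each_with_object({}) do |(name, dir), facts|
    next unless name =~ /\A[A-Za-z0-9_]+\z/
    facts["home_#{name}"] = dir
  end
end

# Live lookup through NSS, as the fact does when the agent starts. Returns
# nil for an account that does not exist yet, which is what happens to a
# user created later in the same run: the manifest must supply the homedir.
def live_home_dir(username)
  Etc.getpwnam(username).dir
rescue ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  home_facts(parse_passwd(SAMPLE_PASSWD)).each do |fact, dir|
    puts "#{fact} => #{dir}"
  end
end
```

For accounts with awkward names, a single structured fact (a hash of name to homedir) avoids the variable-name problem, but that needs a Facter version with structured fact support.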
