ssh_authorized_key fails when home directory doesn't exist


Corey Osman

Apr 21, 2011, 6:41:22 PM
to Puppet Users
Here is my situation:

1. We use Active directory (LDAP) to store all user info which is retrieved from linux
2. A home directory is not created until the first time the user logs into the linux system


I am using the ssh_authorized_key type to push out my ssh keys to every system. However, because I haven't logged into every system at least once, Puppet errors out due to a missing home directory when trying to create the authorized_keys file. The simple remedy is to log in to the box and have the home directory created (su - username). However, I would like the ssh_authorized_key type to not fail but just give a notice ("home directory does not exist, skipping"), so that the reports don't show misleading errors.

ssh_authorized_key { "billys key":
  ensure => present,
  key    => 'billys sshkey',
  name   => "super duper key",
  type   => 'ssh-rsa',
  user   => "billy",
  onlyif => "test -d /home/${user}"
}

I am assuming that I can refer to the user with ${user} and that onlyif is a valid parameter.

Is this possible?

Corey

Jeff McCune

Apr 21, 2011, 7:00:28 PM
to puppet...@googlegroups.com

Wouldn't it be better to make sure the home directory does exist, as
well as the ~/.ssh directory?

This is often accomplished by creating a defined resource type to
contain all of the resources you need to manage to give you access to
the system.

--
Jeff McCune
Professional Services, Puppet Labs
@0xEFF
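One way to write the defined type Jeff describes (an added example, not code from the thread or from Puppet Labs): it manages the home directory, ~/.ssh and the key as one unit. The names ssh_access::user, $keytype and $home are assumptions; it also assumes the home directory lives under /home and that nothing else (such as the login PAM module) must be the one to create it. Because the file type resolves owner by name through NSS at apply time, the UID does not need to be known in the manifest.

```puppet
# Added example: a defined type bundling the resources needed for key-based
# access to a host. Not from the original thread.
define ssh_access::user (
  $key,                          # public key material (the base64 part only)
  $keytype = 'ssh-rsa',          # assumed default; override per key
  $home    = "/home/${title}",   # assumed layout: home dir named after the user
) {
  # Home directory owned by the user; the name is resolved via NSS (LDAP/AD),
  # so the UID is not hardcoded anywhere in the manifest.
  file { $home:
    ensure => directory,
    owner  => $title,
    mode   => '0750',
  }

  # sshd's StrictModes rejects keys if ~/.ssh is group- or world-writable.
  file { "${home}/.ssh":
    ensure  => directory,
    owner   => $title,
    mode    => '0700',
    require => File[$home],
  }

  # The resource title becomes the comment field in authorized_keys,
  # so keep it unique per user.
  ssh_authorized_key { "${title}_key":
    ensure  => present,
    user    => $title,
    type    => $keytype,
    key     => $key,
    require => File["${home}/.ssh"],
  }
}

# Usage for the user from the thread; the key value is a placeholder.
ssh_access::user { 'billy':
  key => 'AAAAB3NzaC1yc2EAAAADAQABAAAB_PLACEHOLDER',
}
```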

Marcello de Sousa

Apr 21, 2011, 8:10:27 PM
to puppet...@googlegroups.com
I have the same issue (using Likewise Open) and even remember
discussing this briefly with Jeff (Puppetcamp in Belgium). I still
could not find a perfect solution.

Likewise open takes care of k5login kerberos file when creating the
homedir. If the folder already exists because puppet created it,
LWopen won't do anything and you won't be able to login using SSO.
There could be more reasons to let LWopen create the folder, but this
is one I can remember now...

2 approaches I've seen in the past were:

Option 1- Deploy all public keys to a directory and deploy a script
that runs regularly to place the keys in the home dir .ssh folder when
they are created (works but ugly)

Option 2 - Change the sshd_config file to use a centralized
alternative path for the users' "AuthorizedKeysFile" to
"/etc/ssh/keys/%u" folder. I believe this is the best choice but
unfortunately, when I tested this I discovered that RH/Centos stock
SSHd was not working with this option. YMMV

Cheers,
Marcello
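Marcello's option 2 expressed as a manifest (an added example, not code from the thread): keys are written to a root-owned directory that exists regardless of whether the user has ever logged in, and sshd is pointed at it. The defined type name central_ssh_key, the service name 'sshd' (Red Hat naming; Debian uses 'ssh') and Puppet 4 or later syntax are assumptions.

```puppet
# Added example: centralized authorized keys outside the home directory.
# Not from the original thread.

# Root-owned, world-readable, writable only by root: sshd's StrictModes
# refuses key files whose parent directories are group/world-writable.
file { '/etc/ssh/keys':
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0755',
}

# One file per login name; %u in sshd_config expands to that name.
define central_ssh_key (
  Array[String] $keys,   # full "type key comment" lines
) {
  file { "/etc/ssh/keys/${title}":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "${join($keys, "\n")}\n",   # join() is core since Puppet 5.5
    require => File['/etc/ssh/keys'],
  }
}

# Switch sshd to the central path via the Augeas sshd lens and restart it.
augeas { 'sshd_AuthorizedKeysFile':
  context => '/files/etc/ssh/sshd_config',
  changes => 'set AuthorizedKeysFile /etc/ssh/keys/%u',
  notify  => Service['sshd'],
}

service { 'sshd':
  ensure => running,
  enable => true,
}

# Usage for the user from the thread; the key material is a placeholder.
central_ssh_key { 'billy':
  keys => ['ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER billy@workstation'],
}
```

With a single path configured, sshd stops consulting ~/.ssh/authorized_keys, so any keys users added there themselves no longer grant access; list both paths in AuthorizedKeysFile if that is not intended.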


Marcello de Sousa

Apr 21, 2011, 8:19:46 PM
to puppet...@googlegroups.com
Btw, you can probably let puppet manage the .k5login as well... It's
just an extra small hassle.

Corey Osman

Apr 22, 2011, 1:50:23 PM
to Puppet Users
Yes but if I am understanding you correctly I can't just let puppet
own the required resources. The directories are created automatically
via PAM config upon initial login. I can't define a user type or a
file type as I don't know the UID.

ssh_authorized_key { "billys key":
  ensure => present,
  key    => 'billys sshkey',
  name   => "super duper key",
  type   => 'ssh-rsa',
  user   => "billy",
  onlyif => "test -d /home/${user}"
}
I am assuming that I can refer to the user with ${user} and that
onlyif is a valid parameter.

Does every defined type have onlyif parameter built in?

Corey Osman

Apr 22, 2011, 2:30:18 PM
to Puppet Users
For anybody interested I found a feature request already created.
Please vote on it and make it visible for Puppetlabs to include in the
next release.

http://projects.puppetlabs.com/issues/651

Felix Frank

Apr 27, 2011, 10:01:46 AM
to puppet...@googlegroups.com
Hi,

On 04/22/2011 07:50 PM, Corey Osman wrote:
> Yes but if I am understanding you correctly I can't just let puppet
> own the required resources. The directories are created automatically
> via PAM config upon initial login. I can't define a user type or a
> file type as I don't know the UID.

tricky. Am I right to assume that you don't have half a mind to push
your LDAP user maps to all your Linux boxes as duplicates using puppet?

> ssh_authorized_key{ "billys key":
> ensure => present,
> key => 'billys sshkey',
> name => "super duper key",
> type => ssh-rsa,
> user =>"billy",
> onlyif => "test -d /home/${user}"
> }
> I am assuming that I can refer to the user with ${user} and that
> onlyif is a valid parameter.

$user does, in fact, not work. I don't see why you'd want it here
though: "billy" is hardcoded, no need to make the "onlyif" condition
generic.

> Does every defined type have onlyif parameter built in?

That would indeed be of great help here.

A fugly workaround for the time being: Just let the keys fail. Set their
"loglevel" param to "debug" so your logs don't get cluttered by tons of
failed key resources.
Of course, you won't notice actual actions anymore, either. But this may
be of minor concern in this scenario.

HTH,
Felix
