Forum: Cfengine Help Subject: Looking for constructive criticism - update SSH keys Author: random Link to topic: https://cfengine.com/forum/read.php?3,21329,21329#msg-21329
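I'm pretty new to this cfengine stuff, things are starting to come together a bit now, though! I wrote this bundle to manage SSH public keys on my servers. If any of you cfengine gurus are out there and have some time to critique this and point out stupidity or ignorance in the methods I've employed I would be grateful. Best practices are still hazy at best in my mind.

# Manage per-user ssh2 public keys and the <homedir>/.ssh2/authorization file.
#
# Flow: public_keys -> update_authorization (creates .ssh2/, rebuilds authorization)
#                   -> update_pubkeys -> copy_pubkey (fetches each .pub from the policy host)

body common control
{
  bundlesequence => { "public_keys" };
  # cfengine_stdlib.cf provides mog() and the edit_defaults body "empty" used below
  inputs         => { "/var/cfengine/inputs/cfengine_stdlib.cf" };
}

bundle common g
{
vars:
  "masterfiles" string => "/var/cf-masterfiles";
  "pubkeys"     string => "${masterfiles}/pubkeys";
  # Policy host that serves the .pub files. Its host key must already be
  # trusted on the client (cf-key / initial trust); do not work around a
  # trust failure by setting trustkey => "true" in the copy body.
  "phost"       string => "192.168.1.1";
}

bundle agent public_keys
{
vars:
  # users whose ssh2 key material is managed by this policy
  "local_users" slist => { "root", "apache" };

  # Per-user settings are arrays indexed by user name so that
  # $(homedir[$(local_users)]) / $(members[$(local_users)]) below resolve.
  # The original declared plain scalars "homedir"/"members" twice, which
  # redefines the variable and leaves the array lookups unresolved.
  #
  # NOTE(review): the /tmp/... values are clearly test paths. /tmp is
  # world-writable, so any local user could pre-create /tmp/pubkey/<user>/.ssh2
  # (or a symlink) before the agent does; point these at the real home
  # directories before deploying.
  "homedir[root]"   string => "/tmp/pubkey/root";
  "members[root]"   string => "id_bozo.pub,id_jack.pub,id_bob.pub";

  "homedir[apache]" string => "/tmp/pubkey/opt/apache";
  "members[apache]" string => "id_rick.pub,id_jack.pub,id_dudeski.pub";

methods:
  # Both promises iterate once per entry of local_users.
  "any" usebundle => update_authorization("$(local_users)",
                                          "$(homedir[$(local_users)])",
                                          "$(members[$(local_users)])");
  "any" usebundle => update_pubkeys("$(homedir[$(local_users)])",
                                    "$(members[$(local_users)])");
}

# Create <homedir>/.ssh2 and make <homedir>/.ssh2/authorization contain exactly
# one "Key <file>" line per entry of `members` (comma-separated .pub file names).
# `user` is not used by the promises below; it is kept so the existing call
# signature from public_keys is unchanged.
bundle agent update_authorization(user,homedir,members)
{
files:
  "${homedir}/.ssh2/."
    handle  => "ssh2_dir_create",
    comment => "Create .ssh2 directory and enforce permissions",
    perms   => mog("750", "root", "users"),
    create  => "true";

  "${homedir}/.ssh2/authorization"
    handle  => "ssh2_authorization_file",
    comment => "Rebuild the authorization file from the member list",
    create  => "true",
    # "empty" (cfengine_stdlib.cf) truncates the file before editing, so a key
    # dropped from `members` is actually revoked on the next run. With
    # insert_lines alone, stale "Key ..." lines were never removed, despite
    # the original "add/remove public keys" intent.
    edit_defaults => empty,
    edit_line     => add_pubkey_authfile("${user}","${members}"),
    perms         => mog("640", "root", "users");
}

# Fetch every .pub file named in `keylist` into <homedir>/.ssh2/.
# NOTE(review): .pub files no longer in the list are not deleted here; since
# only keys named in `authorization` are honoured, a leftover .pub is inert.
bundle agent update_pubkeys(homedir,keylist)
{
vars:
  "keys" slist => splitstring("$(keylist)", ",", "100");

methods:
  # one copy_pubkey call per key
  "any" usebundle => copy_pubkey("${homedir}", "$(keys)");
}

# Copy a single public key from the policy host's pubkeys directory.
bundle agent copy_pubkey(userdir,key)
{
files:
  "${userdir}/.ssh2/${key}"
    handle    => "ssh2_pubkey_file",
    comment   => "add public key(s) to .ssh2 directory",
    copy_from => pubcopy("${g.pubkeys}/${key}"),
    create    => "false";
}

# Emit one "Key <file>" line per entry of the comma-separated `keylist`.
# `user` is unused; kept for the existing call signature.
bundle edit_line add_pubkey_authfile(user,keylist)
{
vars:
  "keys" slist => splitstring("$(keylist)", ",", "100");

insert_lines:
  "Key $(keys)";
}

# Remote copy from the policy host. compare/verify catch changed or corrupted
# transfers; encrypt => "true" (as in stdlib secure_cp) stops these files,
# which grant login as root, from crossing the network in clear text.
# trustkey is deliberately left at its default (false): see bundle g.
body copy_from pubcopy(from)
{
  source  => "${from}";
  servers => { "${g.phost}" };
  compare => "digest";
  verify  => "true";
  encrypt => "true";
}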