Patrick,

If you do that you would put all the public keys together, wouldn't you?
That means users would be able to login as any other user. That is of
course not what you want.

We need to deploy a single specific public key per user.

Gr,
Marcello

> -----Original Message-----
> From: puppet-users@googlegroups.com [mailto:puppet-us...@googlegroups.com] On Behalf Of Patrick
> Sent: Thursday 25 February 2010 19:47
> To: puppet-users@googlegroups.com
> Subject: Re: [Puppet Users] ssh::auth server dependency on ~/.ssh and a scoping question
>
> What about deploying the keys to /etc/skel? Would that be enough for
> what you want?
>
>
> On Feb 25, 2010, at 8:47 AM, Marcello de Sousa wrote:
>
> > Hi Andrew,
> >
> >>> "IF homedir exists => deploy .ssh/authorized_keys , else do nothing"
> >>> As far as I know this is not possible with puppet.
> >>
> >> Marcello, I want to understand your use case. AD and LDAP seem to be
> >> fairly common in Puppet installations, and I'd like for ssh::auth to
> >> work well with them. But I'm not that familiar with them.
> >>
> >> Are you saying that once a user is authorized for a host (or the whole
> >> domain), the user exists on that host, but his/her home directory
> >> doesn't, until they first log in?
> >
> > The user doesn't exactly "exist" on that host. The user and his group
> > membership are 'visible' (via AD/ldap) and he might be authorized to login
> > to that host. His homedir doesn't exist initially indeed.
> >
> >> When the user logs in, is his/her home directory automounted from a
> >> network share?
> >
> > No, although this might be possible.
> > But this is not default and is not what I want now.
> >
> >> In that case, the place to deploy the ssh keys would be in the
> >> user's home directory on the file server. Or, is the home directory
> >> created locally on the host the first time the user logs in?
> >
> > Exactly.
> >
> >> It would seem to me that once a user is authorized for a host, you'd
> >> want to create his/her ~/.ssh/authorized_keys right away, so they can
> >> log in by ssh.
> >> If you can explain the sequence of how users get created and
> >> authorized and when their home directories get created, it would help
> >> me to address the need.
> >>
> >> Andrew.
> >
> > Let me try to explain that:
> > Based on an AD group membership I allow the users to login or not. If you
> > don't configure that parameter on the lwopen (Likewise-open) client ("require
> > membership of") all domain users are allowed to login.
> >
> > Next to that, Likewise-open uses a hash of your ActiveDirectory UID/GID to
> > generate your unix UID/GID.
> > Once you login to the machine for the first time lwopen will create your
> > homedir with the proper rights (proper hashed UID/GID and optionally
> > domainname). For example, an "ls -ln" would show some info like:
> >
> > drwxr-xr-x 953680985 953680385 /home/mydomain/myusername
> >
> > Next to that, lwopen would create a .k5login in that directory to allow
> > single sign on via Kerberos. That's one more reason I need lwopen doing that
> > and not puppet.
> >
> > My whole lwopen configuration is deployed via puppet. On the machines that I
> > login to, after my homedir is properly created, I would like to be able to
> > deploy my .ssh/authorized_keys as an alternative to Kerberos SSO. Btw,
> > that's because Kerberos SSO has some issues, but that's off-topic. :)
> >
> > So what I need looks simple but surprisingly difficult to achieve:
> >>> "IF homedir exists => deploy .ssh/authorized_keys , else do nothing"
> >
> > Is this enough info about the use case? Ideas anyone?
> >
> > Gr,
> > Marcello
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.