To be more clear, I'm trying to allow the same key for different users, but my tests also tell me that the ssh_authorized_key functionality always adds keys without any previous check of the authorized file contents, so if the key was already there it's inserted on each agent -> master loop, resulting in duplicate lines.
That's why I decided on a Ruby DSL ENC version, having init.rb:

    hostclass :actkeys , :arguments => {'accounts' => AST::ASTArray.new([])} do
      accounts = scope.lookupvar('accounts')

      -----

      accounts.each_with_index do |account, i|
        raise Puppet::Error, "accounts[#{i}] must be a Hash" unless account.kind_of?(Hash)

        account_defaults = {
          'file_key' => '/home/' + account['login'] + '/.ssh/authorized_keys',
          'key_name' => account['login'] + '_' + account['email'],
        }

        # Fill in defaults
        account.merge!(account_defaults) { |k, v1, v2| v1 }

        # Must be user resource
        user(account['login'], :ensure => 'present')
        file(account['file_key'], :ensure => 'present')

        line_chk = "ssh-#{account['type']} #{account['key']} #{account['key_name']}"

        # Declare the key only when the exact line is not already in the file
        if ! File.open(account['file_key']).lines.any? { |line| line.chomp == "#{line_chk}" }
          ssh_authorized_key(account['key_name'],
            :ensure => 'present',
            :key    => account['key'],
            :type   => account['type'],
            :user   => account['login']
          )
        end

But this version gets a permission denied error in File.open( ... ):

    err: Could not retrieve catalog from remote server: Error 400 on SERVER: Puppet::Parser::Compiler failed with error Errno::EACCES: Permission denied - /home/ppuser6/.ssh/authorized_keys on node casa

I fixed /etc/puppet/fileserver.conf and the file permissions but I don't get it yet.

Any suggestions?

Regards,
eduardo.

On 7 jun, 10:32, eduardo <erodr...@gmail.com> wrote:
> Thank you Felix for your answer. Yes, I'm trying to allow the same
> key for different users and I'm checking your advice, it's welcome.
>
> I had been looking for more control over the authorized_keys file contents.
> I'm trying another version using Ruby DSL ENC, taking advantage of
> the power of the Ruby language.
>
> ├── actkeys
> │   └── manifests
> │       └── init.rb
>
> Having init.rb something like :
>
> hostclass :actkeys , :arguments => {'accounts' => AST::ASTArray.new([])} do
>   accounts = scope.lookupvar('accounts')
>
>   ----
>
>   accounts.each_with_index do |account, i|
>     raise Puppet::Error, "accounts[#{i}] must be a Hash" unless account.kind_of?(Hash)
>
>   ---
>
> I think this way is great because it allows us to compare class parameter
> values against the file's contents and anything in the agent environment;
> nevertheless I'm pretty sure there might be a simple pure puppet solution.
> Meanwhile, I'm learning at the same enjoy puppet package.
>
> I appreciate your help
> eduardo.
>
> On 7 jun, 03:49, Felix Frank <felix.fr...@alumni.tu-berlin.de> wrote:
>
> > Hi,
> >
> > On 06/05/2012 05:17 PM, eduardo wrote:
> > > First one is about how to avoid duplicate lines in authorized_keys,
> > > having something like :
> > >
> > > define add_ssh_key( $key, $type ) {
> > >
> > >   $username = $title
> > >
> > >   ssh_authorized_key{ "${username}_${key}":
> > >     ensure  => present,
> > >     key     => $key,
> > >     type    => $type,
> > >     user    => $username,
> > >     require => file["/home/$username/.ssh/authorized_keys"]
> > >   }
> > >
> > > }
> >
> > this should not produce duplicate lines by any means.
> >
> > It *will* however include the public key into the name of each key,
> > which may be what's annoying you.
> >
> > Why are you wrapping the ssh_authorized_key? Are you allowing the same
> > key to lots of different users?
> >
> > If so, you could try and make things more readable by only using the
> > first 12 or so characters from the pubkey for the generated name (e.g.
> > using http://docs.puppetlabs.com/references/stable/function.html#sprintf).
> >
> > But honestly, I would add the key name as a third parameter and name the
> > resources like this:
> >
> > define add_ssh_key( $key, $type, $keyname ) {
> >   $username = $title
> >   ssh_authorized_key{ "${keyname}_for_${username}":
> >     ...
> >   }
> > }
> >
> > HTH,
> > Felix

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
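
Added example (not part of the thread and not Puppet's own code): a stand-alone Ruby audit of authorized_keys content that contrasts a whole-line comparison, as in the line_chk test above, with a comparison on key type and key material, which also catches the same key stored under a different name or with options. The function names, the simplified line regex and the sample file are assumptions constructed for illustration.

```ruby
# Simplified authorized_keys line pattern (assumption): [options] type blob [comment]
KEY_RE = %r{(?:\A|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?\z}

Entry = Struct.new(:type, :blob, :comment, :lineno)

# Parse authorized_keys text into entries; blank lines and comments are skipped.
def parse_authorized_keys(text)
  text.each_line.with_index(1).map do |line, n|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    m = KEY_RE.match(line)
    m && Entry.new(m[1], m[2], m[3].to_s, n)
  end.compact
end

# Group entries that carry the same public key, whatever their comment says.
def duplicate_keys(entries)
  entries.group_by { |e| [e.type, e.blob] }.select { |_, es| es.size > 1 }
end

# Whole-line check: true only if type, key AND name all match one line exactly.
def line_present?(text, type, key, name)
  text.each_line.any? { |l| l.chomp == "ssh-#{type} #{key} #{name}" }
end

# Key-material check: true if the key is already authorised under any name.
def key_present?(entries, type, key)
  entries.any? { |e| e.type == "ssh-#{type}" && e.blob == key }
end

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = <<~KEYS
  # managed by puppet
  ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLE1 ppuser6_a@example.com
  from="10.0.0.1",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLE1 ppuser6_b@example.com
  ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLE2 other@example.com
KEYS

if __FILE__ == $PROGRAM_NAME
  entries = parse_authorized_keys(SAMPLE)
  duplicate_keys(entries).each do |(type, blob), es|
    puts "#{type} #{blob[0, 16]}... appears on lines #{es.map(&:lineno).join(', ')}"
  end
end
```

Run against a copy of a real authorized_keys file on the node that owns it, the same functions list every key that is authorised more than once for that account.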