I've solved this by moving ssh keys to a different location outside /home/user/.ssh to /etc/ssh.d/user. This gives you full control over the ssh-keys without the possibility that a user more or less accidentally change it to something not compliant. You can take a look at my ssh module ( https://forge.puppet.com/thbe/ssh) which should give you an indication how it's done.
Regards Thomas 2016-07-05 16:22 GMT+02:00 dkoleary <dkole...@olearycomputers.com>: > Hey, all; > > I have a number of application administration accounts which can be > accessed via a select set of ssh keys. I've seen several pages/recipes for > using virtual users and the ssh_authorized_key resource which look like > they work well for adding and deleting keys; but, not necessarily for > restricting access to *only* those keys. > > More specifically, I have ~ 1200 hosts. On all of them, I have an admin > account that should have ssh keys for four administrators. ~ 90% will have > other admin accounts that will have an additional key in the file and a few > outliers that will have 3 -4 other keys. > > Basically, what i"m looking for is having any keys that are not one of > those automatically removed. > > Is there a way to do that outside of using a file resource? I'm still > working my way through the ~38,000 google search results and am hoping to > cut that work down a bit. > > Any hints greatly appreciated. > > Thanks > > Doug O'Leary > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to puppet-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/puppet-users/d3b3ca4d-209b-412e-8f03-afe3dc8d5328%40googlegroups.com > <https://groups.google.com/d/msgid/puppet-users/d3b3ca4d-209b-412e-8f03-afe3dc8d5328%40googlegroups.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > -- performance, security, automation, SAP cimt consulting ag, Burchardstrasse 17, 20095 Hamburg fon: +49 (163) 6081 302, fax: +49 (40) 5 33 02-22, web: www.cimt.de key: FED7C867 at pgp.mit.edu Sitz der Gesellschaft: Hamburg, Amtsgericht Hamburg, HRB 74173 Vorstand: Christoph Friedlaender, Dr.-Ing. Thorsten Kuhlmann Vorsitzender des Aufsichtsrats: Christian Gottsmann -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAELoU1Pg7eynpV1Hdg7gY6o7EkQwbGv%3DNkDSy8oGW4X1gC%2BncQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
