From fdc2fc2dfcea6dc835b27b3fd98dd615f07fee70 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 12 Feb 2015 23:09:56 +0100 Subject: [PATCH 01/19] Add 'ssh_auth_file' pillar key to generate an authorized_keys file from given ssh public keys. --- pillar.example | 4 ++++ users/init.sls | 12 ++++++++++++ 2 files changed, 16 insertions(+) diff --git a/pillar.example b/pillar.example index 9085ac2..f095548 100644 --- a/pillar.example +++ b/pillar.example @@ -28,6 +28,10 @@ users: - PUBLICKEY ssh_auth.absent: - PUBLICKEY_TO_BE_REMOVED + # Generates an authorized_keys file for the user + # with the given keys + ssh_auth_file: + - PUBLICKEY google_auth: ssh: | SOMEGAUTHHASHVAL diff --git a/users/init.sls b/users/init.sls index 41877c7..ea548d6 100644 --- a/users/init.sls +++ b/users/init.sls @@ -167,6 +167,18 @@ ssh_auth_delete_{{ name }}_{{ loop.index0 }}: {% endfor %} {% endif %} +{% if 'ssh_auth_file' in user %} +{{ home }}/.ssh/authorized_keys: + file.managed: + - user: {{ name }} + - group: {{ name }} + - mode: 600 + - contents: | + {% for auth in user.ssh_auth_file -%} + {{ auth }} + {% endfor -%} +{% endif %} + {% if 'sudouser' in user and user['sudouser'] %} sudoer-{{ name }}: From d416b6d8393593f85667a2c0ae578cb228102eb8 Mon Sep 17 00:00:00 2001 From: root Date: Fri, 13 Mar 2015 13:32:39 +0100 Subject: [PATCH 02/19] Move ssh_auth_file key processing to before ssh_auth key to extend instead of overwrite functionality. --- users/init.sls | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/users/init.sls b/users/init.sls index ea548d6..181d4a0 100644 --- a/users/init.sls +++ b/users/init.sls 
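Review bot: The new `{{ home }}/.ssh/authorized_keys` state at the end of the users/init.sls hunk has no `require`, unlike the `ssh_auth_*` states in the same file which require `{{ name }}_user`; it relies on definition order alone, and `file.managed` fails outright rather than creating `.ssh` if the keydir state has not run yet. Add `- require:` / `  - user: {{ name }}_user` / `  - file: user_keydir_{{ name }}` (the keydir state id is not in this hunk, so confirm the name). `- group: {{ name }}` also assumes the primary group is named after the user, which the `prime_group` pillar key this formula supports contradicts, and `mode: 600` is better written `'0600'` to match the quoted `'0440'` used for sudoers files here. The pillar comment should say this is a whole-file replace, so any key present on the host but absent from `ssh_auth_file` is removed on every run — that is the point of the feature, but it will surprise people who add keys by hand.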
@@ -142,6 +142,17 @@ user_{{ name }}_public_key: {% endfor %} {% endif %} +{% if 'ssh_auth_file' in user %} +{{ home }}/.ssh/authorized_keys: + file.managed: + - user: {{ name }} + - group: {{ name }} + - mode: 600 + - contents: | + {% for auth in user.ssh_auth_file -%} + {{ auth }} + {% endfor -%} +{% endif %} {% if 'ssh_auth' in user %} {% for auth in user['ssh_auth'] %} @@ -167,18 +178,6 @@ ssh_auth_delete_{{ name }}_{{ loop.index0 }}: {% endfor %} {% endif %} -{% if 'ssh_auth_file' in user %} -{{ home }}/.ssh/authorized_keys: - file.managed: - - user: {{ name }} - - group: {{ name }} - - mode: 600 - - contents: | - {% for auth in user.ssh_auth_file -%} - {{ auth }} - {% endfor -%} -{% endif %} - {% if 'sudouser' in user and user['sudouser'] %} sudoer-{{ name }}: From f083cac657b87f570f76aeae9395ea429eaa3745 Mon Sep 17 00:00:00 2001 From: Nitin Madhok Date: Fri, 20 Mar 2015 20:12:18 -0400 Subject: [PATCH 03/19] Update LICENSING year --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 1e89a0b..ddd5858 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ - Copyright (c) 2014 Salt Stack Formulas + Copyright (c) 2014-2015 Salt Stack Formulas Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. From 1f80412da83091d159f827aeddcad2866e87a76d Mon Sep 17 00:00:00 2001 From: Andrew Vant Date: Thu, 2 Apr 2015 13:01:30 -0400 Subject: [PATCH 04/19] Added option to source ssh public keys from files. --- pillar.example | 5 +++++ users/init.sls | 12 ++++++++++++ 2 files changed, 17 insertions(+) diff --git a/pillar.example b/pillar.example index f095548..7b4ae59 100644 --- a/pillar.example +++ b/pillar.example 
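Review bot: Moving the `ssh_auth_file` state ahead of the `ssh_auth` loop makes the two fight on every run rather than extend each other: `file.managed` rewrites authorized_keys to exactly the pillar list, then each `ssh_auth.present` re-appends its key, so every highstate reports changes and the `ssh_auth` keys are briefly absent between the two states. Either render the `ssh_auth` entries into the same `contents` block and skip the `ssh_auth.present` states when `ssh_auth_file` is set, or document in pillar.example that the two keys are mutually exclusive. The ordering also rests on Salt's definition-order default rather than a requisite; a comment above the state such as `# must run before the ssh_auth.present states below, which append to this file` should at least record that dependency.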
@@ -32,6 +32,11 @@ users: # with the given keys ssh_auth_file: - PUBLICKEY + # If you prefer to keep public keys as files rather + # than inline in pillar, this works. + ssh_auth_sources: + - salt://keys/buser.id_rsa.pub + google_auth: ssh: | SOMEGAUTHHASHVAL diff --git a/users/init.sls b/users/init.sls index 181d4a0..7adada4 100644 --- a/users/init.sls +++ b/users/init.sls @@ -166,6 +166,18 @@ ssh_auth_{{ name }}_{{ loop.index0 }}: {% endfor %} {% endif %} +{% if 'ssh_auth_sources' in user %} +{% for pubkey_file in user['ssh_auth_sources'] %} +ssh_auth_source_{{ name }}_{{ loop.index0 }}: + ssh_auth.present: + - user: {{ name }} + - source: {{ pubkey_file }} + - require: + - file: {{ name }}_user + - user: {{ name }}_user +{% endfor %} +{% endif %} + {% if 'ssh_auth.absent' in user %} {% for auth in user['ssh_auth.absent'] %} ssh_auth_delete_{{ name }}_{{ loop.index0 }}: From 1546e2d18620526fe13d55e952b98ee074cb08ab Mon Sep 17 00:00:00 2001 From: tiger-seo Date: Mon, 6 Apr 2015 22:34:59 +0300 Subject: [PATCH 05/19] possibility to define user-specific Defaults --- pillar.example | 2 ++ users/init.sls | 23 +++++++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/pillar.example b/pillar.example index 7b4ae59..070f41a 100644 --- a/pillar.example +++ b/pillar.example @@ -14,6 +14,8 @@ users: sudo_rules: - ALL=(root) /usr/bin/find - ALL=(otheruser) /usr/bin/script.sh + sudo_defaults: + - !requiretty shell: /bin/bash prime_group: name: primarygroup diff --git a/users/init.sls b/users/init.sls index 7adada4..7fefed0 100644 --- a/users/init.sls +++ b/users/init.sls @@ -198,6 +198,7 @@ sudoer-{{ name }}: - user: root - group: {{ users.root_group }} - mode: '0440' +{% if 'sudo_rules' in user or 'sudo_defaults' in user %} {% if 'sudo_rules' in user %} {% for rule in user['sudo_rules'] %} "validate {{ name }} sudo rule {{ loop.index0 }} {{ name }} {{ rule }}": 
@@ -211,13 +212,35 @@ sudoer-{{ name }}: - require_in: - file: {{ users.sudoers_dir }}/{{ name }} {% endfor %} +{% endif %} +{% if 'sudo_defaults' in user %} +{% for entry in user['sudo_defaults'] %} +"validate {{ name }} sudo Defaults {{ loop.index0 }} {{ name }} {{ entry }}": + cmd.run: + - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }' + - stateful: True + - shell: {{ users.visudo_shell }} + - env: + # Specify the rule via an env var to avoid shell quoting issues. + - rule: "Defaults:{{ name }} {{ entry }}" + - require_in: + - file: {{ users.sudoers_dir }}/{{ name }} +{% endfor %} +{% endif %} {{ users.sudoers_dir }}/{{ name }}: file.managed: - contents: | + {%- if 'sudo_defaults' in user %} + {%- for entry in user['sudo_defaults'] %} + Defaults:{{ name }} {{ entry }} + {%- endfor %} + {%- endif %} + {%- if 'sudo_rules' in user %} {%- for rule in user['sudo_rules'] %} {{ name }} {{ rule }} {%- endfor %} + {%- endif %} - require: - file: sudoer-defaults - file: sudoer-{{ name }} From 0aab4b551616e1fd3a7b78b0b1fffdf5a318fa95 Mon Sep 17 00:00:00 2001 From: tiger-seo Date: Sat, 11 Apr 2015 15:14:36 +0300 Subject: [PATCH 06/19] fixing example for sudo defaults for specific user --- pillar.example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pillar.example b/pillar.example index 070f41a..9c88b56 100644 --- a/pillar.example +++ b/pillar.example @@ -15,7 +15,7 @@ users: - ALL=(root) /usr/bin/find - ALL=(otheruser) /usr/bin/script.sh sudo_defaults: - - !requiretty + - '!requiretty' shell: /bin/bash prime_group: name: primarygroup From 031d6ce81f11371dfafeff32ad67ed528c0f79cd Mon Sep 17 00:00:00 2001 
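Review bot: The new `validate … sudo Defaults` `cmd.run` cannot fail: the pipeline's exit status is that of the `{ read …; if …; fi }` group, which is 0 whether or not visudo accepted the entry, and with `stateful: True` a rejected entry only prints a line and the state passes, so `require_in` never blocks the rejected `Defaults:` line from being written into `{{ users.sudoers_dir }}/{{ name }}`. visudo reports parse errors on stderr, which this pipe does not capture, so `$output` is empty on failure and the reason is lost; the shell also runs without `pipefail`, so visudo's own non-zero exit is masked. Change the command to `'visudo -cf - <<<"$rule" 2>&1 | { read output; if [[ $output != "stdin: parsed OK" ]]; then echo "$output"; exit 1; fi }'`, and apply the same fix to the existing `sudo_rules` validator this block was copied from.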
From: Alex Ciobica Date: Fri, 1 May 2015 18:48:28 +0300 Subject: [PATCH 07/19] Add pulling keys from other pillar. Example pillar: ssh_keys: id_rsa: privkey: | -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2HcWUVBgh+vY U7sCwx/dH6+VvNwmCoqmNnP+8gTPKGl1vgAObJAnMT623dMXjVKwnEagZPRJIxDy B/HaAre9euNiY3LvIzBTWRSeMfT+rWvIKVBpvwlgGrfgz70m0pqxu+UyFbAGLin+ GpxzZAMaFpZw4sSbIlRuissXZj/sHpQb8p9M5IeO4Z3rjkCP1cxI -----END RSA PRIVATE KEY----- pubkey: | ssh-rsa MIIEowIBAAKCAQEAoQiwO3JhBquPAalQF9qP1lLZNXVjYMIswrMe2H.... --- pillar.example | 6 ++++++ users/init.sls | 21 +++++++++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/pillar.example b/pillar.example index 9c88b56..1dc0c6c 100644 --- a/pillar.example +++ b/pillar.example @@ -23,9 +23,15 @@ users: groups: - users ssh_key_type: rsa + # You can inline the private keys ... ssh_keys: privkey: PRIVATEKEY pubkey: PUBLICKEY + # ... or you can pull them from a different pillar, + # for example one called "ssh_keys": + ssh_keys_pillar: + id_rsa: "ssh_keys" + another_key_pair: "ssh_keys" ssh_auth: - PUBLICKEY ssh_auth.absent: diff --git a/users/init.sls b/users/init.sls index 7fefed0..ec9915f 100644 --- a/users/init.sls +++ b/users/init.sls 
@@ -166,6 +166,23 @@ ssh_auth_{{ name }}_{{ loop.index0 }}: {% endfor %} {% endif %} +{% if 'ssh_keys_pillar' in user %} +{% for key_name, pillar_name in user['ssh_keys_pillar'].iteritems() %} +ssh_keys_files_{{ name }}_{{ key_name }}_pub: + file.managed: + - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name + }}.pub + - contents: | + {{ pillar[pillar_name][key_name]['pubkey'] }} +ssh_keys_files_{{ name }}_{{ key_name }}_priv: + file.managed: + - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name + }} + - contents: | + {{ pillar[pillar_name][key_name]['privkey'] | indent(8) }} +{% endfor %} +{% endif %} + {% if 'ssh_auth_sources' in user %} {% for pubkey_file in user['ssh_auth_sources'] %} ssh_auth_source_{{ name }}_{{ loop.index0 }}: @@ -196,7 +213,7 @@ sudoer-{{ name }}: file.managed: - name: {{ users.sudoers_dir }}/{{ name }} - user: root - - group: {{ users.root_group }} + - group: {{ users.root_group }} - mode: '0440' {% if 'sudo_rules' in user or 'sudo_defaults' in user %} {% if 'sudo_rules' in user %} @@ -205,7 +222,7 @@ sudoer-{{ name }}: cmd.run: - name: 'visudo -cf - <<<"$rule" | { read output; if [[ $output != "stdin: parsed OK" ]] ; then echo $output ; fi }' - stateful: True - - shell: {{ users.visudo_shell }} + - shell: {{ users.visudo_shell }} - env: # Specify the rule via an env var to avoid shell quoting issues. - rule: "{{ name }} {{ rule }}" From 701326e23f3d8760ee06d94a6ce9909911dcf103 Mon Sep 17 00:00:00 2001 From: Florian Bittner Date: Thu, 7 May 2015 00:07:06 +0200 Subject: [PATCH 08/19] Add prefix 'users_' to all first level keys to prevent duplicate ids (e.g. in combination with zabbix-formula and key zabbis_user). --- users/googleauth.sls | 8 ++--- users/init.sls | 79 +++++++++++++++++++++++--------------------- users/sudo.sls | 18 +++++----- 3 files changed, 55 insertions(+), 50 deletions(-) diff --git a/users/googleauth.sls b/users/googleauth.sls index 55260f6..7342132 100644 
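Review bot: The `ssh_keys_files_{{ name }}_{{ key_name }}_priv` state writes a private key with `file.managed` defaults — no `user`, `group` or `mode`, so the file is created root-owned with the default world-readable mode and is unusable by the user it is meant for — and without `show_diff: False` the key material is printed in state output and logs on every change. The existing `user_{{ name }}_private_key` state elsewhere in users/init.sls uses `mode: 600`, `show_diff: False` and `contents_pillar`; mirror it, which also removes the `| indent(8)` workaround and keeps the key out of Jinja rendering, since `contents_pillar` takes the pillar path directly. `.iteritems()` is Python 2 only as well; `.items()` is what the rest of this file uses.
```yaml
ssh_keys_files_{{ name }}_{{ key_name }}_priv:
  file.managed:
    - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}
    - user: {{ name }}
    - group: {{ name }}
    - mode: 600
    - show_diff: False
    - contents_pillar: {{ pillar_name }}:{{ key_name }}:privkey
    - require:
      - user: {{ name }}_user
# … unchanged: the matching _pub state, which should likewise get user/group and mode 644 …
```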
--- a/users/googleauth.sls +++ b/users/googleauth.sls @@ -1,15 +1,15 @@ # vim: sts=2 ts=2 sw=2 et ai {% from "users/map.jinja" import users with context %} -googleauth-package: +users_googleauth-package: pkg.installed: - name: {{ users.googleauth_package }} - require: - file: {{ users.googleauth_dir }} -{{ users.googleauth_dir }}: - file: - - directory +users_{{ users.googleauth_dir }}: + file.directory: + - name: {{ users.googleauth_dir }} - user: root - group: {{ users.root_group }} - mode: 600 diff --git a/users/init.sls b/users/init.sls index ec9915f..9326b26 100644 --- a/users/init.sls +++ b/users/init.sls @@ -38,13 +38,13 @@ include: {%- endif %} {% for group in user.get('groups', []) %} -{{ name }}_{{ group }}_group: +users_{{ name }}_{{ group }}_group: group: - name: {{ group }} - present {% endfor %} -{{ name }}_user: +users_{{ name }}_user: {% if user.get('createhome', True) %} file.directory: - name: {{ home }} @@ -98,7 +98,7 @@ include: - group: {{ group }} {% endfor %} -user_keydir_{{ name }}: +users_user_keydir_{{ name }}: file.directory: - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh - user: {{ name }} @@ -114,7 +114,7 @@ user_keydir_{{ name }}: {% if 'ssh_keys' in user %} {% set key_type = 'id_' + user.get('ssh_key_type', 'rsa') %} -user_{{ name }}_private_key: +users_user_{{ name }}_private_key: file.managed: - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }} - user: {{ name }} @@ -123,11 +123,11 @@ user_{{ name }}_private_key: - show_diff: False - contents_pillar: users:{{ name }}:ssh_keys:privkey - require: - - user: {{ name }}_user + - user: users_{{ name }}_user {% for group in user.get('groups', []) %} - - group: {{ name }}_{{ group }}_group + - group: users_{{ name }}_{{ group }}_group {% endfor %} -user_{{ name }}_public_key: +users_user_{{ name }}_public_key: file.managed: - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_type }}.pub - user: {{ name }} 
@@ -136,15 +136,16 @@ user_{{ name }}_public_key: - show_diff: False - contents_pillar: users:{{ name }}:ssh_keys:pubkey - require: - - user: {{ name }}_user + - user: users_{{ name }}_user {% for group in user.get('groups', []) %} - - group: {{ name }}_{{ group }}_group + - group: users_{{ name }}_{{ group }}_group {% endfor %} {% endif %} {% if 'ssh_auth_file' in user %} -{{ home }}/.ssh/authorized_keys: +users_authorized_keys_{{ name }}: file.managed: + - name: {{ home }}/.ssh/authorized_keys - user: {{ name }} - group: {{ name }} - mode: 600 @@ -156,25 +157,25 @@ user_{{ name }}_public_key: {% if 'ssh_auth' in user %} {% for auth in user['ssh_auth'] %} -ssh_auth_{{ name }}_{{ loop.index0 }}: +users_ssh_auth_{{ name }}_{{ loop.index0 }}: ssh_auth.present: - user: {{ name }} - name: {{ auth }} - require: - - file: {{ name }}_user - - user: {{ name }}_user + - file: users_{{ name }}_user + - user: users_{{ name }}_user {% endfor %} {% endif %} {% if 'ssh_keys_pillar' in user %} {% for key_name, pillar_name in user['ssh_keys_pillar'].iteritems() %} -ssh_keys_files_{{ name }}_{{ key_name }}_pub: +users_ssh_keys_files_{{ name }}_{{ key_name }}_pub: file.managed: - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }}.pub - contents: | {{ pillar[pillar_name][key_name]['pubkey'] }} -ssh_keys_files_{{ name }}_{{ key_name }}_priv: +users_ssh_keys_files_{{ name }}_{{ key_name }}_priv: file.managed: - name: {{ user.get('home', '/home/{0}'.format(name)) }}/.ssh/{{ key_name }} 
@@ -185,31 +186,31 @@ ssh_keys_files_{{ name }}_{{ key_name }}_priv: {% if 'ssh_auth_sources' in user %} {% for pubkey_file in user['ssh_auth_sources'] %} -ssh_auth_source_{{ name }}_{{ loop.index0 }}: +users_ssh_auth_source_{{ name }}_{{ loop.index0 }}: ssh_auth.present: - user: {{ name }} - source: {{ pubkey_file }} - require: - - file: {{ name }}_user - - user: {{ name }}_user + - file: users_{{ name }}_user + - user: users_{{ name }}_user {% endfor %} {% endif %} {% if 'ssh_auth.absent' in user %} {% for auth in user['ssh_auth.absent'] %} -ssh_auth_delete_{{ name }}_{{ loop.index0 }}: +users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}: ssh_auth.absent: - user: {{ name }} - name: {{ auth }} - require: - - file: {{ name }}_user - - user: {{ name }}_user + - file: users_{{ name }}_user + - user: users_{{ name }}_user {% endfor %} {% endif %} {% if 'sudouser' in user and user['sudouser'] %} -sudoer-{{ name }}: +users_sudoer-{{ name }}: file.managed: - name: {{ users.sudoers_dir }}/{{ name }} - user: root @@ -227,7 +228,7 @@ sudoer-{{ name }}: # Specify the rule via an env var to avoid shell quoting issues. - rule: "{{ name }} {{ rule }}" - require_in: - - file: {{ users.sudoers_dir }}/{{ name }} + - file: users_{{ users.sudoers_dir }}/{{ name }} {% endfor %} {% endif %} {% if 'sudo_defaults' in user %} @@ -241,12 +242,13 @@ sudoer-{{ name }}: # Specify the rule via an env var to avoid shell quoting issues. - rule: "Defaults:{{ name }} {{ entry }}" - require_in: - - file: {{ users.sudoers_dir }}/{{ name }} + - file: users_{{ users.sudoers_dir }}/{{ name }} {% endfor %} {% endif %} -{{ users.sudoers_dir }}/{{ name }}: +users_{{ users.sudoers_dir }}/{{ name }}: file.managed: + - name: {{ users.sudoers_dir }}/{{ name }} - contents: | {%- if 'sudo_defaults' in user %} {%- for entry in user['sudo_defaults'] %} 
@@ -259,18 +261,18 @@ sudoer-{{ name }}: {%- endfor %} {%- endif %} - require: - - file: sudoer-defaults - - file: sudoer-{{ name }} + - file: users_sudoer-defaults + - file: users_sudoer-{{ name }} {% endif %} {% else %} -{{ users.sudoers_dir }}/{{ name }}: +users_{{ users.sudoers_dir }}/{{ name }}: file.absent: - name: {{ users.sudoers_dir }}/{{ name }} {% endif %} {%- if 'google_auth' in user %} {%- for svc in user['google_auth'] %} -googleauth-{{ svc }}-{{ name }}: +users_googleauth-{{ svc }}-{{ name }}: file.managed: - replace: false - name: {{ users.googleauth_dir }}/{{ name }}_{{ svc }} @@ -279,16 +281,17 @@ googleauth-{{ svc }}-{{ name }}: - group: {{ users.root_group }} - mode: 600 - require: - - pkg: googleauth-package + - pkg: users_googleauth-package {%- endfor %} {%- endif %} {% endfor %} {% for name, user in pillar.get('users', {}).items() if user.absent is defined and user.absent %} -{{ name }}: +users_absent_user_{{ name }}: {% if 'purge' in user or 'force' in user %} user.absent: + - name: {{ name }} {% if 'purge' in user %} - purge: {{ user['purge'] }} {% endif %} @@ -296,23 +299,25 @@ googleauth-{{ svc }}-{{ name }}: - force: {{ user['force'] }} {% endif %} {% else %} - user.absent + user.absent: + - name: {{ name }} {% endif -%} -{{ users.sudoers_dir }}/{{ name }}: +users_{{ users.sudoers_dir }}/{{ name }}: file.absent: - name: {{ users.sudoers_dir }}/{{ name }} {% endfor %} {% for user in pillar.get('absent_users', []) %} -{{ user }}: +users_absent_user_2_{{ user }}: user.absent -{{ users.sudoers_dir }}/{{ user }}: +users_2_{{ users.sudoers_dir }}/{{ user }}: file.absent: - name: {{ users.sudoers_dir }}/{{ user }} {% endfor %} {% for group in pillar.get('absent_groups', []) %} -{{ group }}: - group.absent +users_absent_group_{{ group }}: + group.absent: + - name: {{ group }} {% endfor %} diff --git a/users/sudo.sls b/users/sudo.sls index 5d852c9..2953ad2 100644 --- a/users/sudo.sls +++ b/users/sudo.sls 
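Review bot: The renamed `absent_users` state is broken: `users_absent_user_2_{{ user }}:` followed by a bare `user.absent` has no `- name:`, so Salt uses the state ID as the account name and tries to remove a user called `users_absent_user_2_<user>` — the real account is silently left in place, which turns a deprovisioning step into a no-op. The other renamed absent states in this hunk add an explicit name; do the same here: `users_absent_user_2_{{ user }}:` / `  user.absent:` / `    - name: {{ user }}`. The `_2_` infix in these IDs also deserves a comment saying it only exists to avoid colliding with the `users:`-driven absent loop above.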
@@ -2,31 +2,31 @@ {% from "users/map.jinja" import users with context %} # Ensure availability of bash -bash-package: +users_bash-package: pkg.installed: - name: {{ users.bash_package }} -sudo-group: +users_sudo-group: group.present: - name: sudo - system: True -sudo-package: +users_sudo-package: pkg.installed: - name: {{ users.sudo_package }} - require: - - group: sudo-group + - group: users_sudo-group - file: {{ users.sudoers_dir }} -{{ users.sudoers_dir }}: - file: - - directory +users_{{ users.sudoers_dir }}: + file.directory: + - name: {{ users.sudoers_dir }} -sudoer-defaults: +users_sudoer-defaults: file.append: - name: {{ users.sudoers_file }} - require: - - pkg: sudo-package + - pkg: users_sudo-package - text: - Defaults env_reset - Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" From 3fc2a2bac94c92b7bfcededd31f77c5b2d5cd9a2 Mon Sep 17 00:00:00 2001 From: Nitin Madhok Date: Thu, 7 May 2015 13:39:04 -0400 Subject: [PATCH 09/19] Removing extra new line characters --- LICENSE | 1 - 1 file changed, 1 deletion(-) diff --git a/LICENSE b/LICENSE index ddd5858..8a9dff9 100644 --- a/LICENSE +++ b/LICENSE @@ -11,4 +11,3 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. - From 57c82f33241faccf9277064b4647a7aa500b0192 Mon Sep 17 00:00:00 2001 From: Sander Klein Date: Fri, 15 May 2015 21:47:40 +0200 Subject: [PATCH 10/19] Add ~/.ssh/config management This adds the ability to manage the ~/.ssh/config file for users. --- pillar.example | 11 +++++++++++ users/init.sls | 18 ++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/pillar.example b/pillar.example index 1dc0c6c..4526573 100644 --- a/pillar.example +++ b/pillar.example 
@@ -44,6 +44,17 @@ users: # than inline in pillar, this works. ssh_auth_sources: - salt://keys/buser.id_rsa.pub + # Manage the ~/.ssh/config file + ssh_config: + all: + hostname: "*" + options: + - "StrictHostKeyChecking no" + - "UserKnownHostsFile=/dev/null" + importanthost: + hostname: "needcheck.example.com" + options: + - "StrictHostKeyChecking yes" google_auth: ssh: | diff --git a/users/init.sls b/users/init.sls index 9326b26..2b740b5 100644 --- a/users/init.sls +++ b/users/init.sls @@ -208,6 +208,24 @@ users_ssh_auth_delete_{{ name }}_{{ loop.index0 }}: {% endfor %} {% endif %} +{% if 'ssh_config' in user %} +users_ssh_config_{{ name }}: + file.managed: + - name: {{ home }}/.ssh/config + - user: {{ name }} + - group: {{ user_group }} + - mode: 640 + - contents: | + # Managed by Saltstack + {% for label, setting in user.ssh_config.items() %} + # {{ label }} + Host {{ setting.get('hostname') }} + {%- for opts in setting.get('options') %} + {{ opts }} + {%- endfor %} + {% endfor -%} +{% endif %} + {% if 'sudouser' in user and user['sudouser'] %} users_sudoer-{{ name }}: From 3a8d72b947c05d6ac5791e6b7d33d0355118c070 Mon Sep 17 00:00:00 2001 From: Sander Klein Date: Sat, 16 May 2015 09:56:20 +0200 Subject: [PATCH 11/19] Add "Do Not Edit" part --- users/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/users/init.sls b/users/init.sls index 2b740b5..30bbda8 100644 --- a/users/init.sls +++ b/users/init.sls @@ -217,6 +217,7 @@ users_ssh_config_{{ name }}: - mode: 640 - contents: | # Managed by Saltstack + # Do Not Edit {% for label, setting in user.ssh_config.items() %} # {{ label }} Host {{ setting.get('hostname') }} From 29ce431151933a6d90638d3570eddb5fc4550715 Mon Sep 17 00:00:00 2001 
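Review bot: ssh takes the first value it finds for each option, so the order of the `Host` stanzas rendered from `user.ssh_config.items()` in the users/init.sls hunk is security-relevant, and plain dict iteration gives no guarantee that `importanthost` is emitted before `all`; if `Host *` comes first, its `StrictHostKeyChecking no` wins for needcheck.example.com and the `yes` below it is dead config. Render wildcard stanzas after the specific ones and say so in the pillar comment. The pillar.example itself also puts `StrictHostKeyChecking no` and `UserKnownHostsFile=/dev/null` under `Host *`, which disables host-key verification for every connection the user makes; an example should scope that to a throwaway pattern such as `hostname: "*.lab.example.com"`.
```yaml
    - contents: |
        # Managed by Saltstack
        {# specific hosts first: ssh uses the first value it finds per option #}
        {% for label, setting in user.ssh_config.items() if setting.get('hostname') != '*' %}
        # {{ label }}
        Host {{ setting.get('hostname') }}
        {%- for opts in setting.get('options') %}
          {{ opts }}
        {%- endfor %}
        {% endfor -%}
        {# wildcard stanzas last, so they only fill in what is not set above #}
        {% for label, setting in user.ssh_config.items() if setting.get('hostname') == '*' %}
        {# … unchanged: same stanza body as above … #}
        {% endfor -%}
```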
From: Niels Abspoel Date: Wed, 10 Jun 2015 21:40:52 +0200 Subject: [PATCH 12/19] Added bashrc extension to users-formula This will ensure a given bashrc file in a users home dir. Default it will search for a bashrc in salt://users/files/bashrc/{{ username }}/bashrc If no file is found it will install the default from salt://users/files/bashrc/bashrc --- users/bashrc.sls | 26 ++++++++++++++++++++++++++ users/files/bashrc/bashrc | 9 +++++++++ 2 files changed, 35 insertions(+) create mode 100644 users/bashrc.sls create mode 100644 users/files/bashrc/bashrc diff --git a/users/bashrc.sls b/users/bashrc.sls new file mode 100644 index 0000000..1a461ee --- /dev/null +++ b/users/bashrc.sls @@ -0,0 +1,26 @@ +{% from "users/map.jinja" import users with context %} +include: + - users + +extend: +{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} +{%- if user == None -%} +{%- set user = {} -%} +{%- endif -%} +{%- set home = user.get('home', "/home/%s" % name) -%} + +{%- if 'prime_group' in user and 'name' in user['prime_group'] %} +{%- set user_group = user.prime_group.name -%} +{%- else -%} +{%- set user_group = name -%} +{%- endif %} + users_{{ name }}_user: + file.managed: + - name: {{ home }}/.bashrc + - owner: {{ name }} + - group: {{ user_group }} + - mode: 644 + - sources: + - salt://users/files/bashrc/{{ name }}/bashrc + - salt://users/files/bashrc/bashrc +{% endfor %} diff --git a/users/files/bashrc/bashrc b/users/files/bashrc/bashrc new file mode 100644 index 0000000..d6ccfde --- /dev/null +++ b/users/files/bashrc/bashrc @@ -0,0 +1,9 @@ +# +# ~/.bashrc +# +# +# If not running interactively, don't do anything +[[ $- != *i* ]] && return + +alias ls='ls --color=auto' +PS1='[\u@\h \W]\$ ' From eac091bf6691ca55648f0cc0833927adf00d8114 Mon Sep 17 00:00:00 2001 
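Review bot: `extend:` adds `file.managed` to `users_{{ name }}_user`, but that ID already carries `file.directory` for the home directory in users/init.sls, and Salt does not accept two functions of the same state module under one ID, so this is likely to fail at highstate compile rather than manage `.bashrc`; give the state its own ID such as `users_{{ name }}_user_bashrc`. `- owner:` is not a `file.managed` argument — the owner is `- user:` — and `- sources:` should be `- source:`, otherwise the file is written root-owned from no source at all. Later patches in this series appear to address these, so they only need confirming against the final tree.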
From: Niels Abspoel Date: Wed, 10 Jun 2015 22:03:26 +0200 Subject: [PATCH 13/19] fix sources to source --- users/bashrc.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/users/bashrc.sls b/users/bashrc.sls index 1a461ee..7415f4b 100644 --- a/users/bashrc.sls +++ b/users/bashrc.sls @@ -20,7 +20,7 @@ extend: - owner: {{ name }} - group: {{ user_group }} - mode: 644 - - sources: + - source: - salt://users/files/bashrc/{{ name }}/bashrc - salt://users/files/bashrc/bashrc {% endfor %} From b4acac9de72ae5c6d28e9816e47bd3c5debf4eb6 Mon Sep 17 00:00:00 2001 From: Niels Abspoel Date: Wed, 10 Jun 2015 22:56:57 +0200 Subject: [PATCH 14/19] Added vimrc extension to users-formula This will ensure that a given vimrc file in a users home dir is managed Default it will search for a vimrc in salt://users/files/vimrc/{{ username }}/vimrc If this isn't found it will install salt://users/files/vimrc/vimrc --- users/files/vimrc/vimrc | 160 ++++++++++++++++++++++++++++++++++++++++ users/vimrc.sls | 27 +++++++ 2 files changed, 187 insertions(+) create mode 100644 users/files/vimrc/vimrc create mode 100644 users/vimrc.sls diff --git a/users/files/vimrc/vimrc b/users/files/vimrc/vimrc new file mode 100644 index 0000000..fef9e87 --- /dev/null +++ b/users/files/vimrc/vimrc 
@@ -0,0 +1,160 @@ +" URL: http://vim.wikia.com/wiki/Example_vimrc +" Authors: http://vim.wikia.com/wiki/Vim_on_Freenode +" Description: A minimal, but feature rich, example .vimrc. If you are a +" newbie, basing your first .vimrc on this file is a good choice. +" If you're a more advanced user, building your own .vimrc based +" on this file is still a good idea. + +"------------------------------------------------------------ +" Features {{{1 +" +" These options and commands enable some very useful features in Vim, that +" no user should have to live without. + +" Set 'nocompatible' to ward off unexpected things that your distro might +" have made, as well as sanely reset options when re-sourcing .vimrc +set nocompatible + +" Attempt to determine the type of a file based on its name and possibly its +" contents. Use this to allow intelligent auto-indenting for each filetype, +" and for plugins that are filetype specific. +filetype indent plugin on + +" Enable syntax highlighting +syntax on + + +"------------------------------------------------------------ +" Must have options {{{1 +" +" These are highly recommended options. + +" Vim with default settings does not allow easy switching between multiple files +" in the same editor window. Users can use multiple split windows or multiple +" tab pages to edit multiple files, but it is still best to enable an option to +" allow easier switching between files. +" +" One such option is the 'hidden' option, which allows you to re-use the same +" window and switch from an unsaved buffer without saving it first. Also allows +" you to keep an undo history for multiple files when re-using the same window +" in this way. Note that using persistent undo also lets you undo in multiple +" files even in the same window, but is less efficient and is actually designed +" for keeping undo history after closing Vim entirely. 
Vim will complain if you +" try to quit without saving, and swap files will keep you safe if your computer +" crashes. +set hidden + +" Note that not everyone likes working this way (with the hidden option). +" Alternatives include using tabs or split windows instead of re-using the same +" window as mentioned above, and/or either of the following options: +" set confirm +" set autowriteall + +" Better command-line completion +set wildmenu + +" Show partial commands in the last line of the screen +set showcmd + +" Highlight searches (use to temporarily turn off highlighting; see the +" mapping of below) +set hlsearch + +" Modelines have historically been a source of security vulnerabilities. As +" such, it may be a good idea to disable them and use the securemodelines +" script, . +" set nomodeline + + +"------------------------------------------------------------ +" Usability options {{{1 +" +" These are options that users frequently set in their .vimrc. Some of them +" change Vim's behaviour in ways which deviate from the true Vi way, but +" which are considered to add usability. Which, if any, of these options to +" use is very much a personal preference, but they are harmless. + +" Use case insensitive search, except when using capital letters +set ignorecase +set smartcase + +" Allow backspacing over autoindent, line breaks and start of insert action +set backspace=indent,eol,start + +" When opening a new line and no filetype-specific indenting is enabled, keep +" the same indent as the line you're currently on. Useful for READMEs, etc. +set autoindent + +" Stop certain movements from always going to the first character of a line. +" While this behaviour deviates from that of Vi, it does what most users +" coming from other editors would expect. 
+set nostartofline + +" Display the cursor position on the last line of the screen or in the status +" line of a window +set ruler + +" Always display the status line, even if only one window is displayed +set laststatus=2 + +" Instead of failing a command because of unsaved changes, instead raise a +" dialogue asking if you wish to save changed files. +set confirm + +" Use visual bell instead of beeping when doing something wrong +set visualbell + +" And reset the terminal code for the visual bell. If visualbell is set, and +" this line is also included, vim will neither flash nor beep. If visualbell +" is unset, this does nothing. +set t_vb= + +" Enable use of the mouse for all modes +set mouse=a + +" Set the command window height to 2 lines, to avoid many cases of having to +" "press to continue" +set cmdheight=2 + +" Display line numbers on the left +set number + +" Quickly time out on keycodes, but never time out on mappings +set notimeout ttimeout ttimeoutlen=200 + +" Use to toggle between 'paste' and 'nopaste' +set pastetoggle= + + +"------------------------------------------------------------ +" Indentation options {{{1 +" +" Indentation settings according to personal preference. + +" Indentation settings for using 4 spaces instead of tabs. +" Do not change 'tabstop' from its default value of 8 with this setup. +set shiftwidth=4 +set softtabstop=4 +set expandtab + +" Indentation settings for using hard tabs for indent. Display tabs as +" four characters wide. +"set shiftwidth=4 +"set tabstop=4 + + +"------------------------------------------------------------ +" Mappings {{{1 +" +" Useful mappings + +" Map Y to act like D and C, i.e. to yank until EOL, rather than act as yy, +" which is the default +map Y y$ + +" Map (redraw screen) to also turn off search highlighting until the +" next search +nnoremap :nohl + + +"------------------------------------------------------------ 
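Review bot: `" set nomodeline` is left commented out even though the comment right above it calls modelines a historical source of vulnerabilities; since this file is pushed to every managed user by the formula, it should ship with modelines disabled, `set nomodeline`, and individual users can opt back in. Several key names also look stripped from the text — `set pastetoggle=` has no key, and `nnoremap :nohl` and the comments around it lack the `<C-L>`/`<F11>`/`<CR>` tokens the upstream example vimrc uses — which may be an artefact of how this page was rendered rather than of the committed file, but `users/files/vimrc/vimrc` should be checked, because `nnoremap :nohl` with no lhs is not a mapping at all.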
diff --git a/users/vimrc.sls b/users/vimrc.sls new file mode 100644 index 0000000..34131c5 --- /dev/null +++ b/users/vimrc.sls @@ -0,0 +1,27 @@ +{% from "users/map.jinja" import users with context %} +include: + - users + - vim + +extend: +{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} +{%- if user == None -%} +{%- set user = {} -%} +{%- endif -%} +{%- set home = user.get('home', "/home/%s" % name) -%} + +{%- if 'prime_group' in user and 'name' in user['prime_group'] %} +{%- set user_group = user.prime_group.name -%} +{%- else -%} +{%- set user_group = name -%} +{%- endif %} + users_{{ name }}_user: + file.managed: + - name: {{ home }}/.vimrc + - owner: {{ name }} + - group: {{ user_group }} + - mode: 644 + - source: + - salt://users/files/vimrc/{{ name }}/vimrc + - salt://users/files/vimrc/vimrc +{% endfor %} From 35b9679b1f007af22ed8d0232b46d56af3c23104 Mon Sep 17 00:00:00 2001 From: Niels Abspoel Date: Wed, 10 Jun 2015 23:00:58 +0200 Subject: [PATCH 15/19] Updated the Readme --- README.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.rst b/README.rst index 2518089..1efde1d 100644 --- a/README.rst +++ b/README.rst @@ -27,3 +27,15 @@ and associated keys. Also configures sudo access, and absent users. Ensures the sudo group exists, the sudo package is installed and the sudo file is configured. + +``users.bashrc`` +---------------- + +Ensures the bashrc file exists in the users home directory + +``users.vimrc`` +--------------- + +Ensures the vimrc file exists in the users home directory. +This depends on the vim-formula to be installed + From 622b846d7f859a0a1fbdfe5794b9a6a8d30848ac Mon Sep 17 00:00:00 2001 
From: Niels Abspoel Date: Thu, 11 Jun 2015 23:34:16 +0200 Subject: [PATCH 16/19] Enable/disable bashrc/vimrc per user Made both states configurable per user in pillar data Had to drop extend, for this otherwise the extend would be empty if manage is False --- README.rst | 6 ++++-- pillar.example | 2 ++ users/bashrc.sls | 23 ++++++++++++----------- users/vimrc.sls | 23 ++++++++++++----------- 4 files changed, 30 insertions(+), 24 deletions(-) diff --git a/README.rst b/README.rst index 1efde1d..4d3279a 100644 --- a/README.rst +++ b/README.rst @@ -31,11 +31,13 @@ is configured. ``users.bashrc`` ---------------- -Ensures the bashrc file exists in the users home directory +Ensures the bashrc file exists in the users home directory. Set manage_bashrc: +True in pillar per user. Defaults to False ``users.vimrc`` --------------- -Ensures the vimrc file exists in the users home directory. +Ensures the vimrc file exists in the users home directory. Set manage_vimrc: +True in pillar per user. Defaults to False This depends on the vim-formula to be installed diff --git a/pillar.example b/pillar.example index 4526573..d6e0033 100644 --- a/pillar.example +++ b/pillar.example @@ -9,6 +9,8 @@ users: password: $6$w............. home: /custom/buser createhome: True + manage_vimrc: False + manage_bashrc: False expire: 16426 sudouser: True sudo_rules: diff --git a/users/bashrc.sls b/users/bashrc.sls index 7415f4b..fc268f4 100644 --- a/users/bashrc.sls +++ b/users/bashrc.sls 
@@ -2,25 +2,26 @@ include: - users -extend: {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} {%- if user == None -%} {%- set user = {} -%} {%- endif -%} {%- set home = user.get('home', "/home/%s" % name) -%} - +{%- set manage = user.get('manage_bashrc', False) -%} {%- if 'prime_group' in user and 'name' in user['prime_group'] %} {%- set user_group = user.prime_group.name -%} {%- else -%} {%- set user_group = name -%} {%- endif %} - users_{{ name }}_user: - file.managed: - - name: {{ home }}/.bashrc - - owner: {{ name }} - - group: {{ user_group }} - - mode: 644 - - source: - - salt://users/files/bashrc/{{ name }}/bashrc - - salt://users/files/bashrc/bashrc +{%- if manage -%} +users_{{ name }}_user_bashrc: + file.managed: + - name: {{ home }}/.bashrc + - user: {{ name }} + - group: {{ user_group }} + - mode: 644 + - source: + - salt://users/files/bashrc/{{ name }}/bashrc + - salt://users/files/bashrc/bashrc +{% endif %} {% endfor %} diff --git a/users/vimrc.sls b/users/vimrc.sls index 34131c5..e678bb6 100644 --- a/users/vimrc.sls +++ b/users/vimrc.sls 
@@ -3,25 +3,26 @@ include: - users - vim -extend: {% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} {%- if user == None -%} {%- set user = {} -%} {%- endif -%} {%- set home = user.get('home', "/home/%s" % name) -%} - +{%- set manage = user.get('manage_vimrc', False) -%} {%- if 'prime_group' in user and 'name' in user['prime_group'] %} {%- set user_group = user.prime_group.name -%} {%- else -%} {%- set user_group = name -%} {%- endif %} - users_{{ name }}_user: - file.managed: - - name: {{ home }}/.vimrc - - owner: {{ name }} - - group: {{ user_group }} - - mode: 644 - - source: - - salt://users/files/vimrc/{{ name }}/vimrc - - salt://users/files/vimrc/vimrc +{%- if manage -%} +users_{{ name }}_user_vimrc: + file.managed: + - name: {{ home }}/.vimrc + - user: {{ name }} + - group: {{ user_group }} + - mode: 644 + - source: + - salt://users/files/vimrc/{{ name }}/vimrc + - salt://users/files/vimrc/vimrc +{% endif %} {% endfor %} From a467d2a80f6a59e62e94889b88bc4066edb5b6e3 Mon Sep 17 00:00:00 2001 From: Bohdan Kmit Date: Wed, 1 Jul 2015 18:39:53 +0300 Subject: [PATCH 17/19] fix permission of GA config file --- users/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/users/init.sls b/users/init.sls index 30bbda8..dcf6136 100644 --- a/users/init.sls +++ b/users/init.sls @@ -298,7 +298,7 @@ users_googleauth-{{ svc }}-{{ name }}: - contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}' - user: root - group: {{ users.root_group }} - - mode: 600 + - mode: 400 - require: - pkg: users_googleauth-package {%- endfor %} From d0bbbda8aa22a0016bebb1214d25e4c9914b867a Mon Sep 17 00:00:00 2001 From: Bohdan Kmit Date: Wed, 1 Jul 2015 19:15:31 +0300 Subject: [PATCH 18/19] readd 2fa pam enforcement --- pillar.example | 1 + users/googleauth.sls | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/pillar.example b/pillar.example index d6e0033..d96ea29 100644 --- a/pillar.example 
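Review bot: Tightening the secret file to `400` does not stop the TOTP secret from leaving the minion another way: this state fills the file from `contents_pillar`, and `file.managed` reports the new contents in its `changes`/`diff`, which end up in `salt-call` output, the master job cache and any returner or event consumer. If this Salt release supports it, add `- show_changes: False` next to `- contents_pillar: 'users:{{ name }}:google_auth:{{ svc }}'` so only the fact of the change is recorded. The state's header and `file.managed` line sit outside the hunk; `user: root` with `400` is consistent with the PAM module later reading it as root.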
+++ b/pillar.example @@ -58,6 +58,7 @@ users: options: - "StrictHostKeyChecking yes" + google_2fa: True google_auth: ssh: | SOMEGAUTHHASHVAL diff --git a/users/googleauth.sls b/users/googleauth.sls index 7342132..9e6a9ff 100644 --- a/users/googleauth.sls +++ b/users/googleauth.sls @@ -13,3 +13,19 @@ users_{{ users.googleauth_dir }}: - user: root - group: {{ users.root_group }} - mode: 600 + +{% for name, user in pillar.get('users', {}).items() if user.absent is not defined or not user.absent %} +{%- if 'google_auth' in user %} +{%- for svc in user['google_auth'] %} +{%- if user.get('google_2fa', True) %} +users_googleauth-pam-{{ svc }}-{{ name }}: + file.replace: + - name: /etc/pam.d/{{ svc }} + - pattern: "^@include common-auth" + - repl: "auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so user=root secret={{ users.googleauth_dir }}/${USER}_{{ svc }} echo_verification_code\n@include common-auth" + - unless: grep pam_google_authenticator.so /etc/pam.d/{{ svc }} + - backup: .bak +{%- endif %} +{%- endfor %} +{%- endif %} +{%- endfor %} From e0acdc9b30ba8ec49bb4a86d3f2cc07114920804 Mon Sep 17 00:00:00 2001 From: Andres Montalban Date: Sat, 4 Jul 2015 09:30:50 -0300 Subject: [PATCH 19/19] Add sudo_rules syntax examples for rules with colons --- pillar.example | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pillar.example b/pillar.example index d96ea29..500604b 100644 --- a/pillar.example +++ b/pillar.example 
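Review bot: With `[success=done new_authtok_reqd=done default=die]`, a correct verification code ends the `auth` stack successfully before the re-inserted `@include common-auth` line is reached, so for a keyboard-interactive SSH login the TOTP code replaces the password rather than being added to it; unless sshd is separately configured to demand a key as well (e.g. `AuthenticationMethods publickey,keyboard-interactive`), `google_2fa: True` is a single-factor change and the pillar key name is misleading. If the intent is a genuine second factor, use `[success=ok new_authtok_reqd=ok default=die]` (or `auth required pam_google_authenticator.so …`) so `common-auth` still runs, or document the required sshd settings beside `google_2fa` in `pillar.example`. The `^@include common-auth` pattern and the `grep` in `unless` only match Debian-style PAM stacks; on other families `file.replace` finds nothing and returns success, so a user with `google_auth` configured gets no enforcement — guard the state with `{% if grains['os_family'] == 'Debian' %}` or fail loudly. `echo_verification_code` also echoes the code on the terminal, which is usually dropped on shared consoles.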
@@ -13,6 +13,13 @@ users: manage_bashrc: False expire: 16426 sudouser: True + # sudo_rules doesn't need the username as a prefix for the rule + # this is added automatically by the formula. + # ---------------------------------------------------------------------- + # In case your sudo_rules have a colon please have in mind to not leave + # spaces around it. For example: + # ALL=(ALL) NOPASSWD: ALL <--- THIS WILL NOT WORK (Besides syntax is ok) + # ALL=(ALL) NOPASSWD:ALL <--- THIS WILL WORK sudo_rules: - ALL=(root) /usr/bin/find - ALL=(otheruser) /usr/bin/script.sh
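Review bot: The new comment gives the right workaround but the wrong reason: `- ALL=(ALL) NOPASSWD: ALL` fails because YAML parses `NOPASSWD: ALL` as a key/value pair, so the formula receives a one-key mapping (`{'ALL=(ALL) NOPASSWD': 'ALL'}`) instead of a string — sudoers itself is happy with the space. Quoting the item keeps the conventional sudoers spelling and is the more robust fix, so I would replace the two example lines with `# ALL=(ALL) NOPASSWD: ALL     <-- YAML reads this as a mapping, not a string` and `# 'ALL=(ALL) NOPASSWD: ALL'   <-- quote it (or write NOPASSWD:ALL)`. Since these examples grant passwordless root for everything, a short "syntax illustration only" remark next to them would help readers who copy the pillar verbatim.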