From fdc2fc2dfcea6dc835b27b3fd98dd615f07fee70 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 12 Feb 2015 23:09:56 +0100 Subject: [PATCH 1/2] Add 'ssh_auth_file' pillar key to generate an authorized_keys file from given ssh public keys. --- pillar.example | 4 ++++ users/init.sls | 12 ++++++++++++ 2 files changed, 16 insertions(+) diff --git a/pillar.example b/pillar.example index 9085ac2..f095548 100644 --- a/pillar.example +++ b/pillar.example @@ -28,6 +28,10 @@ users: - PUBLICKEY ssh_auth.absent: - PUBLICKEY_TO_BE_REMOVED + # Generates an authorized_keys file for the user + # with the given keys + ssh_auth_file: + - PUBLICKEY google_auth: ssh: | SOMEGAUTHHASHVAL diff --git a/users/init.sls b/users/init.sls index 41877c7..ea548d6 100644 --- a/users/init.sls +++ b/users/init.sls @@ -167,6 +167,18 @@ ssh_auth_delete_{{ name }}_{{ loop.index0 }}: {% endfor %} {% endif %} +{% if 'ssh_auth_file' in user %} +{{ home }}/.ssh/authorized_keys: + file.managed: + - user: {{ name }} + - group: {{ name }} + - mode: 600 + - contents: | + {% for auth in user.ssh_auth_file -%} + {{ auth }} + {% endfor -%} +{% endif %} + {% if 'sudouser' in user and user['sudouser'] %} sudoer-{{ name }}: From d416b6d8393593f85667a2c0ae578cb228102eb8 Mon Sep 17 00:00:00 2001 From: root Date: Fri, 13 Mar 2015 13:32:39 +0100 Subject: [PATCH 2/2] Move ssh_auth_file key processing to before ssh_auth key to extend instead of overwrite functionality. --- users/init.sls | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/users/init.sls b/users/init.sls index ea548d6..181d4a0 100644 --- a/users/init.sls +++ b/users/init.sls 
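Review bot: The new `{{ home }}/.ssh/authorized_keys` state in users/init.sls uses `file.managed` with `contents`, so it owns the whole file: any key not listed under `ssh_auth_file` is removed on every run, and an empty list leaves the user with an empty authorized_keys. The comment added in pillar.example only says the file is generated; I would make the replacement explicit, e.g. `# Replaces the whole authorized_keys file; keys not listed here are removed`. The state also has no `require` or `makedirs`, so it depends on `{{ home }}/.ssh` being created with restrictive permissions by a state outside this hunk, and `- group: {{ name }}` assumes a group named after the user exists. The second patch re-adds the same block unchanged, so these points apply there as well.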
@@ -142,6 +142,17 @@ user_{{ name }}_public_key: {% endfor %} {% endif %} +{% if 'ssh_auth_file' in user %} +{{ home }}/.ssh/authorized_keys: + file.managed: + - user: {{ name }} + - group: {{ name }} + - mode: 600 + - contents: | + {% for auth in user.ssh_auth_file -%} + {{ auth }} + {% endfor -%} +{% endif %} {% if 'ssh_auth' in user %} {% for auth in user['ssh_auth'] %} @@ -167,18 +178,6 @@ ssh_auth_delete_{{ name }}_{{ loop.index0 }}: {% endfor %} {% endif %} -{% if 'ssh_auth_file' in user %} -{{ home }}/.ssh/authorized_keys: - file.managed: - - user: {{ name }} - - group: {{ name }} - - mode: 600 - - contents: | - {% for auth in user.ssh_auth_file -%} - {{ auth }} - {% endfor -%} -{% endif %} - {% if 'sudouser' in user and user['sudouser'] %} sudoer-{{ name }}:
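Review bot: Placing the `file.managed` block before `{% if 'ssh_auth' in user %}` makes two mechanisms write the same authorized_keys file, and the order between them rests only on their position in the template. On each run the file is first reset to the `ssh_auth_file` list, and the `ssh_auth` loop (its body is outside this hunk) presumably adds its keys back. A user with both pillar keys would therefore report changes on every run, and a failure between the two steps leaves only the `ssh_auth_file` keys in place. If combining the keys is the goal, consider rendering both lists into the single `contents` block, or at least add a comment above the block such as `# Must stay before the ssh_auth states: file.managed rewrites the whole file`.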