sous-chefs / users

Development repository for the users cookbook
https://supermarket.chef.io/cookbooks/users
Apache License 2.0

managed ssh keys #368

Closed montge closed 7 years ago

montge commented 8 years ago

Cookbook version

master

Chef-client version

12.x.x

Platform Details

Redhat/CentOS 7.x (although should work in 5.x+)

Scenario:

Currently the users cookbook uses ~/.ssh/ to store ssh keys. In certain environments, there is a need to lock down so users cannot place their own ssh keys for remote access and rather require an authorized user to place them in a proper directory. Typically this is for security reasons.

One preferred location is AuthorizedKeysFile /etc/ssh/authorized_keys/%u, where %u is the userid and the file is set to 644 (and the directory set to 755). Would like to have this added as an option for Linux hosts to the standard cookbook rather than a 'custom cookbook'.

Steps to Reproduce:

Follow steps for creating user with ssh keys

Expected Result:

Select an option in the databag called "authorized_key_method" set to "centralized" (or something similar) that causes the keys to be written to /etc/ssh/authorized_keys/%u

Actual Result:

File is written to ~/.ssh/authorized_keys
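As an added illustration (not code from the users cookbook or from this issue's author), a plain Ruby sketch of the layout described above: keys come from a data bag-style hash, the proposed "authorized_key_method" key selects either the central /etc/ssh/authorized_keys/%u file (0644 in a 0755 directory) or the usual ~/.ssh/authorized_keys (0600 in a 0700 directory), and the matching sshd_config directive is rendered. The sample data bag items, the option name and the helper names are assumptions made for this example; it writes under a caller-chosen root so it can run unprivileged, and the root chown that the centralized layout needs in production is left as a comment. Two things a practitioner should check in practice: with StrictModes (the default), sshd only honours an authorized_keys file if it and every parent directory are owned by root or the user and are not group- or world-writable, which root-owned 0755/0644 satisfies; and once AuthorizedKeysFile points only at the central directory, anything in ~/.ssh/authorized_keys is no longer consulted.

```ruby
require 'fileutils'
require 'tmpdir'

# Constructed stand-in for two users data bag items. The
# "authorized_key_method" key is the option proposed in this issue and
# is NOT part of the cookbook's data bag format.
EXAMPLE_USERS = [
  { 'id' => 'alice',
    'authorized_key_method' => 'centralized',
    'ssh_keys' => ['ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@example'] },
  { 'id' => 'bob', # no authorized_key_method: falls back to ~/.ssh
    'ssh_keys' => ['ssh-rsa AAAAB3NzaC1yc2EAAAAExampleKeyBob bob@example'] }
].freeze

CENTRAL_DIR = '/etc/ssh/authorized_keys'.freeze

def centralized?(user)
  user['authorized_key_method'] == 'centralized'
end

# Absolute path of the user's authorized_keys file under either layout.
# The central path is what sshd resolves "AuthorizedKeysFile #{CENTRAL_DIR}/%u" to.
def authorized_keys_path(user, home_root: '/home', central_dir: CENTRAL_DIR)
  if centralized?(user)
    File.join(central_dir, user['id'])
  else
    File.join(home_root, user['id'], '.ssh', 'authorized_keys')
  end
end

# One key per line, blank entries dropped, trailing newline so sshd
# reads the last key.
def render_authorized_keys(keys)
  keys.map(&:strip).reject(&:empty?).join("\n") + "\n"
end

# The sshd_config line for the centralized layout. OpenSSH accepts several
# space-separated files here; keep_home appends the per-user file as well.
def sshd_directive(central_dir: CENTRAL_DIR, keep_home: false)
  files = ["#{central_dir}/%u"]
  files << '.ssh/authorized_keys' if keep_home
  "AuthorizedKeysFile #{files.join(' ')}"
end

# Write every user's file under +root+ (use '/' on a real host) and return
# {userid => path}. Centralized files are 0644 in a 0755 directory so they
# are readable by sshd (which reads them as the user) but not writable by
# the user; home files keep the conventional 0600/0700.
def write_authorized_keys(users, root: '/')
  written = {}
  users.each do |user|
    path = File.join(root, authorized_keys_path(user))
    dir = File.dirname(path)
    FileUtils.mkdir_p(dir)
    FileUtils.chmod(centralized?(user) ? 0o755 : 0o700, dir)
    File.write(path, render_authorized_keys(user['ssh_keys'] || []))
    FileUtils.chmod(centralized?(user) ? 0o644 : 0o600, path)
    # On a real host the centralized dir and file must also be root-owned
    # (FileUtils.chown('root', 'root', [dir, path])); omitted so this runs
    # without privileges.
    written[user['id']] = path
  end
  written
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    puts sshd_directive
    write_authorized_keys(EXAMPLE_USERS, root: root).each do |id, path|
      st = File.stat(path)
      puts format('%-6s %s 0%o (dir 0%o)', id, path.sub(root, ''),
                  st.mode & 0o777, File.stat(File.dirname(path)).mode & 0o777)
    end
  end
end
```

Running it prints the directive and the two files with their modes; in a cookbook the same decision would drive a directory and a file resource per user instead of FileUtils.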

nkadel-skyhook commented 7 years ago

As things stand, you'll need to write a separate cookbook to manage authorized_keys elsewhere. This is actually desirable. The current structure of needing to embed 'ssh_keys' inside a data bag does not allow role or environment based management of the keys.

tas50 commented 7 years ago

I see the use case, but I think this is outside the scope for the current setup of this cookbook. It's not that it wouldn't be desirable, but it would be a mess of code to mix the two use cases.