sous-chefs / users

Development repository for the users cookbook
https://supermarket.chef.io/cookbooks/users
Apache License 2.0

Support for custom authorized keys file #409

Closed mateuszkwiatkowski closed 6 years ago

mateuszkwiatkowski commented 6 years ago

Description

Some cloud vendors manage SSH keys in virtual machines (e.g. Google Cloud) using the ~/.ssh/authorized_keys file. Running the users cookbook in these environments breaks that neat feature. A simple workaround is to manage the ~/.ssh/authorized_keys2 file with Chef and leave ~/.ssh/authorized_keys to the vendor's default orchestration. Also, it's possible to set a custom location for the authorized keys file. This feature is documented in SSHD(8):

AuthorizedKeysFile specifies the files containing public keys for public key authentication; if this option is not specified, the default is ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2.

Issues Resolved

https://github.com/chef-cookbooks/users/issues/408

Check List
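
The workaround above only holds if the file Chef writes is one that sshd actually consults. The following is an added example (not code from the users cookbook or from this PR) that expands an `AuthorizedKeysFile` directive the way sshd_config(5) documents it: `%h` is the user's home directory, `%u` the username, `%%` a literal `%`, relative paths are resolved against the home directory, and when the directive is absent the default pair `.ssh/authorized_keys .ssh/authorized_keys2` applies. The sample config, the user `alice` and the home directory `/home/alice` are constructed for the example. `Match` blocks are deliberately ignored (the parser stops at the first one), which is a simplification, since sshd allows `AuthorizedKeysFile` inside them too.

```ruby
# Added example: resolve which authorized_keys files sshd will consult for a user,
# from an sshd_config body, so a Chef-managed file can be checked against that list.
# Not part of the users cookbook; Match blocks are ignored (simplification).

# Default when the directive is absent, per sshd_config(5).
DEFAULT_AUTHORIZED_KEYS_FILES = %w[.ssh/authorized_keys .ssh/authorized_keys2].freeze

# Return the raw entries of the first global AuthorizedKeysFile directive.
# sshd uses the first value obtained; "none" disables file-based keys entirely.
def authorized_keys_file_directive(config_text)
  config_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    break if line =~ /\AMatch\b/i # everything after a Match line is conditional; stop here
    key, rest = line.split(/\s+/, 2)
    next unless key && key.casecmp('AuthorizedKeysFile').zero?
    return [] if rest.nil? || rest.strip.casecmp('none').zero?
    return rest.strip.split(/\s+/)
  end
  DEFAULT_AUTHORIZED_KEYS_FILES
end

# Expand the %%, %h and %u tokens and anchor relative paths at the home directory.
def expand_authorized_keys_path(entry, user:, home:)
  expanded = entry.gsub(/%[%hu]/) do |tok|
    case tok
    when '%%' then '%'
    when '%h' then home
    when '%u' then user
    end
  end
  expanded.start_with?('/') ? expanded : File.join(home, expanded)
end

# Absolute paths sshd will read for this user, in the order it reads them.
def authorized_keys_paths(config_text, user:, home:)
  authorized_keys_file_directive(config_text).map do |entry|
    expand_authorized_keys_path(entry, user: user, home: home)
  end
end

# The check a practitioner wants before relying on a custom file name:
# is ~/.ssh/<chef_file> actually one of the files sshd consults?
def chef_file_consulted?(config_text, user:, home:, chef_file:)
  authorized_keys_paths(config_text, user: user, home: home)
    .include?(File.join(home, '.ssh', chef_file))
end

# Constructed sample config (not from a real host).
SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed sample sshd_config
  Port 22
  PubkeyAuthentication yes
  AuthorizedKeysFile .ssh/authorized_keys .ssh/chef_authorized_keys /etc/ssh/keys/%u
  Match User deploy
    AuthorizedKeysFile none
CONF

if __FILE__ == $PROGRAM_NAME
  paths = authorized_keys_paths(SAMPLE_SSHD_CONFIG, user: 'alice', home: '/home/alice')
  puts "sshd will consult: #{paths.join(', ')}"
  %w[chef_authorized_keys authorized_keys2].each do |name|
    ok = chef_file_consulted?(SAMPLE_SSHD_CONFIG, user: 'alice', home: '/home/alice', chef_file: name)
    puts "~/.ssh/#{name}: #{ok ? 'consulted' : 'NOT consulted'}"
  end
end
```

With the sample config, `~/.ssh/chef_authorized_keys` is consulted but `~/.ssh/authorized_keys2` is not, because an explicit `AuthorizedKeysFile` replaces the default pair rather than adding to it; that is exactly the case where managing `authorized_keys2` silently stops working.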

mateuszkwiatkowski commented 6 years ago

@majormoses Thank you for your comment. I've just removed the change on metadata.rb.

mateuszkwiatkowski commented 6 years ago

Ok, so just to be clear. What you mean is specifying an extra attribute in the users_manage resource, like:

users_manage 'GROUPNAME' do
  group_id GROUPID
  action [:create]
  data_bag 'DATABAG_NAME'
  authorized_keys_file 'chef_authorized_keys' # for ~/.ssh/chef_authorized_keys
end

Correct?

Do you prefer to specify the full path or just a filename in the ~/.ssh directory?

authorized_keys_file 'chef_authorized_keys' # for ~/.ssh/chef_authorized_keys

vs

authorized_keys_file '~/.ssh/chef_authorized_keys'

majormoses commented 6 years ago

I would opt for just the filename, if someone wants to make their authorized key in a dir other than their home dir I think that should be added then and should be its own attribute. I'd envision the whole shebang to look something like this if we want to worry about it now:

# assumes ~/.ssh/ as dir for authorized_keys
users_manage 'GROUPNAME' do
  group_id GROUPID
  action [:create]
  data_bag 'DATABAG_NAME'
  authorized_keys_file 'chef_authorized_keys' # for ~/.ssh/chef_authorized_keys
end

# specific dir for authorized_keys
users_manage 'GROUPNAME' do
  group_id GROUPID
  action [:create]
  data_bag 'DATABAG_NAME'
  authorized_keys_file 'chef_authorized_keys'
  authorized_keys_dir 'some_dir_other_than_homedir_dot_ssh'
end

Also, it looks like you are gonna need to rebase your fork to pull in some changes.

tas50 commented 6 years ago

Closing in favor of #423. That gives you the ability to define custom locations directly within the data bag, which is the appropriate location based on the behavior of this cookbook.