Corey Osman
2011-Apr-21 22:41 UTC
[Puppet Users] ssh_authorized_key fails when home directory doesn't exist
Here is my situation:

1. We use Active Directory (LDAP) to store all user info, which is retrieved from Linux.
2. A home directory is not created until the first time the user logs into the Linux system.

I am using the ssh_authorized_key type to push out my ssh keys to every system. However, because I haven't logged into every system at least once, Puppet errors out due to a missing home directory when trying to create the authorized_keys file. The simple remedy is to log in to the box and have the home directory created (su - username). However, I would like the ssh_authorized_key type to not fail but just give a notice ("home directory does not exist, skipping"), so that the reports don't show misleading errors.

    ssh_authorized_key { "billys key":
      ensure => present,
      key    => 'billys sshkey',
      name   => "super duper key",
      type   => 'ssh-rsa',
      user   => "billy",
      onlyif => "test -d /home/${user}",
    }

I am assuming that I can refer to the user with ${user} and that onlyif is a valid parameter.

Is this possible?

Corey

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jeff McCune
2011-Apr-21 23:00 UTC
Re: [Puppet Users] ssh_authorized_key fails when home directory doesn't exist
On Thu, Apr 21, 2011 at 3:41 PM, Corey Osman <corey@logicminds.biz> wrote:
> Here is my situation:
>
> 1. We use Active Directory (LDAP) to store all user info, which is retrieved from Linux.
> 2. A home directory is not created until the first time the user logs into the Linux system.
>
> I am using the ssh_authorized_key type to push out my ssh keys to every system. However, because I haven't logged into every system at least once, Puppet errors out due to a missing home directory when trying to create the authorized_keys file. The simple remedy is to log in to the box and have the home directory created (su - username). However, I would like the ssh_authorized_key type to not fail but just give a notice ("home directory does not exist, skipping"), so that the reports don't show misleading errors.
>
>     ssh_authorized_key { "billys key":
>       ensure => present,
>       key    => 'billys sshkey',
>       name   => "super duper key",
>       type   => 'ssh-rsa',
>       user   => "billy",
>       onlyif => "test -d /home/${user}",
>     }
>
> I am assuming that I can refer to the user with ${user} and that onlyif is a valid parameter.
>
> Is this possible?

Wouldn't it be better to make sure the home directory does exist, as well as the ~/.ssh directory?

This is often accomplished by creating a defined resource type to contain all of the resources you need to manage to give you access to the system.

--
Jeff McCune
Professional Services, Puppet Labs
@0xEFF
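Jeff's suggestion written out as an added Puppet example (not code from the thread): a defined type in a hypothetical module `access` that manages the home directory, ~/.ssh and the key together, assuming the account resolves through NSS (LDAP/AD) on the node so `owner` can be the username and no numeric UID is needed. Marcello's reply later in the thread explains why letting Puppet pre-create the home directory may not suit every environment.

```puppet
# Added example, not code from the thread: a defined type along the lines Jeff
# describes, bundling the home directory, ~/.ssh and the key for one account.
# Assumes the account resolves through NSS (LDAP/AD) on the node, so `owner`
# can be the username and no numeric UID is needed; the key is a constructed
# placeholder and the module name `access` is hypothetical.
define access::ssh_user (
  $key,                        # base64 key body only, no type prefix or comment
  $key_type = 'ssh-rsa',
  $home     = "/home/${name}", # $name is the resource title, i.e. the username
) {
  # 0700 on both directories: only the account itself can read its keys.
  file { $home:
    ensure => directory,
    owner  => $name,
    mode   => '0700',
  }

  file { "${home}/.ssh":
    ensure  => directory,
    owner   => $name,
    mode    => '0700',
    require => File[$home],
  }

  # authorized_keys is only written once ~/.ssh exists, so the "missing home
  # directory" failure from the original post cannot occur.
  ssh_authorized_key { "${name}@puppet-managed":
    ensure  => present,
    user    => $name,
    type    => $key_type,
    key     => $key,
    require => File["${home}/.ssh"],
  }
}

# Usage with a constructed placeholder key body:
access::ssh_user { 'billy':
  key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC...PLACEHOLDER...',
}
```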
Marcello de Sousa
2011-Apr-22 00:10 UTC
Re: [Puppet Users] ssh_authorized_key fails when home directory doesn't exist
I have the same issue (using Likewise Open) and even remember discussing this briefly with Jeff (Puppetcamp in Belgium). I still could not find a perfect solution.

Likewise Open takes care of the .k5login Kerberos file when creating the homedir. If the folder already exists because Puppet created it, LWopen won't do anything and you won't be able to log in using SSO. There could be more reasons to let LWopen create the folder, but this is one I can remember now...

Two approaches I've seen in the past were:

Option 1 - Deploy all public keys to a directory and deploy a script that runs regularly to place the keys in the home dir .ssh folder when they are created (works but ugly).

Option 2 - Change the sshd_config file to use a centralized alternative path for the users' "AuthorizedKeysFile", such as the "/etc/ssh/keys/%u" folder. I believe this is the best choice but unfortunately, when I tested this I discovered that RH/CentOS stock sshd was not working with this option. YMMV.

Cheers,
Marcello

On Fri, Apr 22, 2011 at 1:00 AM, Jeff McCune <jeff@puppetlabs.com> wrote:
> Wouldn't it be better to make sure the home directory does exist, as
> well as the ~/.ssh directory?
>
> This is often accomplished by creating a defined resource type to
> contain all of the resources you need to manage to give you access to
> the system.
>
> --
> Jeff McCune
> Professional Services, Puppet Labs
> @0xEFF
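Marcello's Option 2 expressed in Puppet, as an added example that is not code from the thread: sshd reads each user's keys from a root-owned directory instead of ~/.ssh, so a key can be deployed before the home directory exists and the user cannot edit their own authorized keys. It assumes puppetlabs-stdlib for `file_line`, an RHEL-style service name `sshd` (Debian uses `ssh`), and a constructed placeholder key.

```puppet
# Added example, not code from the thread: Marcello's Option 2 in Puppet.
# sshd reads keys from a root-owned directory instead of ~/.ssh, so a key can
# be deployed before the home directory exists and users cannot edit their
# own authorized keys. Assumes puppetlabs-stdlib (file_line), the RHEL service
# name 'sshd' (Debian: 'ssh'), and a constructed placeholder key.
class ssh::central_keys {
  # Root-owned and world-readable: sshd runs as root and reads it; users can
  # list and read the files but not change them.
  file { '/etc/ssh/keys':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # %u is expanded by sshd to the name of the user being authenticated.
  # The match pattern also replaces a commented-out default line.
  file_line { 'sshd AuthorizedKeysFile':
    path   => '/etc/ssh/sshd_config',
    line   => 'AuthorizedKeysFile /etc/ssh/keys/%u',
    match  => '^#?AuthorizedKeysFile[[:space:]]',
    notify => Service['sshd'],
  }

  service { 'sshd':
    ensure => running,
    enable => true,
  }
}

# One key file per user. Nothing here depends on /home/<user>, so the resource
# applies cleanly on hosts the user has never logged in to.
define ssh::central_key (
  $key,   # one "type base64 comment" line, or several joined with newlines
) {
  file { "/etc/ssh/keys/${name}":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "${key}\n",
    require => File['/etc/ssh/keys'],
  }
}

include ssh::central_keys

# Usage with a constructed placeholder key:
ssh::central_key { 'billy':
  key => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...PLACEHOLDER... billys key',
}
```

Marcello reports that the stock RH/CentOS sshd of the time did not honour this setting for him, so verify the directive with `sshd -T` (or a test login) on each platform before relying on it.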
Marcello de Sousa
2011-Apr-22 00:19 UTC
Re: [Puppet Users] ssh_authorized_key fails when home directory doesn't exist
Btw, you can probably let Puppet manage the .k5login as well... It's just an extra small hassle.

On Fri, Apr 22, 2011 at 2:10 AM, Marcello de Sousa <lists@area151.com> wrote:
> I have the same issue (using Likewise Open) and even remember
> discussing this briefly with Jeff (Puppetcamp in Belgium). I still
> could not find a perfect solution.
>
> Likewise Open takes care of the .k5login Kerberos file when creating the
> homedir. If the folder already exists because Puppet created it,
> LWopen won't do anything and you won't be able to log in using SSO.
> There could be more reasons to let LWopen create the folder, but this
> is one I can remember now...
>
> Two approaches I've seen in the past were:
>
> Option 1 - Deploy all public keys to a directory and deploy a script
> that runs regularly to place the keys in the home dir .ssh folder when
> they are created (works but ugly).
>
> Option 2 - Change the sshd_config file to use a centralized
> alternative path for the users' "AuthorizedKeysFile", such as the
> "/etc/ssh/keys/%u" folder. I believe this is the best choice but
> unfortunately, when I tested this I discovered that RH/CentOS stock
> sshd was not working with this option. YMMV.
>
> Cheers,
> Marcello
Corey Osman
2011-Apr-22 17:50 UTC
[Puppet Users] Re: ssh_authorized_key fails when home directory doesn't exist
Yes, but if I am understanding you correctly, I can't just let Puppet own the required resources. The directories are created automatically via PAM config upon initial login. I can't define a user type or a file type as I don't know the UID.

    ssh_authorized_key { "billys key":
      ensure => present,
      key    => 'billys sshkey',
      name   => "super duper key",
      type   => 'ssh-rsa',
      user   => "billy",
      onlyif => "test -d /home/${user}",
    }

I am assuming that I can refer to the user with ${user} and that onlyif is a valid parameter.

Does every defined type have an onlyif parameter built in?

On Apr 21, 4:00 pm, Jeff McCune <j...@puppetlabs.com> wrote:
> Wouldn't it be better to make sure the home directory does exist, as
> well as the ~/.ssh directory?
>
> This is often accomplished by creating a defined resource type to
> contain all of the resources you need to manage to give you access to
> the system.
>
> --
> Jeff McCune
> Professional Services, Puppet Labs
> @0xEFF
Corey Osman
2011-Apr-22 18:30 UTC
[Puppet Users] Re: ssh_authorized_key fails when home directory doesn't exist
For anybody interested, I found a feature request already created. Please vote on it and make it visible for Puppet Labs to include in the next release.

http://projects.puppetlabs.com/issues/651

On Apr 22, 10:50 am, Corey Osman <co...@logicminds.biz> wrote:
> Yes, but if I am understanding you correctly, I can't just let Puppet
> own the required resources. The directories are created automatically
> via PAM config upon initial login. I can't define a user type or a
> file type as I don't know the UID.
>
>     ssh_authorized_key { "billys key":
>       ensure => present,
>       key    => 'billys sshkey',
>       name   => "super duper key",
>       type   => 'ssh-rsa',
>       user   => "billy",
>       onlyif => "test -d /home/${user}",
>     }
>
> I am assuming that I can refer to the user with ${user} and that
> onlyif is a valid parameter.
>
> Does every defined type have an onlyif parameter built in?
Felix Frank
2011-Apr-27 14:01 UTC
Re: [Puppet Users] Re: ssh_authorized_key fails when home directory doesn't exist
Hi,

On 04/22/2011 07:50 PM, Corey Osman wrote:
> Yes, but if I am understanding you correctly, I can't just let Puppet
> own the required resources. The directories are created automatically
> via PAM config upon initial login. I can't define a user type or a
> file type as I don't know the UID.

Tricky. Am I right to assume that you don't have half a mind to push your LDAP user maps to all your Linux boxes as duplicates using Puppet?

>     ssh_authorized_key { "billys key":
>       ensure => present,
>       key    => 'billys sshkey',
>       name   => "super duper key",
>       type   => 'ssh-rsa',
>       user   => "billy",
>       onlyif => "test -d /home/${user}",
>     }
>
> I am assuming that I can refer to the user with ${user} and that
> onlyif is a valid parameter.

$user does, in fact, not work. I don't see why you'd want it here though: "billy" is hardcoded, no need to make the "onlyif" condition generic.

> Does every defined type have an onlyif parameter built in?

That would indeed be of great help here.

A fugly workaround for the time being: just let the keys fail. Set their "loglevel" param to "debug" so your logs don't get cluttered by tons of failed key resources. Of course, you won't notice actual actions anymore, either. But this may be of minor concern in this scenario.

HTH,
Felix