body common control
{
  # The standard library supplies the mo() and remote_dcp() bodies used by the
  # bundles below; userexists() and getuid() are built-in functions.
  inputs => { "$(sys.libdir)/stdlib.cf" };

  # Only the autorun wrapper is sequenced; ssh_key_distribution is reached
  # through it. NOTE(review): the server access rule in this file refers to
  # @(def.acl), which these inputs do not define — presumably provided by the
  # surrounding masterfiles (def.cf); confirm before running this policy on
  # its own.
  bundlesequence => { "autorun_ssh_key_distribution" };
}
bundle common ssh_key_info
{
  meta:
    "description"
      string => "This bundle defines common ssh key information, like which
                 directory and server keys should be sourced from.";

  vars:
    # Directory on the key server that holds one complete authorized_keys
    # file per user, named after the user (e.g. /srv/ssh_authorized_keys/kelly).
    # It lives in a common bundle so the server access rule and the agent's
    # copy promise point at exactly the same path.
    "repo_path"
      string => "/srv/ssh_authorized_keys";

    # Host the authorized_keys files are fetched from: the policy hub.
    "key_server"
      string => "$(sys.policy_hub)";
}
bundle agent autorun_ssh_key_distribution
{
  meta:
    # The "autorun" tag lets the services_autorun feature pick this bundle
    # up without it being named in a bundlesequence.
    "tags"
      slist => { "autorun" };

  vars:
    # Users whose ~/.ssh/authorized_keys is centrally managed.
    "users"
      slist => { "bob", "frank", "kelly" };

  methods:
    # The promise iterates over $(users); the `if` guard is expanded per
    # iteration, so a host that lacks one of the accounts skips only that user.
    "Distribute SSH Keys"
      if => userexists( $(users) ),
      usebundle => ssh_key_distribution( $(users) ),
      comment => "It's important that we make sure each of these users
                  ssh_authorized_keys file has the correct content and
                  permissions so that they can successfully log in, if
                  the user exists on the executing agents host.";
}
43
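bundle agent ssh_key_distribution(users)
# @brief Install each user's centrally managed authorized_keys file with
#        restrictive ownership and permissions.
# @param users list of user names; each one is processed independently
{
  meta:
    "description"
      string => "Ensure that specified users are able to log in using their ssh
                 keys";
  vars:
    # The uid is used to hand ownership of ~/.ssh and authorized_keys to the
    # user. Guarded so that a user absent on this host does not make getuid()
    # fail and leave $(uid[...]) unexpanded for the promises below.
    "uid[$(users)]"
      int => getuid( $(users) ),
      if => userexists( $(users) );

  files:
    # Each file promise carries its own userexists() guard so this bundle is
    # safe to call without the caller filtering the list first: without it,
    # `create` would likely still make /home/<user>/.ssh for a non-existent
    # account and the perms promise would fail on the unexpanded owner.
    # NOTE(review): the home directory is assumed to be /home/<user>; accounts
    # with a different home are not covered — confirm this matches the hosts.
    "/home/$(users)/.ssh/."
      create => "true",
      perms => mo( 700, "$(uid[$(users)])" ),
      if => userexists( $(users) ),
      comment => "It is important to set the proper restrictive permissions and
                  ownership so that the ssh authorized_keys feature works
                  correctly.";

    # The whole file is sourced from $(repo_path)/<user> on the key server;
    # mode 600 and user ownership keep sshd's strict-mode checks satisfied.
    # NOTE(review): if the source file is missing on the hub the copy is
    # presumably not made and any existing local keys remain — verify that
    # removing a user's file on the hub has the intended effect.
    "/home/$(users)/.ssh/authorized_keys"
      perms => mo( 600, "$(uid[$(users)])" ),
      copy_from => remote_dcp( "$(ssh_key_info.repo_path)/$(users)",
                               $(ssh_key_info.key_server) ),
      if => userexists( $(users) ),
      comment => "We centrally manage and users authorized keys. We source each
                  users complete authorized_keys file from the central server.";
}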
bundle server ssh_key_access_rules
{
  meta:
    "description"
      string => "This bundle handles sharing the directory where ssh keys
                 are distributed from.";

  access:
    # Only the policy hub (class policy_server) serves the repository.
    # Hosts matching def.acl are admitted to the whole directory, i.e. to
    # every user's authorized_keys file, not just their own. These are public
    # keys, but the set of managed usernames is visible to every admitted host.
    policy_server::
      "$(ssh_key_info.repo_path)"
        comment => "We share the ssh authorized keys with all authorized
                    hosts.",
        admit => { @(def.acl) };
}