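body common control
{
      bundlesequence => { "autorun_ssh_key_distribution" };
      inputs => { "$(sys.libdir)/stdlib.cf" };
}

bundle common ssh_key_info
# @brief Shared settings for ssh key distribution: the server keys are pulled
# from and the directory on that server that holds them.
{
  meta:
      "description"
        string => "This bundle defines common ssh key information, like which
                   directory and server keys should be sourced from.";

  vars:
      # Keys are always pulled from the policy hub, which is also the only host
      # that grants the matching access rule (see ssh_key_access_rules).
      "key_server" string => "$(sys.policy_hub)";

      # We set the path to the repo in a common bundle so that we can reference
      # the same path when defining access rules and when copying files.
      # This directory is expected to contain one file for each users authorized
      # keys, named for the username. For example: /srv/ssh_authorized_keys/kelly
      # Anyone who can write to this directory on the hub can grant ssh access
      # on every managed host, so its write permissions are the real trust
      # boundary of this policy.
      "repo_path" string => "/srv/ssh_authorized_keys";
}

bundle agent autorun_ssh_key_distribution
# @brief Entry point picked up by services_autorun; distributes keys for a
# fixed list of users that exist on the executing host.
{
  meta:
      # Here we simply tag the bundle for use with the `services_autorun`
      # feature.
      "tags" slist => { "autorun" };

  vars:
      # Example list; a user is only acted upon if it exists on this host.
      "users" slist => { "bob", "frank", "kelly" };

  methods:
      # Both $(users) references iterate together, so each user is checked
      # with userexists() before the bundle is called for that user.
      "Distribute SSH Keys"
        usebundle => ssh_key_distribution( $(users) ),
        if => userexists( $(users) ),
        comment => "It's important that we make sure each of these users
                    ssh_authorized_keys file has the correct content and
                    permissions so that they can successfully log in, if
                    the user exists on the executing agents host.";
}

bundle agent ssh_key_distribution(users)
# @brief Ensure each user in `users` has a correctly owned and permissioned
# ~/.ssh/authorized_keys whose content comes from the central repository.
# @param users User name (or list of user names, iterated per element)
#
# Every promise is guarded with userexists() so the bundle is also safe to
# call directly, not only through autorun_ssh_key_distribution.
{
  meta:
      "description"
        string => "Ensure that specified users are able to log in using their ssh
                   keys";

  vars:
      # We get the users UID so that we can set permission appropriately.
      # Guarded so getuid() is never asked about a user this host lacks.
      "uid[$(users)]"
        int => getuid( $(users) ),
        if => userexists( $(users) );

  files:
      # The home directory is assumed to be /home/<user>; this policy does not
      # check the home directory itself. sshd (StrictModes) also refuses the
      # key file when the home directory is group- or world-writable.
      "/home/$(users)/.ssh/."
        create => "true",
        perms => mo( 700, "$(uid[$(users)])" ),
        if => userexists( $(users) ),
        comment => "It is important to set the proper restrictive permissions and
                    ownership so that the ssh authorized_keys feature works
                    correctly.";

      # secure_cp (stdlib) copies over an encrypted channel and verifies the
      # transferred file, which matters for a file that grants login access.
      "/home/$(users)/.ssh/authorized_keys"
        perms => mo( 600, "$(uid[$(users)])" ),
        copy_from => secure_cp( "$(ssh_key_info.repo_path)/$(users)",
                                $(ssh_key_info.key_server) ),
        if => userexists( $(users) ),
        comment => "We centrally manage and users authorized keys. We source each
                    users complete authorized_keys file from the central server.";
}


bundle server ssh_key_access_rules
# @brief Hub-side access rule exposing the key repository to authorized hosts.
{
  meta:
      "description"
        string => "This bundle handles sharing the directory where ssh keys
                   are distributed from.";

  access:
      # Only hosts with class `policy_server` should share the path to ssh
      # authorized_keys. Every host in def.acl can read every user's key file;
      # these are public keys, so the exposure is limited, but the rule should
      # not be widened beyond the hosts that need to fetch keys.
    policy_server::
      "$(ssh_key_info.repo_path)"
        admit => { @(def.acl) },
        comment => "We share the ssh authorized keys with all authorized
                    hosts.";
}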