Added support to manage ssh certificates

47211d06 · Carlos Perelló Marín · 6e418aa9 · 47211d06 · 47211d06 · 47211d06
Commit 47211d06 authored 11 years ago by Carlos Perelló Marín
--- a/LICENSE
+++ b/LICENSE
-   Copyright (c) 2013 Salt Stack Formulas
+   Copyright (c) 2013-2014 Salt Stack Formulas
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.

--- a/README.rst
+++ b/README.rst
@@ -18,20 +18,26 @@ Available states
 Installs the ``openssh`` server package and service.
-``openssh.config``
+``openssh.auth``
+-----------
+Manages SSH certificates for users.
+``openssh.banner``
 ------------------
-Installs the ssh daemon configuration file included in this formula
+Installs a banner that users see when SSH-ing in.
-(under "openssh/files"). This configuration file is populated
-by values from pillar. ``pillar.example`` results in the generation
-of the default ``sshd_config`` file on Debian Wheezy.
 ``openssh.client``
 ------------------
 Installs the openssh client package.
-``openssh.banner``
+``openssh.config``
 ------------------
-Installs a banner that users see when SSH-ing in.
+Installs the ssh daemon configuration file included in this formula
+(under "openssh/files"). This configuration file is populated
+by values from pillar. ``pillar.example`` results in the generation
+of the default ``sshd_config`` file on Debian Wheezy.
--- a/openssh/auth.sls
+++ b/openssh/auth.sls
+include:
+  - openssh
+{% from "openssh/map.jinja" import openssh with context %}
+{% set openssh_pillar = pillar.get('openssh', {}) %}
+{% set auth = openssh_pillar.get('auth', {}) %}
+{% for user,keys in auth.items() -%}
+  {% for key in keys -%}
+    {% if 'present' in key and key['present'] %}
+{{ key['name'] }}:
+  ssh_auth.present:
+    - user: {{ user }}
+      {% if 'source' in key %}
+    - source: {{ key['source'] }}
+      {% else %}
+        {% if 'enc' in key %}
+    - enc: {{ key['enc'] }}
+        {% endif %}
+        {% if 'comment' in key %}
+    - comment: {{ key['comment'] }}
+        {% endif %}
+        {% if 'options' in key %}
+    - options: {{ key['options'] }}
+        {% endif %}
+      {% endif %}
+    - require:
+      - service: {{ openssh.service }}
+    {% else %}
+{{ key['name'] }}:
+  ssh_auth.absent:
+    - user: {{ user }}
+      {% if 'enc' in key %}
+    - enc: {{ key['enc'] }}
+      {% endif %}
+      {% if 'comment' in key %}
+    - comment: {{ key['comment'] }}
+      {% endif %}
+      {% if 'options' in key %}
+    - options: {{ key['options'] }}
+      {% endif %}
+    {% endif %}
+  {% endfor %}
+{% endfor %}
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
-{% set sshd_config = pillar.get('sshd_config', {}) %}
+{% set openssh_pillar = pillar.get('openssh', {}) %}
+{% set sshd_config = openssh_pillar.get('sshd_config', {}) %}
 # This file is managed by salt. Manual changes risk being overwritten.
 # The contents of the original sshd_config are kept on the bottom for

--- a/pillar.example
+++ b/pillar.example
+openssh:
  sshd_config:
    Port: 22
    Protocol: 2
@@ -28,3 +29,15 @@ sshd_config:
    AcceptEnv: "LANG LC_*"
    Subsystem: "sftp /usr/lib/openssh/sftp-server"
    UsePAM: yes
+  auth:
+    joe:
+      - name: JOE_VALID_SSH_PUBLIC_KEY
+        present: True
+        enc: ssh-rsa
+        comment: main key
+      - name: JOE_NON_VALID_SSH_PUBLIC_KEY
+        present: False
+        enc: ssh-rsa
+        comment: obsolete key - removed