
User story #4441 » metadata.xml

Alex Tkachenko, 2014-02-05 02:40

 

<!--
  Rudder technique metadata: "SSH keys removal".
  Declares the form inputs, the bundle (rudder_disable_ssh_keys) and the
  template (sshKeyDisable) used to make sure the listed SSH keys are absent
  from a user's key file. The removal logic itself lives in the template,
  which is not part of this file; notes below about its behaviour are hedged.
-->
<TECHNIQUE name="SSH keys removal">
  <DESCRIPTION>This technique will check if the specified SSH keys are NOT present in the user's configuration.
It could be used to remove deprecated keys or the personal keys of retired users from the configuration.
</DESCRIPTION>

  <!-- Platforms and agent version the author declares support for. -->
  <COMPATIBLE>
    <OS version=">= 4 (Etch)">Debian</OS>
    <OS version=">= 4 (Nahant)">RHEL / CentOS</OS>
    <OS version=">= 10 SP1 (Agama Lizard)">SuSE LES / DES / OpenSuSE</OS>
    <AGENT version=">= 3.5.3">cfengine-community</AGENT>
  </COMPATIBLE>

  <!-- More than one directive built from this technique may target the same node. -->
  <MULTIINSTANCE>true</MULTIINSTANCE>

  <!-- Agent bundle invoked for this technique. -->
  <BUNDLES>
    <NAME>rudder_disable_ssh_keys</NAME>
  </BUNDLES>

  <!-- Template file expanded with the variables declared under SECTIONS. -->
  <TMLS>
    <TML name="sshKeyDisable"/>
  </TMLS>

  <!--
    Directive tracking: the tracking variable carries as many values as
    SSH_DISABLE_KEY_TAG, i.e. one per key entry declared below.
  -->
  <TRACKINGVARIABLE>
    <SAMESIZEAS>SSH_DISABLE_KEY_TAG</SAMESIZEAS>
  </TRACKINGVARIABLE>

  <SECTIONS>

    <!-- Settings shared by every key entry of the directive. -->
    <SECTION name="Global Settings">
      <!--
        File name, inside the user's SSH configuration, that holds the
        authorised keys. Single-valued and mandatory; defaults to
        authorized_keys.
        NOTE(review): the only constraint is "non-empty string". If the
        template joins this value to a directory path, confirm there that a
        value containing a path separator or a parent-directory component
        cannot make the agent edit a file outside the intended SSH
        directory.
      -->
      <INPUT>
        <NAME>SSH_DISABLE_KEY_CONFIG_BASENAME</NAME>
        <DESCRIPTION>Basename of configuration file holding keys enabled for the user</DESCRIPTION>
        <CONSTRAINT>
          <MAYBEEMPTY>false</MAYBEEMPTY>
          <TYPE>string</TYPE>
          <DEFAULT>authorized_keys</DEFAULT>
        </CONSTRAINT>
        <UNIQUEVARIABLE>true</UNIQUEVARIABLE>
      </INPUT>
    </SECTION>

    <!--
      Repeatable section: one occurrence per key to remove. It is a reporting
      component, and each occurrence is identified in reports by its
      SSH_DISABLE_KEY_TAG value.
    -->
    <SECTION name="SSH key"
             multivalued="true"
             component="true"
             componentKey="SSH_DISABLE_KEY_TAG">

      <!-- Human-readable label for the entry; mandatory, used as the report key. -->
      <INPUT>
        <NAME>SSH_DISABLE_KEY_TAG</NAME>
        <DESCRIPTION>Enter a tag to track this key in reports, i.e. "Legacy Key #1" or "Retired User Key"</DESCRIPTION>
        <CONSTRAINT>
          <MAYBEEMPTY>false</MAYBEEMPTY>
          <TYPE>string</TYPE>
        </CONSTRAINT>
      </INPUT>

      <!--
        Account whose key file is edited.
        NOTE(review): unlike the two inputs above, MAYBEEMPTY is not stated
        here. Confirm the default makes the field mandatory, so an entry
        cannot be saved without a target account.
      -->
      <INPUT>
        <NAME>SSH_DISABLE_KEY_USERNAME</NAME>
        <DESCRIPTION>Which user do you want to remove the key from</DESCRIPTION>
        <CONSTRAINT>
          <TYPE>string</TYPE>
        </CONSTRAINT>
      </INPUT>

      <!--
        The key to remove, entered as free text in a textarea.
        NOTE(review): MAYBEEMPTY is not stated here either. How this text is
        compared with the lines of the key file (whole line, or key material
        only, with or without options and trailing comment) is decided by the
        template. Verify that a key which is still present because the text
        did not match is reported differently from a key that is absent;
        otherwise a retired user's key could remain while the report reads
        as compliant.
      -->
      <INPUT>
        <NAME>SSH_DISABLE_KEY_KEYSPEC</NAME>
        <DESCRIPTION>Which key do you want to remove</DESCRIPTION>
        <CONSTRAINT>
          <TYPE>textarea</TYPE>
        </CONSTRAINT>
      </INPUT>
    </SECTION>

  </SECTIONS>

</TECHNIQUE>