|
#####################################################################################
|
|
# Copyright 2011 Normation SAS
|
|
#####################################################################################
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, Version 3.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
#####################################################################################
|
|
|
|
# Copyright (C) Normation
|
|
|
|
bundle agent check_ssh_key_distribution
|
|
{
|
|
|
|
vars:
|
|
|
|
any::
|
|
|
|
"technique_name" string => "sshKeyDistribution";
|
|
"component_name" string => "SSH key";
|
|
|
|
"config_basename" string => "authorized_keys";
|
|
|
|
"sshkey_distribution_tag[1]" string => "rudderc5 key";
|
|
"sshkey_distribution_tag[2]" string => "rudderc5 key";
|
|
"sshkey_distribution_tag[3]" string => "Flo key egal";
|
|
"sshkey_distribution_tag[4]" string => "Flo key Eden";
|
|
|
|
"sshkey_distribution_name[1]" string => "admpaulo";
|
|
"sshkey_distribution_name[2]" string => "admflo";
|
|
"sshkey_distribution_name[3]" string => "floh";
|
|
"sshkey_distribution_name[4]" string => "floh";
|
|
|
|
"sshkey_distribution_key[1]" string => "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD2JSpRHgFp5zGllj/0WTzgQDW4CrjQPctKq1zftZRtnQkabRSo1pGXSUlSZW5CPBfuZ1Uqe9lp2c5A6Z+ro6eYdxhVqYYQOuiVAzsmv52/5zKrW9G6W7G30j4VS75c4S45kMd09I37Efz8zJSMhWTTN/LCqCAUWabCj3tPRYy+MA8MH4Um1+Hmb82O3r0LZz/yvh2ugXCM9sgUMkUGBH9+k5e9sVov3gZldLt09wWK/3YZivqdltYwktavgGLpN48FnmkLSzBKJn889FOBwZWe20D2rb7eOo41ZLRe0X9pyU3fru6C0fWcO8yi6zLgToKGB1pDK0PuXckleymyUDA/ root@rudderc5";
|
|
"sshkey_distribution_key[2]" string => "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRgz5Yq/muFPHkRhVWvzgQ9v63gl2nPZM6TrySr6UrT+sDKB087T7squj9B866hGbba1Zx74VbeMrzISPh6/c4fZ3Cn3UVD28D6IEGxayT3CigWGZaK3HRcErOZmmNDUpjLNfoJxCBHcCC7aGkMFVyH4ouqsTeKqAbcZHAHLZSKnAW+1pfIDQ2cQa836907JIeblVzmLhm8o+/BJ844ACoHO8cvgfMjqzb0GL5LQA2b9PzdbZ2hR+ueRVLn1kdpRkK/Gh5laphAsJPsATGlcf+Hd+iwHozB50U3wqZ/5EVUynHSwEfD6aNPjjBFpKIKHFTAsis1IdfGS7xUJp73UfR root@rudderc5";
|
|
"sshkey_distribution_key[3]" string => "ssh-dss AAAAB3NzaC1kc3MAAACBAO8Qw6QEljvd3pe6HfemauQxPSfUkgkGTmTtWq6Q26q7z5QIr84b82ns5sPUJHZKHdEGYAwE7XcX2kM8yN38rGXYbHTYwEa1f5oPZDIobpQfphsknMfnpkJodVvFn6wXO33EIRHHf0aLGt4M96NOma5NsAAxJ/dGX7MEmfYDx0nHAAAAFQCydbjvKXLLW+0eDNB7o/wWmCBQgwAAAIA1Kr9CllpsTcdDNcdT1S9WMy7vdYZF/BF3x87C/CMq5P8b4J5HYYWMIEnLrlARxcxlGuxBomIAKsDuGoIEqtdX+Fn/LflmUwgDRPm+OWhhWi9Inz9NWlHTPAEoLonKVr2lzh+ZHq7CkZ1glAAHDyECLqSbfz0TKfJdAObuSHmi7gAAAIBD2X+L+MUF8pfudtVTHCrQBcFQJRIzYhVeWSd8WlDWvQynm05+6ttT8GkJRKJkOV38A2DwqcsvKGA+WvJk2NrqsEyfhGs6HSl1mc2pLGCgWd6SLfLwt1t7mhOR8ZgBWz5z0FqOllnPT0nUK159upBJQiuQqLAJUAOfnVu+z76z1w== floh@egal";
|
|
"sshkey_distribution_key[4]" string => "ssh-rsa XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXf floh@home.local";
|
|
|
|
"sshkey_distribution_edit_type[1]" string => "true";
|
|
"sshkey_distribution_edit_type[2]" string => "false";
|
|
"sshkey_distribution_edit_type[3]" string => "false";
|
|
"sshkey_distribution_edit_type[4]" string => "false";
|
|
|
|
"sshkey_distribution_uuid[1]" string => "7b5e11f3-0836-45b4-9c2e-bf9b92a0c228@@2f4296e8-b356-4fa8-b140-1aea42e1a219@@15";
|
|
"sshkey_distribution_uuid[2]" string => "7b5e11f3-0836-45b4-9c2e-bf9b92a0c228@@2f4296e8-b356-4fa8-b140-1aea42e1a219@@15";
|
|
"sshkey_distribution_uuid[3]" string => "0cd4eae8-9b6b-44db-b5c7-cbb50fa4a814@@38751969-b949-4769-9987-66fdb15c7728@@25";
|
|
"sshkey_distribution_uuid[4]" string => "0cd4eae8-9b6b-44db-b5c7-cbb50fa4a814@@38751969-b949-4769-9987-66fdb15c7728@@25";
|
|
|
|
"sshkey_distribution_index"
|
|
slist => getindices("sshkey_distribution_name");
|
|
|
|
"no_${sshkey_distribution_index}"
|
|
int => parsestringarray("userarray_${sshkey_distribution_index}", "${userdata_${sshkey_distribution_index}}", "", ":", "1000", "200000" );
|
|
|
|
"key_class_prefix[${sshkey_distribution_index}]"
|
|
string => canonify("${sshkey_distribution_tag[${sshkey_distribution_index}]}_${sshkey_distribution_uuid[${sshkey_distribution_index}]}");
|
|
|
|
"homedir[${sshkey_distribution_index}]"
|
|
string => "${userarray_${sshkey_distribution_index}[${sshkey_distribution_name[${sshkey_distribution_index}]}][5]}";
|
|
|
|
# Only Linuxes (not Slackware), Solaris and FreeBSD support PAM/getent
|
|
(linux.!slackware)|solaris|freebsd::
|
|
|
|
"userdata_${sshkey_distribution_index}"
|
|
string => execresult("/usr/bin/getent passwd ${sshkey_distribution_name[${sshkey_distribution_index}]}", "noshell");
|
|
|
|
# On systems without PAM, directly read entries from /etc/passwd instead (compatibility)
|
|
!((linux.!slackware)|solaris|freebsd)::
|
|
|
|
"userdata_${sshkey_distribution_index}"
|
|
string => execresult("/usr/bin/grep ^${sshkey_distribution_name[${sshkey_distribution_index}]}: /etc/passwd", "noshell");
|
|
|
|
!SuSE::
|
|
"gid[${sshkey_distribution_index}]"
|
|
string => "${userarray_${sshkey_distribution_index}[${sshkey_distribution_name[${sshkey_distribution_index}]}][3]}";
|
|
|
|
SuSE::
|
|
"gid[${sshkey_distribution_index}]"
|
|
string => "users";
|
|
|
|
classes:
|
|
|
|
"begin_evaluation" expression => isvariable("sshkey_distribution_index");
|
|
|
|
begin_evaluation::
|
|
|
|
"user_${sshkey_distribution_index}_exists" expression => userexists("${sshkey_distribution_name[${sshkey_distribution_index}]}");
|
|
|
|
files:
|
|
|
|
!windows::
|
|
|
|
"${homedir[${sshkey_distribution_index}]}/.ssh/."
|
|
create => "true",
|
|
ifvarclass => canonify("user_${sshkey_distribution_index}_exists"),
|
|
perms => mog("700", "${sshkey_distribution_name[${sshkey_distribution_index}]}", "${gid[${sshkey_distribution_index}]}");
|
|
|
|
"${homedir[${sshkey_distribution_index}]}/.ssh/${config_basename}"
|
|
create => "true",
|
|
edit_defaults => rudder_empty_select("${sshkey_distribution_edit_type[${sshkey_distribution_index}]}"),
|
|
perms => mog("600", "${sshkey_distribution_name[${sshkey_distribution_index}]}", "${gid[${sshkey_distribution_index}]}"),
|
|
edit_line => append_or_replace_ssh_key("${sshkey_distribution_key[${sshkey_distribution_index}]}", "${sshkey_distribution_index}"),
|
|
ifvarclass => canonify("user_${sshkey_distribution_index}_exists"),
|
|
classes => rudder_common_classes("${key_class_prefix[${sshkey_distribution_index}]}");
|
|
|
|
methods:
|
|
|
|
!windows::
|
|
|
|
"SSH Key Report"
|
|
ifvarclass => "user_${sshkey_distribution_index}_exists",
|
|
usebundle => rudder_common_reports_generic(
|
|
"${technique_name}", "${key_class_prefix[${sshkey_distribution_index}]}",
|
|
"${sshkey_distribution_uuid[${sshkey_distribution_index}]}", "${component_name}", "${sshkey_distribution_tag[${sshkey_distribution_index}]}",
|
|
"SSH key \"${sshkey_distribution_tag[${sshkey_distribution_index}]}\" for user ${sshkey_distribution_name[${sshkey_distribution_index}]}"
|
|
);
|
|
|
|
"No User Exist Report"
|
|
ifvarclass => "!user_${sshkey_distribution_index}_exists",
|
|
usebundle => rudder_common_report(
|
|
"${technique_name}", "result_error",
|
|
"${sshkey_distribution_uuid[${sshkey_distribution_index}]}", "${component_name}", "${sshkey_distribution_tag[${sshkey_distribution_index}]}",
|
|
"The user ${sshkey_distribution_name[${sshkey_distribution_index}]} does NOT exist on this machine, not adding SSH key"
|
|
);
|
|
|
|
windows::
|
|
|
|
"No Windows Support Report"
|
|
usebundle => rudder_common_report(
|
|
"${technique_name}", "result_error",
|
|
"${sshkey_distribution_uuid[${sshkey_distribution_index}]}", "${component_name}", "${sshkey_distribution_tag[${sshkey_distribution_index}]}",
|
|
"Unable to add a SSH key for ${sshkey_distribution_name[${sshkey_distribution_index}]}: This Technique does not support Windows"
|
|
);
|
|
}
|
|
|
|
# authorized_keys file contains one line per key, in the following format:
|
|
# (optional-options\s)(<keytype>)\s(the_key=)(\soptional-comment)
|
|
# where
|
|
# - keytype is one of ssh-rsa or ssh-dss
|
|
# - key value ends with "="
|
|
# - no spaces are allowed in options, except in double-quoted strings
|
|
#
|
|
bundle edit_line append_or_replace_ssh_key(keyspec, index)
|
|
{
|
|
|
|
vars:
|
|
|
|
"dim_array" int => parsestringarrayidx("keybits", "${keyspec}", "\s*#[^\n]*", "\s+", 1, 8192);
|
|
|
|
"eline" string => escape("${keyspec}");
|
|
"ckey" string => canonify("${keybits[0][1]}");
|
|
"ekey" string => escape("${keybits[0][1]}");
|
|
|
|
insert_lines:
|
|
|
|
"${keyspec}"
|
|
# NOTE: this is only to ensure that insert is attempted *after* the replace,
|
|
# as normally insert step precedes the replace, see
|
|
# (https://cfengine.com/docs/3.5/manuals-language-concepts-normal-ordering.html)
|
|
ifvarclass => canonify("ssh_key_distribution_replace_step_attempted_${index}");
|
|
|
|
replace_patterns:
|
|
|
|
"^(?!${eline}$)(.*${ekey}.*)$"
|
|
comment => "Replace a key here",
|
|
replace_with => value("${keyspec}"),
|
|
ifvarclass => "key_parsed",
|
|
classes => always("ssh_key_distribution_replace_step_attempted_${index}");
|
|
|
|
}
|
|
|