from what I can tell, this is almost a great idea, except that by using the command="/usr/sbin/puppetca", we would be ignoring any command passed to the ssh session. The best I can figure there would be no way to restrict the ssh session to just the puppetca command and pass the certname to the server to get cleaned up.
I really like the idea of the client sending a request to clean its own cert, but I don't see how it can work using ssh and still have a secure server. Alternatively, I'm thinking the client script could send an http request (via CURL) to to server. The server then has a simple PHP script that writes the sender's hostname to a file on the server with the hostname as the name of the file. A launchd job simply watches the dir where the files are written and executes a command to clean the cert and delete the file. A little more complicated, but much more secure. --- Thanks, Allan Marcus 505-667-5666 On Jul 2, 2009, at 10:24 AM, Michael Semcheski wrote: > > On Thu, Jul 2, 2009 at 12:21 PM, Allan Marcus<[email protected]> wrote: >> Would I need to write a bunch of fugly stuff in my sshd_config to >> limit what the puppet user can do via the ssh command? any examples? > > You put the client's key in /root/.ssh/authorized_keys. All you need > to do is prepend this to it: > > command="/usr/sbin/puppetca",no-pty,no-port-forwarding > > Check the documentation for your version of sshd to be sure. > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
