What about deploying the keys to /etc/skel? Would that be enough for what you
want?
On Feb 25, 2010, at 8:47 AM, Marcello de Sousa wrote:
> Hi Andrew,
>
>>> "IF homedir exists => deploy .ssh/authorized_keys , else do nothing"
>>> As far as I know this is not possible with puppet.
>>
>> Marcello, I want to understand your use case. AD and LDAP seem to be
>> fairly common in Puppet installations, and I'd like for ssh::auth to
>> work well with them. But I'm not that familiar with them.
>>
>> Are you saying that once a user is authorized for a host (or the whole
>> domain), the user exists on that host, but his/her home directory
>> doesn't, until they first log in?
>
> The user doesn't exactly "exist" on that host. The user and his group
> membership are 'visible' (via AD/ldap) and he might be authorized to log in
> to that host. His homedir doesn't exist initially indeed.
>
>> When the user logs in, is his/her home directory automounted from a
>> network share?
>
> No, although this might be possible.
> But this is not default and is not what I want now.
>
>> In that case, the place to deploy the ssh keys would be in the
>> user's home directory on the file server. Or, is the home directory
>> created locally on the host the first time the user logs in?
>
> Exactly.
>
>> It would seem to me that once a user is authorized for a host, you'd
>> want to create his/her ~/.ssh/authorized_keys right away, so they can log
>> in by ssh.
>> If you can explain the sequence of how users get created and
>> authorized and when their home directories get created, it would help
>> me to address the need.
>>
>> Andrew.
>
> Let me try to explain that:
> Based on an AD group membership I allow the users to log in or not. If you
> don't configure that parameter on the lwopen (Likewise-open) client ("require
> membership of"), all domain users are allowed to log in.
>
> In addition, Likewise-open uses a hash of your ActiveDirectory UID/GID to
> generate your unix UID/GID.
> Once you log in to the machine for the first time, lwopen will create your
> homedir with the proper rights (proper hashed UID/GID and optionally
> domainname). For example, an "ls -ln" would show some info like:
>
> drwxr-xr-x 953680985 953680385 /home/mydomain/myusername
>
> Besides that, lwopen would create a .k5login in that directory to allow
> single sign-on via Kerberos. That's one more reason I need lwopen doing that
> and not puppet.
>
> My whole lwopen configuration is deployed via puppet. On the machines that I
> log in to, after my homedir is properly created, I would like to be able to
> deploy my .ssh/authorized_keys as an alternative to Kerberos SSO. Btw,
> that's because Kerberos SSO has some issues, but that's off-topic. :)
>
> So what I need looks simple but surprisingly difficult to achieve:
>>> "IF homedir exists => deploy .ssh/authorized_keys , else do nothing"
>
> Is this enough info about the use case ? Ideas anyone ?
>
> Gr,
> Marcello
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
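One way to get the "IF homedir exists => deploy .ssh/authorized_keys, else do nothing" behaviour Marcello asks for, as an added example that is not from the thread, from Puppet or from Likewise. It is a small POSIX shell function that a Puppet `exec` resource can call; in the manifest you would guard it with `onlyif => "/usr/bin/test -d /home/mydomain/myusername"` so the resource is a no-op on every run until lwopen has created the directory. The home directory path comes from the thread; the function name, the key file argument and the exit codes are my own choices. Two details matter for it to work on the lwopen hosts described: the numeric owner is read from the home directory itself rather than hardcoded, because the UID/GID is a hash Likewise computes, and the directory and file get the 0700/0600 modes and owner that sshd's StrictModes check requires, otherwise the deployed key is silently ignored. Because this runs as root inside a user-owned directory, it also refuses to follow a `~/.ssh` symlink and writes the file with noclobber before renaming it into place. One caveat on the /etc/skel suggestion above: if lwopen populates new home directories from /etc/skel, an authorized_keys placed there is copied into every new user's home, so the key owner could log in as each of those users; a per-user conditional deploy like this avoids that.

```shell
#!/bin/sh
# deploy_authorized_keys HOMEDIR KEYFILE
#
# Installs KEYFILE as HOMEDIR/.ssh/authorized_keys, but only if HOMEDIR
# already exists (lwopen creates it on the user's first login). Ownership
# is copied from HOMEDIR itself rather than hardcoded, because Likewise
# derives the numeric UID/GID from a hash of the AD account.
#
# Exit status: 0 keys installed or already up to date
#              2 home directory does not exist yet, nothing done
#              1 error (including a refused symlinked ~/.ssh)
deploy_authorized_keys() {
    homedir=$1
    keyfile=$2
    sshdir="$homedir/.ssh"
    target="$sshdir/authorized_keys"

    # The condition from the thread: no home directory, do nothing.
    [ -d "$homedir" ] || return 2

    # Take numeric owner:group from the directory (GNU stat; BSD/macOS use
    # "stat -f %u:%g"). On the lwopen hosts this is the hashed UID/GID.
    owner=$(stat -c '%u:%g' "$homedir") || return 1

    # This runs as root in a user-owned directory: refuse to follow a
    # ~/.ssh symlink the user could have pointed somewhere else.
    if [ -L "$sshdir" ]; then
        echo "refusing: $sshdir is a symlink" >&2
        return 1
    fi

    # sshd with StrictModes (the default) ignores authorized_keys if
    # ~/.ssh or the file is writable by anyone else or owned by someone
    # else, so set mode and owner explicitly.
    mkdir -p "$sshdir" && chmod 0700 "$sshdir" && chown "$owner" "$sshdir" || return 1

    # Idempotent: if the installed file already matches, leave it alone.
    if [ -f "$target" ] && [ ! -L "$target" ] && cmp -s "$keyfile" "$target"; then
        return 0
    fi

    # Write to a temp file created with noclobber and umask 077, then
    # rename over the target, so sshd never sees a partial file and a
    # pre-planted symlink at the temp name is not followed.
    tmp="$sshdir/.authorized_keys.$$"
    ( umask 077 && set -C && cat "$keyfile" > "$tmp" ) || return 1
    chmod 0600 "$tmp" && chown "$owner" "$tmp" && mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
    return 0
}

# Run directly (e.g. from a Puppet exec):
#   deploy_authorized_keys.sh /home/mydomain/myusername /etc/puppet/keys/myusername.pub
if [ "$#" -eq 2 ]; then
    deploy_authorized_keys "$1" "$2"
    exit $?
fi
```

Calling it from Puppet with `onlyif => "/usr/bin/test -d /home/mydomain/myusername"` keeps the manifest quiet (no exec run reported) on hosts where the user has not logged in yet; once lwopen has created the directory, the next Puppet run installs the key, and later runs find the file unchanged and do nothing.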