Hi,

After extensively looking into puppet + augeas for managing the
AllowGroups in sshd_config, I came to the conclusion that it won't
work as I expected :( So I'm sharing my thoughts here.

The main objective is allowing multiple groups per-node, depending on
what the security team wants. Since I want this to be dynamic, I
created a define in a class:

class ssh::server::config inherits ssh::config {
    define addallowgroup() {
        augeas {
            "sshd_conf_group_${name}":
                context => "/files/etc/ssh/sshd_config",
                require => File["/etc/ssh/sshd_config"],
                notify => Service["sshd"],
                changes => "set AllowGroups/*[last()+1] ${name}",
                onlyif => " match AllowGroups/*[.='${name}'] size == 0";
        }
    }
}

Then on a node, I can use this:

node "webserver" {
    ssh::server::config::addallowgroup { ["test1", "test2", "test3"]: }
}

Sadly, the "changes" and "onlyif" lines in the augeas type do not
work because the sshd_config's lens creates a unique node/label for
each option. Quoting Augeas' website:

"
http://augeas.net/page/Adding_nodes_to_the_tree

You can use a special trick to append to a list of nodes that all have
the same name, for example to append a new alias to an entry in
/etc/hosts:

set $hosts/1/alias[last()+1] myhost.example.com

The predicate [last()+1] forces set to create a new node. Of course,
after the node is created, it is now reachable as
$hosts/1/alias[last()]. It's important to remember that creating nodes
with set can only work if the labels for all the nodes that need to be
created are known explicitly. In particular, you can't add a new host
entry using something like set $hosts/*[last()+1]/ipaddr 192.168.0.1 —
there's no way for Augeas to know what the new node for *[last()+1]
should be called.
"

In the example on hosts, the "alias" label is already named. So I
can't think of a way to add another node/label dynamically.

The alternative could be creating one augeas type for each group and
using them on the nodes, like this:

augeas {
    "sshd_conf_group_test1":
        context => "/files/etc/ssh/sshd_config",
        require => File["/etc/ssh/sshd_config"],
        notify => Service["sshd"],
        changes => "set AllowGroups/1 test1",
        onlyif => " match AllowGroups/1[.='test1'] size == 0";

    "sshd_conf_group_test2":
        context => "/files/etc/ssh/sshd_config",
        require => File["/etc/ssh/sshd_config"],
        notify => Service["sshd"],
        changes => "set AllowGroups/2 test2",
        onlyif => " match AllowGroups/2[.='test2'] size == 0";

    "sshd_conf_group_test3":
        context => "/files/etc/ssh/sshd_config",
        require => File["/etc/ssh/sshd_config"],
        notify => Service["sshd"],
        changes => "set AllowGroups/3 test3",
        onlyif => " match AllowGroups/3[.='test3'] size == 0";
}

When we have many groups, this becomes very long :(

Does anyone here have an idea for a good practice? :) Or maybe this is
just plain impossible.

Versions:
puppet-0.25.5
augeas-0.7.3

Thanks!

-- 
[]'s
Hugo
www.devin.com.br
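As an added example (not from Hugo's post, nor Puppet's or Augeas' own code), here is the same add-each-group-once logic plus an audit check written in Python over a constructed sshd_config, using plain text parsing instead of the Augeas lens; the function and sample names are my own.

```python
# Added example: idempotent AllowGroups handling with text parsing in place
# of Augeas, mirroring the "changes" + "onlyif ... size == 0" intent above.
import re
from typing import List, Tuple

# Constructed sample sshd_config; not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's file
Port 22
PermitRootLogin no
AllowGroups test1 test2
PasswordAuthentication no
"""

# Keyword match is case-insensitive, as sshd treats it; commented lines skip.
_ALLOWGROUPS_RE = re.compile(r"^(\s*AllowGroups)(\s+)(.*?)\s*$", re.IGNORECASE)


def current_allow_groups(config: str) -> List[str]:
    """Collect every group named on any AllowGroups line, in file order."""
    groups: List[str] = []
    for line in config.splitlines():
        m = _ALLOWGROUPS_RE.match(line)
        if m:
            groups.extend(m.group(3).split())
    return groups


def ensure_allow_groups(config: str, wanted: List[str]) -> Tuple[str, bool]:
    """Add each wanted group exactly once; returns (new_config, changed).

    Missing groups go on the first AllowGroups line; if the file has none,
    a new line is appended. A second run with the same list changes nothing.
    """
    present = set(current_allow_groups(config))
    missing: List[str] = []
    for group in wanted:
        if group not in present:
            missing.append(group)
            present.add(group)
    if not missing:
        return config, False
    lines = config.splitlines()
    for i, line in enumerate(lines):
        m = _ALLOWGROUPS_RE.match(line)
        if m:
            lines[i] = m.group(1) + m.group(2) + " ".join(m.group(3).split() + missing)
            break
    else:
        lines.append("AllowGroups " + " ".join(missing))
    return "\n".join(lines) + "\n", True


def unexpected_allow_groups(config: str, approved: List[str]) -> List[str]:
    """Audit: groups granted SSH login that the security team did not approve."""
    return [g for g in current_allow_groups(config) if g not in set(approved)]
```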
