
Allow changing ownership of authorized_keys file #64

Closed
rndmh3ro opened this issue Jan 5, 2017 · 7 comments
@rndmh3ro
Contributor

rndmh3ro commented Jan 5, 2017

With the latest changes I cannot set a different (or the same) authorized_keys_file for different users, because of https://github.com/deric/puppet-accounts/blob/master/manifests/authorized_keys.pp#L23-L30
This assumes that the directory containing the file should belong to the user for that file. However, some German companies require the authorized_keys file to not be writable by the user itself, only by root (for security reasons and traceability).

Here's the hiera config:

  user1:
    authorized_keys_file: '/etc/ssh/keys/user1_authorized_keys'
    comment: "user1"
    ssh_keys:
      'local_key':
        type: "ssh-rsa"
        key: "AAAB"
  user2:
    authorized_keys_file: '/etc/ssh/keys/user2_authorized_keys'
    comment: "user2"
    ssh_keys:
      'user2':
        type: "ssh-rsa"
        key: "AAAAB="

That's the error:

Error: Duplicate declaration: File[/etc/ssh/keys] is already declared; cannot redeclare at /home/vagrant/modules/accounts/manifests/authorized_keys.pp:23 on node host1
Error: Duplicate declaration: File[/etc/ssh/keys] is already declared; cannot redeclare at /home/vagrant/modules/accounts/manifests/authorized_keys.pp:23 on node host1

I don't know the best way this could be solved or if it's even in the scope of this module.

Maybe make the user and group of the $ssh_dir configurable? Set it to root by default?
Maybe the easiest option: make managing the $ssh_dir through Puppet optional, e.g. with manage_ssh_dir = false.

deric added a commit that referenced this issue Jan 5, 2017
@deric
Owner

deric commented Jan 5, 2017

I'm not sure if your configuration would work with standard sshd; typically ssh enforces a quite strict policy about the .ssh/authorized_keys file. That's the reason why there's chmod 0700 .ssh and chmod 0600 .ssh/authorized_keys. It works fine for standard installations.

I've added a manage_ssh_dir parameter. We could also parametrize the ownership of the ssh dir.

The closest configuration I was able to run is the following:

accounts::users:
  user1:
    authorized_keys_file: '/etc/ssh/user1/user1_authorized_keys'
    comment: "user1"
    ssh_keys:
      'local_key':
        type: "ssh-rsa"
        key: "AAAB"
  user2:
    authorized_keys_file: '/etc/ssh/user2/user2_authorized_keys'
    comment: "user2"
    ssh_keys:
      'user2':
        type: "ssh-rsa"
        key: "AAAAB="

Otherwise Puppet refuses to write authorized keys into the same directory.

@rndmh3ro
Contributor Author

rndmh3ro commented Jan 5, 2017

I'm not sure if your configuration would work with standard sshd

Yes, it does, I already did it this way. See also man sshd_config:

     AuthorizedKeysFile
             Specifies the file that contains the public keys that can be used for user authentication.  The format is described in the AUTHORIZED_KEYS FILE FORMAT section of sshd(8).
             AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection setup.  The following tokens are defined: %% is replaced by a literal '%', %h
             is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.  After expansion, AuthorizedKeysFile is taken to be an
             absolute path or one relative to the user's home directory.  Multiple files may be listed, separated by whitespace.  The default is “.ssh/authorized_keys
             .ssh/authorized_keys2”.

So in /etc/ssh/sshd_config there will be:

AuthorizedKeysFile /etc/ssh/keys/%u_authorized_keys

and then you can do it like I mentioned in the OP:
one authorized_keys file for every user, in which that user's keys are stored.

I'll try it with the new option!

@rndmh3ro
Contributor Author

rndmh3ro commented Jan 6, 2017

With the latest master version and the following config there's no duplicate problem anymore.

accounts::users:
  user2:
    authorized_keys_file: '/etc/ssh/authorized_keys_user2'
    comment: "foo"
    ssh_keys:
      'local_key_user2':
        type: "ssh-rsa"
        key: "AAAAAAAAAA"

  user1:
    authorized_keys_file: '/etc/ssh/authorized_keys_user1'
    comment: "foo"
    ssh_keys:
      'local_key_user1':
        type: "ssh-rsa"
        key: "AAAAAAAAAA"
  user3:
    authorized_keys_file: '/etc/ssh/authorized_keys_user3'
    comment: "foo"
    ssh_keys:
      'local_key_user3':
        type: "ssh-rsa"
        key: "AAAAAAAAAA"
  user4:
    authorized_keys_file: '/etc/ssh/authorized_keys_user4'
    comment: "foo"
    ssh_keys:
      'local_key_user4':
        type: "ssh-rsa"
        key: "AAAAAAAAAA"

But then this happens:

Notice: /Stage[main]/Accounts/Accounts::User[user2]/Accounts::Authorized_keys[user2]/Ssh_authorized_key[local_key_user2]/ensure: created
Error: Puppet::Util::FileType::FileTypeFlat could not write /etc/ssh/authorized_keys_user2: Permission denied - /etc/ssh/authorized_keys_user2
Error: /Stage[main]/Accounts/Accounts::User[user2]/Accounts::Authorized_keys[user2]/Ssh_authorized_key[local_key_user2]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /etc/ssh/authorized_keys_user2: Permission denied - /etc/ssh/authorized_keys_user2
Notice: /Stage[main]/Accounts/Accounts::User[user2]/Accounts::Authorized_keys[user2]/Ssh_authorized_key[mycard]/ensure: created
Error: Puppet::Util::FileType::FileTypeFlat could not write /etc/ssh/authorized_keys_user2: Permission denied - /etc/ssh/authorized_keys_user2
Error: /Stage[main]/Accounts/Accounts::User[user2]/Accounts::Authorized_keys[user2]/Ssh_authorized_key[mycard]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /etc/ssh/authorized_keys_user2: Permission denied - /etc/ssh/authorized_keys_user2
Notice: /Stage[main]/Accounts/Accounts::User[user2]/Accounts::Authorized_keys[user2]/Anchor[accounts::auth_keys_created_user2]: Dependency Ssh_authorized_key[mycard] has failures: true
Notice: /Stage[main]/Accounts/Accounts::User[user2]/Accounts::Authorized_keys[user2]/Anchor[accounts::auth_keys_created_user2]: Dependency Ssh_authorized_key[local_key_user2] has failures: true
Warning: /Stage[main]/Accounts/Accounts::User[user2]/Accounts::Authorized_keys[user2]/Anchor[accounts::auth_keys_created_user2]: Skipping because of failed dependencies
Notice: /Stage[main]/Accounts/Accounts::User[user2]/Accounts::Authorized_keys[user2]/File[/etc/ssh/authorized_keys_user2]/ensure: created
Notice: /Stage[main]/Accounts/Accounts::User[user1]/Accounts::Authorized_keys[user1]/File[/etc/ssh/authorized_keys_user1]/ensure: created
Notice: /Stage[main]/Accounts/Accounts::User[user3]/Accounts::Authorized_keys[user3]/File[/etc/ssh/authorized_keys_user3]/ensure: created
Notice: /Stage[main]/Accounts/Accounts::User[user3]/Accounts::Authorized_keys[user3]/Ssh_authorized_key[local_key_user3]/ensure: created
Notice: /Stage[main]/Accounts/Accounts::User[user1]/Accounts::Authorized_keys[user1]/Ssh_authorized_key[local_key_user1]/ensure: created
Notice: /Stage[main]/Accounts/Accounts::User[user4]/Accounts::Authorized_keys[user4]/Ssh_authorized_key[local_key_user4]/ensure: created
Error: Puppet::Util::FileType::FileTypeFlat could not write /etc/ssh/authorized_keys_user4: Permission denied - /etc/ssh/authorized_keys_user4
Error: /Stage[main]/Accounts/Accounts::User[user4]/Accounts::Authorized_keys[user4]/Ssh_authorized_key[local_key_user4]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /etc/ssh/authorized_keys_user4: Permission denied - /etc/ssh/authorized_keys_user4
Notice: /Stage[main]/Accounts/Accounts::User[user4]/Accounts::Authorized_keys[user4]/Anchor[accounts::auth_keys_created_user4]: Dependency Ssh_authorized_key[local_key_user4] has failures: true
Warning: /Stage[main]/Accounts/Accounts::User[user4]/Accounts::Authorized_keys[user4]/Anchor[accounts::auth_keys_created_user4]: Skipping because of failed dependencies
Notice: /Stage[main]/Accounts/Accounts::User[user4]/Accounts::Authorized_keys[user4]/File[/etc/ssh/authorized_keys_user4]/ensure: created

This does not happen if I change the user to root on line 41 in authorized_keys here: https://github.com/deric/puppet-accounts/blob/master/manifests/authorized_keys.pp#L41

@deric
Owner

deric commented Jan 6, 2017

Yeah, I ran into the same issue yesterday. It seems to be a feature of ssh_authorized_key: in case the parent directory doesn't exist, it will run chmod 0700 on the directory.

You might be able to bypass this if you managed the parent directory before creating accounts (I haven't found code that would chmod an existing directory, but from the logs it looks like that).

So, we could introduce something like an ssh_dir_owner parameter which would default to the current user.

deric added a commit that referenced this issue Jan 7, 2017
Sort of 'hacky' approach as Puppet's ssh_authorized_key resource
doesn't support changing ownership (file write would fail).
@deric deric added the feature label Jan 7, 2017
@deric deric changed the title Duplicate declaration: File[/etc/ssh/keys] is already declared Allow changing ownership of authorized_keys file Jan 7, 2017
@deric
Owner

deric commented Jan 7, 2017

@rndmh3ro try the current version from the master branch. It's a bit of a hacky approach as I had to bypass the ssh_authorized_key resource, but with the following configuration it seems to work:

classes:
  - '::accounts'
accounts::user_defaults:
  ssh_dir_owner: 'root'
  ssh_dir_group: 'root'
  manage_ssh_dir: false
accounts::users:
  user1:
    authorized_keys_file: '/etc/ssh/user1_authorized_keys'
    comment: "user1"
    ssh_keys:
      'local_key':
        type: "ssh-rsa"
        key: "AAAB"
  user2:
    authorized_keys_file: '/etc/ssh/user2_authorized_keys'
    comment: "user2"
    ssh_keys:
      'user2':
        type: "ssh-rsa"
        key: "AAAAB="

@rndmh3ro
Contributor Author

rndmh3ro commented Jan 9, 2017

That works perfectly!

Thanks for taking the time to help me here!

@rndmh3ro rndmh3ro closed this as completed Jan 9, 2017
@deric
Owner

deric commented Jan 9, 2017

Good. You're welcome. I'll update the documentation and then it should be ready for new release.

deric added a commit that referenced this issue Jan 9, 2017