我想有一个地方为我的用户定义了 ssh 密钥。这些用户可以在单个服务器上担任不同(多个)角色。所以我将 ssh_authorized_key 定义为 virtual ,然后想在不同的角色中实现它们。例子:
@ssh_authorized_key {
"user_a":
tag => ['deployer', 'developer', 'root'],
key => "xxx",
type => "ssh-dss",
ensure => present;
"user_b":
tag => ['deployer', 'root'],
key => "yyy",
type => "ssh-dss",
ensure => present;
"user_c":
tag => ['root', 'deployer'],
key => 'zzz',
type => "ssh-rsa",
ensure => present;
}
然后在单个节点上为多个用户实现它们:
Ssh_authorized_key<| tag == 'root' |> {
user => 'root'
}
Ssh_authorized_key<| tag == 'deployer' |> {
user => 'deployer'
}
但是 puppet 只会为一个用户安装证书。我认为我的解决方案的主要概念是错误的。但我不知道如何为多个用户安装单个证书?
您的解决方案的主要概念是错误的,这是正确的,但我认为它的错误远远早于您的怀疑。最佳做法是不要共享帐户;每个用户都应该有一个单独的帐户,并用于sudo执行需要备用权限的任务。如果您确实必须共享一个或多个帐户,请允许您的用户这样做sudo su - ACCOUNT,而不是直接以 ACCOUNT 身份登录。例如:
user { 'alice': groups => ['developer', 'deployer', 'root'] # other params... }
ssh_authorized_key { 'alice': #params }
/etc/sudoers然后在您的(也希望由木偶管理!)中添加适当的条目:
# deployer group can run the deployment script without a password.
%deployer ALL = NOPASSWD: /usr/local/bin/deploy
# developer group can run commands as 'developer'
%developer ALL = (developer) ALL
# or, if you actually *must* allow them to log in as 'developer'
%developer ALL = /usr/bin/su developer
| 归档时间: |
|
| 查看次数: |
991 次 |
| 最近记录: |