通过 puppet 在单台机器上多次安装单个 SSH 密钥

Mic*_*yxí 5 ssh puppet

我想有一个地方为我的用户定义了 ssh 密钥。这些用户可以在单个服务器上担任不同(多个)角色。所以我将 ssh_authorized_key 定义为 virtual ,然后想在不同的角色中实现它们。例子:

@ssh_authorized_key {
    "user_a":
        tag     => ['deployer', 'developer', 'root'],
        key     => "xxx",
        type    => "ssh-dss",
        ensure  => present;
    "user_b":
        tag     => ['deployer', 'root'],
        key     => "yyy",
        type    => "ssh-dss",
        ensure  => present;
    "user_c":
        tag      => ['root', 'deployer'],
        key      => 'zzz',
        type => "ssh-rsa",
        ensure   => present;
}
Run Code Online (Sandbox Code Playgroud)

然后在单个节点上为多个用户实现它们:

Ssh_authorized_key<| tag == 'root' |> {
    user    => 'root'
}

Ssh_authorized_key<| tag == 'deployer' |> {
    user    => 'deployer'
}
Run Code Online (Sandbox Code Playgroud)

但是 puppet 只会为一个用户安装证书。我认为我的解决方案的主要概念是错误的。但我不知道如何为多个用户安装单个证书?

Pau*_*rop 2

您的解决方案的主要概念是错误的,这是正确的,但我认为它的错误远远早于您的怀疑。最佳做法是不要共享帐户;每个用户都应该有一个单独的帐户,并用于sudo执行需要备用权限的任务。如果您确实必须共享一个或多个帐户,请允许您的用户这样做sudo su - ACCOUNT,而不是直接以 ACCOUNT 身份登录。例如:

user { 'alice': groups => ['developer', 'deployer', 'root'] # other params... }
ssh_authorized_key { 'alice': #params }
Run Code Online (Sandbox Code Playgroud)

/etc/sudoers然后在您的(也希望由木偶管理!)中添加适当的条目:

# deployer group can run the deployment script without a password.
%deployer  ALL = NOPASSWD: /usr/local/bin/deploy
# developer group can run commands as 'developer'
%developer ALL = (developer) ALL
# or, if you actually *must* allow them to log in as 'developer'
%developer ALL = /usr/bin/su developer
Run Code Online (Sandbox Code Playgroud)