system administrator accounts
This is a puppet module used to create system administrator accounts.
Basic usage is:
include sysadm

sysadm::staff { "username":
    login  => "username",
    uid    => "uid",
    cmt    => "full username",
    ensure => present,
    lock   => false,
}
Additional options:
home  --> defaults to /home/$login (declared in the init.pp file)
gid   --> defaults to "sysadm" (gid 1100; the group is declared in the init.pp file)
shell --> defaults to "/bin/bash"
The "ensure" parameter defaults to "present", and may also be "absent".
The "lock" parameter defaults to "false", and may also be "true".
If ensure => absent, then the account is deleted from /etc/passwd & /etc/shadow and the entire $HOME is deleted.
If lock => true, then the account is locked (via usermod -L username), and the $HOME/.ssh directory is deleted.
If the account was previously locked and is now set to lock => false, then the account is unlocked (via usermod -U username) and the ssh keys for that user are restored.
NOTE: the module ensures the groups sysadm (gid 1100) & wheel (gid 80) exist.
Some Linux distributions already declare wheel; Debian does not, so I declare it in the init.pp file.
We also use the pam_wheel.so module, so you must ensure that your /etc/pam.d/su file contains:
# Uncomment this if you want wheel members to be able to
# su without a password.
auth sufficient pam_wheel.so trust
NOTE: Ensure you ONLY put your admin accounts in the wheel group!
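An added audit script (not part of the sysadm module) that checks the three things this README depends on: the "!" prefix that the lock/unlock execs look for in /etc/shadow, that only the admin logins are members of wheel, and that the pam_wheel trust line is active rather than commented out. It reads the files given as arguments, so it can be run against copies; the sample file contents and the logins alice, bob and mallory are constructed.

```shell
#!/bin/bash
# Added audit helper, not part of the sysadm module. Every function takes the
# file to inspect as an argument, so it can be pointed at copies of
# /etc/shadow, /etc/group and /etc/pam.d/su.

# Succeed if the login's shadow entry carries the "!" prefix that usermod -L
# adds; this is the same test the manifest's exec resources rely on.
account_locked() {   # account_locked <shadow-file> <login>
    grep -Eq "^$2:!" "$1"
}

# Print each wheel member (4th field of the wheel line) that is not in the
# allowed list of admin logins; succeed only when there are none.
unexpected_wheel_members() {   # unexpected_wheel_members <group-file> <admin-login>...
    local groupfile=$1 m bad=0
    shift
    for m in $(awk -F: '$1 == "wheel" { print $4 }' "$groupfile" | tr ',' ' '); do
        case " $* " in
            *" $m "*) ;;
            *) echo "$m"; bad=1 ;;
        esac
    done
    return $bad
}

# Succeed if an uncommented "auth sufficient pam_wheel.so trust" line is active.
# With "trust", wheel members su without a password, hence the wheel check above.
pam_wheel_active() {   # pam_wheel_active <pam-su-file>
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so[[:space:]]+trust' "$1"
}

# Constructed sample files (not real system data): bob is locked, mallory is
# in wheel although only alice and bob are admin accounts.
tmp=$(mktemp -d)
cat >"$tmp/shadow" <<'EOF'
alice:$6$salt$hashhashhash:19000:0:99999:7:::
bob:!$6$salt$hashhashhash:19000:0:99999:7:::
EOF
cat >"$tmp/group" <<'EOF'
wheel:x:80:alice,mallory
sysadm:x:1100:alice,bob
EOF
printf '# auth sufficient pam_wheel.so trust\nauth sufficient pam_wheel.so trust\n' >"$tmp/su"

account_locked "$tmp/shadow" bob && echo "bob: locked"
unexpected_wheel_members "$tmp/group" alice bob || echo "^ not admin accounts: remove from wheel"
pam_wheel_active "$tmp/su" && echo "pam_wheel trust line is active"
```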
The module lives in /etc/puppet/modules/sysadm/
There is a single file, /etc/puppet/modules/sysadm/manifests/init.pp, that holds the definition.
The module will handle the distribution of the admin account ssh keys.
The ssh keys are kept in /etc/puppet/files/staff/keys/$username.
I have a companion program to generate staff keys:
/usr/global/bin/staff_keys:
#! /bin/bash
# vi:set nu ai ap aw smd showmatch tabstop=4 shiftwidth=4:
# Generate an RSA key pair for a staff login under the puppet files tree,
# unless one already exists for that login.
login=${1?must declare login name}
KEYS="/etc/puppet/files/staff/keys"
if [ -e "${KEYS}/$login/id_rsa" ]
then
    # keys already generated for this login; nothing to do
    exit 0
else
    mkdir -p "${KEYS}/$login"
fi
# no passphrase; the comment is set to the login so the key's owner is identifiable
ssh-keygen -t rsa -N '' -C "$login" -f "${KEYS}/$login/id_rsa"
cp "${KEYS}/$login/id_rsa.pub" "${KEYS}/$login/authorized_keys"
# puppet serves these files, so it must own them; keep them private
chown -R puppet:puppet "${KEYS}/$login"
chmod -R 0700 "${KEYS}/$login"
exit 0
You must run "staff_keys username" (on your puppetmaster server) before adding the staff definition to your puppet file (whatever that might be: site.pp, nodes.pp, etc.).
This will create the RSA keys, and set the comment on the keys to the username.
And here is the /etc/puppet/modules/sysadm/manifests/init.pp file:
# /etc/puppet/modules/sysadm/manifests/init.pp
# vi:set nu ai ap aw smd showmatch tabstop=4 shiftwidth=4:
class sysadm {
    group { "sysadm":
        gid    => 1100,
        ensure => present,
    }
    group { "wheel":
        gid    => 80,
        ensure => present,
    }

    define staff($login, $uid, $home="/home/$login", $gid="sysadm", $cmt, $shell="/bin/bash", $ensure="present", $lock=false) {
        # create the user account (or remove it, with its home, when ensure => absent)
        user { "$login":
            uid        => "$uid",
            gid        => "$gid",
            groups     => ['wheel'],
            comment    => "$cmt",
            shell      => "$shell",
            managehome => true,
            ensure     => $ensure,
        }

        # declare a shortname for the source location of the keys
        $src = "puppet:///staff/keys/$login"

        # check if the account is locked
        case $lock {
            true: {
                # it's locked, so lock the account.
                # usermod -L prefixes the password hash in /etc/shadow with "!",
                # so skip the exec once that prefix is already there.
                # (double-quoted: Puppet only interpolates ${login} inside "..." strings)
                exec { "usermod -L $login":
                    path   => "/usr/sbin:/sbin:/usr/bin:/usr:/bin",
                    unless => "egrep '^${login}:!.*:.*' /etc/shadow",
                }
                # and ensure the user's ssh keys are removed
                file { "$home/.ssh":
                    ensure => absent,
                    force  => true,
                }
            }
            # not locked
            # must ensure that this is not a new user account.
            false: {
                # remove the account lock, but only if the shadow entry carries the "!" prefix
                exec { "usermod -U $login":
                    path   => "/usr/sbin:/sbin:/usr/bin:/usr:/bin",
                    onlyif => "egrep '^${login}:!..*:.*:.*:.*:.*:.*:.*:.*:\$' /etc/shadow",
                }
            }
        }

        # create or remove ssh keys
        case $ensure {
            present: {
                # it's possible the account can be present & locked.
                # if it's locked, we don't want to restore the keys.
                if $lock == false {
                    file {
                        "$home/.ssh":
                            ensure => directory,
                            owner  => $login,
                            group  => $gid,
                            mode   => 0700;
                        "$home/.ssh/id_rsa":
                            ensure => present,
                            owner  => $login,
                            group  => $gid,
                            mode   => 0700,
                            source => "$src/id_rsa";
                        "$home/.ssh/id_rsa.pub":
                            ensure => present,
                            owner  => $login,
                            group  => $gid,
                            mode   => 0700,
                            source => "$src/id_rsa.pub";
                        "$home/.ssh/authorized_keys":
                            ensure => present,
                            owner  => $login,
                            group  => $gid,
                            mode   => 0700,
                            source => "$src/authorized_keys";
                    }
                }
            }
            absent: {
                file { "$home":
                    ensure => absent,
                    force  => true,
                }
            }
        }
    }
}