system administrator accounts

This is a puppet module used to create system administrator accounts.

Basic usage is:

    include sysadm

    sysadm::staff { "username":
        login  => "username",
        uid    => "uid",
        cmt    => "full username",
        ensure => present,
        lock   => false,
    }

Additional options:

    home  --> defaults to /home/$login (declared in the init.pp file)
    gid   --> defaults to the sysadm group (gid 1100) (declared in the init.pp file)
    shell --> defaults to "/bin/bash"

The "ensure" parameter defaults to "present" and may also be set to "absent".

The "lock" parameter defaults to "false" and may also be set to "true".

If ensure => absent, then the account is deleted from /etc/passwd & /etc/shadow and the entire $HOME is deleted.

If lock => true, then the account is locked (via usermod -L username), and the $HOME/.ssh directory is deleted.

If the account was previously locked and is now set to lock => false, then the account is unlocked (via usermod -U username), and the .ssh keys for that user are restored.

NOTE: the module ensures the groups sysadm (gid 1100) and wheel (gid 80) exist.

Some Linux distributions already declare wheel; Debian does not, so I declare it in the init.pp file.

We also use the pam_wheel.so module, so you must ensure that your /etc/pam.d/su file contains:

    # Uncomment this if you want wheel members to be able to
    # su without a password.
    auth sufficient pam_wheel.so trust

NOTE: Ensure you ONLY put your admin accounts in the wheel group!

The module lives in /etc/puppet/modules/sysadm/

There is a single file, /etc/puppet/modules/sysadm/manifests/init.pp, that holds the definition.

The module will handle the distribution of the admin account ssh keys.

The ssh keys are kept in /etc/puppet/files/staff/keys/$username.

I have a companion program, /usr/global/bin/staff_keys, to generate staff keys:

    #! /bin/bash
    # vi:set nu ai ap aw smd showmatch tabstop=4 shiftwidth=4:

    login=${1?must declare login name}
    KEYS="/etc/puppet/files/staff/keys"

    # nothing to do if this login already has a key pair
    if [ -e "${KEYS}/$login/id_rsa" ]
    then
        exit 0
    else
        mkdir -p "${KEYS}/$login"
    fi

    # generate an RSA key pair (no passphrase) with the login name as the key comment
    ssh-keygen -t rsa -N '' -C "$login" -f "${KEYS}/$login/id_rsa"

    # the public key doubles as the authorized_keys file pushed to every host
    cp "${KEYS}/$login/id_rsa.pub" "${KEYS}/$login/authorized_keys"

    # the puppetmaster serves these files, so restrict them to the puppet user
    chown -R puppet:puppet "${KEYS}/$login"
    chmod -R 0700 "${KEYS}/$login"

    exit 0

You must run "staff_keys username" on your puppetmaster server before adding the staff definition to your puppet manifest (whatever that might be: site.pp, nodes.pp, etc).

This creates the RSA key pair and sets the comment on the keys to the username.

And here is the /etc/puppet/modules/sysadm/manifests/init.pp file:

    # /etc/puppet/modules/sysadm/manifests/init.pp
    # vi:set nu ai ap aw smd showmatch tabstop=4 shiftwidth=4:

    class sysadm {

        group { "sysadm":
            gid    => 1100,
            ensure => present,
        }

        group { "wheel":
            gid    => 80,
            ensure => present,
        }

        define staff($login, $uid, $home="/home/$login", $gid="sysadm", $cmt,
                     $shell="/bin/bash", $ensure="present", $lock=false) {

            # create the user account
            # added notify to execute an email program when account is created.
            user { "$login":
                uid        => "$uid",
                gid        => "$gid",
                groups     => ['wheel'],
                comment    => "$cmt",
                shell      => "$shell",
                managehome => true,
                ensure     => $ensure,
            }

            # declare a shortname for the source location of the keys
            $src = "puppet:///staff/keys/$login"

            # check if the account is locked
            case $lock {
                true: {
                    # it's locked, so lock the account.
                    # usermod -L prefixes the password field in /etc/shadow with "!",
                    # so skip the exec when that marker is already present.
                    # (double quotes are required so Puppet interpolates ${login})
                    exec { "usermod -L $login":
                        path   => "/usr/sbin:/sbin:/usr/bin:/usr:/bin",
                        unless => "grep -q '^${login}:!' /etc/shadow",
                    }

                    # and ensure the user's ssh keys are removed
                    file { "$home/.ssh":
                        ensure => absent,
                        force  => true,
                    }
                }

                # not locked
                # must ensure that this is not a new user account.
                false: {
                    # remove the account lock, but only if the "!" marker is there
                    exec { "usermod -U $login":
                        path   => "/usr/sbin:/sbin:/usr/bin:/usr:/bin",
                        onlyif => "grep -q '^${login}:!' /etc/shadow",
                    }
                }
            }

            # create or remove ssh keys
            case $ensure {
                present: {
                    # it's possible the account can be present & locked.
                    # if it's locked, we don't want to restore the keys.
                    if $lock == false {
                        file {
                            "$home/.ssh":
                                ensure => directory,
                                owner  => $login,
                                group  => $gid,
                                mode   => '0700';
                            "$home/.ssh/id_rsa":
                                ensure => present,
                                owner  => $login,
                                group  => $gid,
                                mode   => '0700',
                                source => "$src/id_rsa";
                            "$home/.ssh/id_rsa.pub":
                                ensure => present,
                                owner  => $login,
                                group  => $gid,
                                mode   => '0700',
                                source => "$src/id_rsa.pub";
                            "$home/.ssh/authorized_keys":
                                ensure => present,
                                owner  => $login,
                                group  => $gid,
                                mode   => '0700',
                                source => "$src/authorized_keys";
                        }
                    }
                }

                absent: {
                    # remove the whole home directory along with the account
                    file { "$home":
                        ensure => absent,
                        force  => true,
                    }
                }
            }
        }
    }
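The lock and unlock guards in the manifest key off the password field of /etc/shadow, which usermod -L prefixes with "!". The script below is an added example, not part of the module, that runs the same test against a constructed shadow sample in a temporary file (placeholder hashes, never the real /etc/shadow) and classifies each account; the helper names field_count, is_locked and shadow_state are my own.

```shell
#!/bin/sh
# Added example: exercises the same /etc/shadow checks the manifest's
# "usermod -L" (unless) and "usermod -U" (onlyif) guards rely on.
# It reads a constructed sample file, never the real /etc/shadow.
set -eu

SHADOW_FILE="$(mktemp)"
trap 'rm -f "$SHADOW_FILE"' EXIT

# Constructed sample lines (hashes are placeholders, not real):
#   alice - normal account
#   bob   - locked by "usermod -L" (hash kept, "!" prefixed)
#   carol - locked, never had a password ("!" alone)
#   dave  - password login disabled ("*"), but not locked by usermod
cat > "$SHADOW_FILE" <<'EOF'
alice:$6$saltsalt$FAKEHASH:19000:0:99999:7:::
bob:!$6$saltsalt$FAKEHASH:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
dave:*:19000:0:99999:7:::
EOF

# A shadow entry has 9 colon-separated fields (8 colons); a guard that
# expects more colons than that can never match a real entry.
field_count() {
    awk -F: -v u="$1" '$1 == u { print NF; exit }' "$SHADOW_FILE"
}

# The test the exec resources need: the password field starts with "!",
# which is exactly what "usermod -L" writes and "usermod -U" removes.
is_locked() {
    grep -q "^$1:!" "$SHADOW_FILE"
}

# Audit helper: classify an account as missing, locked, nologin or unlocked.
shadow_state() {
    if ! grep -q "^$1:" "$SHADOW_FILE"; then
        echo missing
        return 0
    fi
    pw="$(awk -F: -v u="$1" '$1 == u { print $2; exit }' "$SHADOW_FILE")"
    case "$pw" in
        '!'*) echo locked ;;
        '*')  echo nologin ;;
        *)    echo unlocked ;;
    esac
}

for u in alice bob carol dave erin; do
    printf '%-6s %s\n' "$u" "$(shadow_state "$u")"
done
```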