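# Restricted-shell setup for member accounts: the membersh wrapper, the
# per-command "allow" snippets it reads, and the LDAP-to-authorized_keys
# exporter. Every resource is root-owned; nothing here is writable by the
# members themselves.
class restrictshell {

  # Installs the membersh restricted shell and its configuration.
  # Individual commands are switched on by dropping "$use_<name> = 1;"
  # Perl snippets into /etc/membersh-conf.d (see the `allow` define).
  class shell {
    file { "/etc/membersh-conf.d":
      ensure => directory,
      owner  => root,
      group  => root,
      mode   => 755,
    }

    # The wrapper is run as the account's login shell, so it keeps the
    # executable bit.
    file { '/usr/local/bin/sv_membersh.pl':
      ensure  => present,
      owner   => root,
      group   => root,
      mode    => 755,
      content => template("restrictshell/sv_membersh.pl"),
    }

    # Perl configuration sourced by the wrapper. It is data, not a program,
    # so the executable bit it used to carry (755) is dropped.
    file { '/etc/membersh-conf.pl':
      ensure  => present,
      owner   => root,
      group   => root,
      mode    => 644,
      content => template("restrictshell/membersh-conf.pl"),
    }
  }

  # Exports SSH public keys from LDAP into per-user files under
  # $pubkeys_directory. The lookup itself lives in the
  # ldap-sshkey2file.py template, which is not visible from this manifest.
  class ssh_keys_from_ldap {
    package { 'python-ldap':
      ensure => installed,
    }

    $pubkeys_directory = "/var/lib/pubkeys"

    # The top-level directory stays world-traversable so sshd can reach
    # each user's authorized_keys below it.
    file { $pubkeys_directory:
      ensure => directory,
      owner  => root,
      group  => root,
      mode   => 755,
    }

    # root's entry is handled locally rather than from LDAP: a private
    # directory whose authorized_keys is a symlink back into /root/.ssh.
    file { "$pubkeys_directory/root":
      ensure => directory,
      owner  => root,
      group  => root,
      mode   => 700,
    }

    # A filesystem path as the `ensure` value makes this resource a symlink
    # pointing at that path.
    # NOTE(review): `mode` is not applied to the link itself under the
    # default links => manage; confirm whether it was meant for the target
    # file (an authorized_keys file is normally 600).
    file { "$pubkeys_directory/root/authorized_keys":
      ensure => "/root/.ssh/authorized_keys",
      mode   => 700,
    }

    # Presumably consumed by the ldap-sshkey2file.py template for the LDAP
    # bind credentials. The secret file is not managed by this manifest, so
    # its permissions have to be restricted elsewhere — it must never be
    # world-readable.
    $ldap_pwfile = "/etc/ldap.secret"

    file { '/usr/local/bin/ldap-sshkey2file.py':
      ensure  => present,
      owner   => root,
      group   => root,
      mode    => 755,
      content => template("restrictshell/ldap-sshkey2file.py"),
      # The dependency metaparameter is `require`; the previous `requires`
      # is not a valid file attribute and Puppet rejects it as an invalid
      # parameter, so the python-ldap ordering was never enforced.
      require => Package['python-ldap'],
    }
  }

  # Enables one membersh command by writing a "$use_<name> = 1;" Perl
  # snippet into /etc/membersh-conf.d. $name is the resource title
  # (e.g. "git"); only the fixed titles declared by the allow_* classes
  # below are expected to reach it.
  define allow {
    include shell
    file { "/etc/membersh-conf.d/allow_$name.pl":
      ensure  => present,
      owner   => root,
      group   => root,
      # Sourced by the wrapper as data; no executable bit needed (was 755).
      mode    => 644,
      # The backslash keeps "$use_" literal for Perl while Puppet expands $name.
      content => "\$use_$name = 1;\n",
    }
  }

  # Each allow_* class is a thin wrapper around `allow`; we could call the
  # define directly, but the class form reads more nicely on a node.
  class allow_git {
    allow{ "git": }
  }

  class allow_rsync {
    allow{ "rsync": }
  }

  class allow_pkgsubmit {
    allow{ "pkgsubmit": }
  }

  class allow_svn {
    allow{ "svn": }
  }

  class allow_scp {
    allow{ "scp": }
  }

  class allow_sftp {
    allow{ "sftp": }
  }
  # Technically cvs could be added the same way, but it is unlikely
  # we will ever use it.

}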