| 1 |
boklm |
78 |
class restrictshell { |
| 2 |
misc |
406 |
class shell { |
| 3 |
misc |
408 |
file {"/etc/membersh-conf.d": |
| 4 |
|
|
ensure => directory, |
| 5 |
|
|
owner => root, |
| 6 |
|
|
group => root, |
| 7 |
|
|
mode => 755, |
| 8 |
|
|
} |
| 9 |
|
|
|
| 10 |
misc |
406 |
file { '/usr/local/bin/sv_membersh.pl': |
| 11 |
|
|
ensure => present, |
| 12 |
|
|
owner => root, |
| 13 |
|
|
group => root, |
| 14 |
|
|
mode => 755, |
| 15 |
|
|
content => template("restrictshell/sv_membersh.pl"), |
| 16 |
|
|
} |
| 17 |
boklm |
78 |
|
| 18 |
misc |
406 |
file { '/etc/membersh-conf.pl': |
| 19 |
|
|
ensure => present, |
| 20 |
|
|
owner => root, |
| 21 |
|
|
group => root, |
| 22 |
|
|
mode => 755, |
| 23 |
|
|
content => template("restrictshell/membersh-conf.pl"), |
| 24 |
|
|
} |
| 25 |
misc |
408 |
} |
| 26 |
|
|
|
| 27 |
|
|
class ssh_keys_from_ldap { |
| 28 |
boklm |
78 |
|
| 29 |
misc |
406 |
package { 'python-ldap': |
| 30 |
|
|
ensure => installed, |
| 31 |
|
|
} |
| 32 |
boklm |
78 |
|
| 33 |
misc |
406 |
$pubkeys_directory = "/var/lib/pubkeys" |
| 34 |
|
|
file { $pubkeys_directory: |
| 35 |
|
|
ensure => directory, |
| 36 |
|
|
owner => root, |
| 37 |
|
|
group => root, |
| 38 |
|
|
mode => 755, |
| 39 |
|
|
} |
| 40 |
misc |
262 |
|
| 41 |
misc |
435 |
file { "$pubkeys_directory/root": |
| 42 |
|
|
ensure => directory, |
| 43 |
|
|
owner => root, |
| 44 |
|
|
group => root, |
| 45 |
|
|
mode => 700, |
| 46 |
|
|
} |
| 47 |
|
|
|
| 48 |
|
|
file { "$pubkeys_directory/root/authorized_keys": |
| 49 |
|
|
ensure => "/root/.ssh/authorized_keys", |
| 50 |
|
|
mode => 700, |
| 51 |
|
|
} |
| 52 |
|
|
|
| 53 |
misc |
408 |
$ldap_pwfile = "/etc/ldap.secret" |
| 54 |
misc |
406 |
file { '/usr/local/bin/ldap-sshkey2file.py': |
| 55 |
|
|
ensure => present, |
| 56 |
|
|
owner => root, |
| 57 |
|
|
group => root, |
| 58 |
|
|
mode => 755, |
| 59 |
|
|
content => template("restrictshell/ldap-sshkey2file.py"), |
| 60 |
|
|
requires => Package['python-ldap'] |
| 61 |
|
|
} |
| 62 |
|
|
} |
| 63 |
misc |
262 |
|
| 64 |
misc |
408 |
define allow { |
| 65 |
|
|
include shell |
| 66 |
|
|
file { "/etc/membersh-conf.d/allow_$name.pl": |
| 67 |
|
|
ensure => "present", |
| 68 |
|
|
owner => root, |
| 69 |
|
|
group => root, |
| 70 |
|
|
mode => 755, |
| 71 |
|
|
content => "\$use_$name = 1;\n", |
| 72 |
|
|
} |
| 73 |
misc |
406 |
} |
| 74 |
misc |
408 |
|
| 75 |
|
|
# yes, we could directly use the allow, but this is |
| 76 |
|
|
# a nicer syntax |
| 77 |
|
|
class allow_git { |
| 78 |
|
|
allow{ "git": } |
| 79 |
|
|
} |
| 80 |
|
|
|
| 81 |
|
|
class allow_rsync { |
| 82 |
|
|
allow{ "rsync": } |
| 83 |
|
|
} |
| 84 |
|
|
|
| 85 |
|
|
class allow_pkgsubmit { |
| 86 |
|
|
allow{ "pkgsubmit": } |
| 87 |
|
|
} |
| 88 |
|
|
|
| 89 |
|
|
class allow_svn { |
| 90 |
|
|
allow{ "svn": } |
| 91 |
|
|
} |
| 92 |
misc |
409 |
|
| 93 |
|
|
class allow_scp { |
| 94 |
|
|
allow{ "scp": } |
| 95 |
|
|
} |
| 96 |
|
|
|
| 97 |
|
|
class allow_sftp { |
| 98 |
|
|
allow{ "sftp": } |
| 99 |
|
|
} |
| 100 |
|
|
# technically, we could add cvs too |
| 101 |
|
|
# but I doubt we will use it one day |
| 102 |
|
|
|
| 103 |
|
|
|
| 104 |
boklm |
78 |
} |
Parent Directory
| 
Revision Log