Or you could configure sshd to look for authorized keys some place other than the user's home directory. For example:
AuthorizedKeysFile /etc/ssh/keys/%u
And then have your recipe populate that directory…
Joe
On Jul 31, 2014, at 12:37 PM, Douglas Garstang wrote:

AJ,
Their home directories are being created by LDAP and PAM on first login. However, that does not handle the setup of the ssh authorized keys file. For select users, I wanted chef to create the home directories, with the correct uid and gid pulled from LDAP, and then pull the ssh public key from a data bag and drop it into their home directory. Obviously, the LDAP recipe has to run first in the run list. This should be pretty simple.
My latest attempt, based on your suggestion, is not working however. I believe the uid and gid are correct (although I can't print them because that causes it to fail. How do I print lazy variables? I tried using lazy in the log statement and it failed), but I can't verify because I can't print. When the recipe has run, /home/doug is owned by root.root.
Doug

# recipe
include_recipe "foo-ldap"
bag = data_bag("ssh-keys")
for item in bag do
  user = data_bag_item('ssh-keys', item)
  user_name = user['id']
  directory "/home/#{user_name}" do
    # lazy so the lookup runs at converge time, after foo-ldap has configured NSS
    owner lazy { ShellGetent.uid(user_name) }
    group lazy { ShellGetent.gid(user_name) }
  end
end

# library:
class ShellGetent
  include Chef::Mixin::ShellOut

  def self.uid(username)
    return if username.nil? || username.empty?
    # getent yields strings; Integer() fails loudly on a missing field instead of to_i quietly returning 0 (root)
    Integer(new.getent(:passwd, username)[2])
  end

  def self.gid(username)
    return if username.nil? || username.empty?
    Integer(new.getent(:passwd, username)[3])
  end

  # Returns a new slice of parts of the output. Maybe make a struct or something? Be creative!
  def getent(type, name)
    raise ArgumentError, "unsupported getent database #{type}" unless %w(passwd).include?(type.to_s)
    # argv form: the name is passed as an argument, never interpolated into a shell command line
    cmd = shell_out!("getent", type.to_s, name)
    cmd.stdout.split(":")
  end
end
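Putting Joe's AuthorizedKeysFile layout together with the getent lookup from Doug's library, here is an added plain-Ruby example (written for this page, not code from the thread or from Chef): it parses getent output into a struct with numeric ids, refuses usernames that cannot safely be passed to a command, and builds the per-user key file body. The helper names and the data bag item shape ('id' plus a 'keys' list) are assumptions.

```ruby
# Hypothetical helper names (parse_passwd, getent_argv, lookup_user,
# authorized_keys_content); the data bag item shape {'id', 'keys'} is assumed.
PasswdEntry = Struct.new(:name, :uid, :gid, :home, :shell)

# Conservative Linux username shape; anything else is refused before it
# reaches a command line.
USERNAME_RE = /\A[a-z_][a-z0-9_-]{0,31}\z/

# One line of `getent passwd` output -> PasswdEntry with numeric ids.
# Integer() raises on a missing field rather than quietly yielding 0 (root).
def parse_passwd(line)
  return nil if line.nil? || line.strip.empty?
  f = line.chomp.split(':', -1)
  raise ArgumentError, "unexpected passwd line: #{line.inspect}" unless f.length == 7
  PasswdEntry.new(f[0], Integer(f[2]), Integer(f[3]), f[5], f[6])
end

# argv form of the lookup: no shell involved, so the name is never interpreted.
def getent_argv(username)
  raise ArgumentError, "refusing username #{username.inspect}" unless USERNAME_RE.match?(username)
  ['getent', 'passwd', username]
end

# Run the lookup; nil when NSS/LDAP does not know the user.
def lookup_user(username)
  out = IO.popen(getent_argv(username), &:read)
  $?.success? ? parse_passwd(out) : nil
end

# Accept only lines that look like OpenSSH public keys (type, base64, optional comment).
KEY_RE = %r{\A(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^\n]*)?\z}

# Body of /etc/ssh/keys/<user> from a data bag item such as
# {'id' => 'doug', 'keys' => ['ssh-ed25519 AAAA... doug@laptop']} (constructed shape).
def authorized_keys_content(item)
  keys = Array(item['keys']).map(&:strip)
  bad = keys.reject { |k| KEY_RE.match?(k) }
  raise ArgumentError, "malformed key(s) for #{item['id']}: #{bad.inspect}" unless bad.empty?
  keys.join("\n") + "\n"
end

# In the recipe this becomes (Chef DSL, shown as a comment so this file runs alone):
#   entry = lookup_user(user_name)
#   file "/etc/ssh/keys/#{entry.name}" do
#     content authorized_keys_content(item)
#     owner 'root'; group 'root'; mode '0644'   # root-owned, not group/world-writable:
#   end                                         # passes sshd StrictModes, user cannot edit it
```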