[chef] Re: Creating authorized_keys for LDAP users.

[Mark Harrison < >]

Your issue is due to the fact that when you loop through the ssh keys,
you are creating an execute resource with the same name multiple
times, and each one is overwriting the other. Every resource must be
uniquely named, and you would have to notify them all.

If you don't want to use a template as suggested elsewhere (a template
is the best way provided you don't need to support people adding their
own keys), then I would suggest building a variable containing all
keys and writing them in a single execute resource. Something like the
following (untested) code:

execute "install_public_rsa_#{user_name}" do
  command "su - #{user_name} -c \"echo '#{ssh_keys.join("\n")}' >>
/home/#{user_name}/.ssh/authorized_keys\""
  action :nothing
end

(and don't have the ssh_keys.each_with_index block at all).

On Mon, Jan 26, 2015 at 5:29 PM, Douglas Garstang
<
 >
 wrote:
> I'm having trouble setting up users authorized keys. A cookbook that runs
> earlier in the runlist sets up LDAP. However, due to reasons I don't
> understand, none of that user information is available during the chef run.
> I previously posted about this once before. As a result, I can't simply
> create files and directories and use 'owner' and 'group.
>
> I came up with the below idea. I'm iterating over the ssh keys in a data bag
> and then for each user running a command as this user. That makes PAM do all
> the home directory setup for me. I create the ~/.ssh directory in a similar
> fashion, as the user. All works ok. However, I'm having an issue with adding
> the array of ssh_keys pulled from the data bag to the users authorized keys
> file.
>
> include_recipe "slice-ldap"
> bag = data_bag("ssh-keys")
> for item in bag do
>   user = data_bag_item('ssh-keys', item)
>   user_name = user['id']
>   ssh_keys = user['ssh_keys']
>   execute "create_home_#{user_name}" do
>     command "su - #{user_name} -c \"ls\""
>     creates "/home/#{user_name}"
>     notifies :run, "execute[create_ssh_dir_#{user_name}]", :immediately
>   end
>   execute "create_ssh_dir_#{user_name}" do
>     command "su - #{user_name} -c \"mkdir /home/#{user_name}/.ssh\""
>     notifies :run, "execute[install_public_rsa_#{user_name}]", :immediately
>     creates "/home/#{user_name}/.ssh"
>   end
>   ssh_keys.each_with_index do |k, index|
>     log "k = #{k}"
>     execute "install_public_rsa_#{user_name}" do
>       command "su - #{user_name} -c \"echo '#{k}' >>
> /home/#{user_name}/.ssh/authorized_keys\""
>       action :nothing
>     end
>   end
> end
>
> However, I'm having an issue with adding the array of ssh_keys pulled from
> the data bag to the users authorized keys file. The loop at the end does
> this, but chef also gives me this warning:
>
> ==> default: [2015-01-26T22:23:47+00:00] WARN: Previous
> execute[install_public_rsa_doug]:
> /tmp/vagrant-chef-3/chef-solo-1/cookbooks/slice-ssh-keys/recipes/default.rb:38:in
> `block (2 levels) in from_file'
> ==> default: [2015-01-26T22:23:47+00:00] WARN: Current
> execute[install_public_rsa_doug]:
> /tmp/vagrant-chef-3/chef-solo-1/cookbooks/slice-ssh-keys/recipes/default.rb:38:in
> `block (2 levels) in from_file'
>
>
> Apart from the warning, only the last ssh keys is being added to the
> authorized_keys file. Even though I'm using echo and >>, the last one is not
> there. The log statement shows each key, so I know the loop is iterating
> over both. What gives?
>
> Doug
>