[chef] Re: Creating authorized_keys for LDAP users.

[Lamont Granquist < >]

On 1/26/15 2:29 PM, Douglas Garstang wrote:

" type="cite">

I'm having trouble setting up users authorized keys. A cookbook that runs earlier in the runlist sets up LDAP. However, due to reasons I don't understand, none of that user information is available during the chef run. I previously posted about this once before. As a result, I can't simply create files and directories and use 'owner' and 'group.

I came up with the below idea. I'm iterating over the ssh keys in a data bag and then for each user running a command as this user. That makes PAM do all the home directory setup for me. I create the ~/.ssh directory in a similar fashion, as the user. All works ok. However, I'm having an issue with adding the array of ssh_keys pulled from the data bag to the users authorized keys file.

include_recipe "slice-ldap"
bag = data_bag("ssh-keys")
for item in bag do
  user = data_bag_item('ssh-keys', item)
  user_name = user['id']
  ssh_keys = user['ssh_keys']
  execute "create_home_#{user_name}" do
    command "su - #{user_name} -c \"ls\""
    creates "/home/#{user_name}"
    notifies :run, "execute[create_ssh_dir_#{user_name}]", :immediately
  end
  execute "create_ssh_dir_#{user_name}" do
    command "su - #{user_name} -c \"mkdir /home/#{user_name}/.ssh\""
    notifies :run, "execute[install_public_rsa_#{user_name}]", :immediately
    creates "/home/#{user_name}/.ssh"
  end
  ssh_keys.each_with_index do |k, index|
    log "k = #{k}"
    execute "install_public_rsa_#{user_name}" do
      command "su - #{user_name} -c \"echo '#{k}' >> /home/#{user_name}/.ssh/authorized_keys\""
      action :nothing
    end
  end
end

However, I'm having an issue with adding the array of ssh_keys pulled from the data bag to the users authorized keys file. The loop at the end does this, but chef also gives me this warning:

==> default: [2015-01-26T22:23:47+00:00] WARN: Previous execute[install_public_rsa_doug]: /tmp/vagrant-chef-3/chef-solo-1/cookbooks/slice-ssh-keys/recipes/default.rb:38:in `block (2 levels) in from_file'
==> default: [2015-01-26T22:23:47+00:00] WARN: Current  execute[install_public_rsa_doug]: /tmp/vagrant-chef-3/chef-solo-1/cookbooks/slice-ssh-keys/recipes/default.rb:38:in `block (2 levels) in from_file'

Apart from the warning, only the last ssh keys is being added to the authorized_keys file. Even though I'm using echo and >>, the last one is not there. The log statement shows each key, so I know the loop is iterating over both. What gives?

Doug

Yeah the warning is trying to tell you the problem.  You're defining multiple resources called `execute[install_public_rsa_doug]` and the resource collection and the way notifies and subscribes is implemented requires unique names.  So you're getting resource cloning and you're only notifying one of those blocks.  You could add the index to then name and then subscribe to the previous resources:

  ssh_keys.each_with_index do |k, index|
    log "k = #{k}"
    execute "install_public_rsa_#{user_name}_#{index}" do
      command "su - #{user_name} -c \"echo '#{k}' >> /home/#{user_name}/.ssh/authorized_keys\""
      subscribes :run, "execute[#{create_ssh_dir_#{user_name}]"
      subscribes :run, "execute[#{create_home_#{user_name}]"
      action :nothing
    end
  end

You'll be way better off just doing this though:

file "/home/#{user_name}" do
  owner user_name
  group user_name  # or "users" or whatever
  mode "0600"
end

file "/home/#{user_name}/.ssh" do
  owner user_name
  group user_name
  mode "0600"
end

file "/home/#{user_name}/.ssh/authorized_keys" do
  owner user_name
  group user_name
  mode "0600"
  content ssh_keys.join("\n")
end

That's idempotent, you don't need the action :nothing or any notifications or subscriptions, you can push new keys out and it'll correctly update, gets the job done with fewer resources, etc.  Similarly executing to su is a huge antipattern, so you can replace the rest of that.