我希望有一个地方为我的用户定义 ssh 密钥。这些用户可以在单个服务器上担任不同的(多个)角色。因此,我将 ssh_authorized_key 定义为虚拟的,然后希望以不同的角色实现它们。示例:
@ssh_authorized_key {
"user_a":
tag => ['deployer', 'developer', 'root'],
key => "xxx",
type => "ssh-dss",
ensure => present;
"user_b":
tag => ['deployer', 'root'],
key => "yyy",
type => "ssh-dss",
ensure => present;
"user_c":
tag => ['root', 'deployer'],
key => 'zzz',
type => "ssh-rsa",
ensure => present;
}
然后实现它们多种的用户单身的节点:
Ssh_authorized_key<| tag == 'root' |> {
user => 'root'
}
Ssh_authorized_key<| tag == 'deployer' |> {
user => 'deployer'
}
但是 puppet 只会为一个用户安装证书。我认为我的解决方案的主要概念是错误的。但我不知道如何为多个用户安装单个证书?
答案1
你说得对,你的解决方案的主要概念是错误的,但我认为它的错误比你想象的要早得多。最好的做法是不是共享帐户;每个用户都应该有一个单独的帐户,并用来sudo执行需要交替权限的任务。如果你诚实地必须共享一个或多个帐户,然后允许您的用户使用,sudo su - ACCOUNT而不必直接以 ACCOUNT 身份登录。例如:
user { 'alice': groups => ['developer', 'deployer', 'root'] # other params... }
ssh_authorized_key { 'alice': #params }
/etc/sudoers然后在您的(也希望由 puppet 管理!)中添加适当的条目:
# deployer group can run the deployment script without a password.
%deployer ALL = NOPASSWD: /usr/local/bin/deploy
# developer group can run commands as 'developer'
%developer ALL = (developer) ALL
# or, if you actually *must* allow them to log in as 'developer'
%developer ALL = /usr/bin/su developer