Verified Commit faf86c22 authored by Adam Lewenberg's avatar Adam Lewenberg
Browse files

change how authorized_keys parameter in ssh is used

parent 00d4613e
......@@ -23,7 +23,7 @@ release/005.007 (unreleased)
[ssh] Add the parameter $pubkey to the ssh class to allow ssh key-pair
logins (this way you do not have to do class inheritance). Also add a
parameter to allow root users to login using ssh key-pairs. Both of
these parameters are set to false by default. [adamhl]
these parameters are set to have no effect by default. [adamhl]
release/005.006 (2017-02-16)
......@@ -22,18 +22,23 @@
# server.
# Default: false
# $allow_pubkey_for_root: set to true if you want to allow root logins
# using ssh key-pairs. This is especially useful for Kerberos KDCs that
# $root_authorized_keys: Set this to a Puppet template URL to
# instantiate that file as /root/.ssh/authorized_keys.
# This is especially useful for Kerberos KDCs that
# are not clients of the production KDC. Use with caution.
# If you set this to true you should also set $pubkey to true.
# Default: false
# Example:
# root_authorized_keys => template('mymodule/root/.ssh/authorized_keys.erb'),
# Default: undef
class base::ssh(
$pam_afs = true,
$pam_duo = false,
$pam_slurm = false,
$pubkey = false,
$allow_pubkey_for_root = false,
$root_authorized_keys = undef,
$filter_sunetids = [],
......@@ -110,7 +115,12 @@ class base::ssh(
notify => Service['ssh'],
if (! $allow_pubkey_for_root) {
if ($root_authorized_keys) {
file { '/root/.ssh/authorized_keys':
ensure => present,
content => $root_authorized_keys,
} else {
# Make sure public key authentication to root does not work and clean up
# after the authorized_keys file generated during the build process. Some
# clients (HPC) will need to override this (for GPFS, for example).
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment