change how authorized_keys parameter in ssh is used

NEWS

@@ -23,7 +23,7 @@ release/005.007 (unreleased)
     [ssh] Add the parameter $pubkey to the ssh class to allow ssh key-pair
     logins (this way you do not have to do class inheritance). Also add a
     parameter to allow root users to login using ssh key-pairs. Both of
-    these parameters are set to false by default. [adamhl]
+    these parameters are set to have no effect by default. [adamhl]
 
 release/005.006 (2017-02-16)
 

manifests/ssh.pp

@@ -22,18 +22,23 @@
 # server.
 # Default: false
 
-# $allow_pubkey_for_root: set to true if you want to allow root logins
-# using ssh key-pairs. This is especially useful for Kerberos KDCs that
+# $root_authorized_keys: Set this to a Puppet template URL to
+# instantiate that file as /root/.ssh/authorized_keys.
+# This is especially useful for Kerberos KDCs that
 # are not clients of the production KDC. Use with caution.
 # If you set this to true you should also set $pubkey to true.
-# Default: false
+#
+# Example:
+#    root_authorized_keys => template('mymodule/root/.ssh/authorized_keys.erb'),
+#
+# Default: undef
 
 class base::ssh(
   $pam_afs               = true,
   $pam_duo               = false,
   $pam_slurm             = false,
   $pubkey                = false,
-  $allow_pubkey_for_root = false,
+  $root_authorized_keys  = undef,
   $filter_sunetids       = [],
 ){
 
@@ -110,7 +115,12 @@ class base::ssh(
     notify  => Service['ssh'],
   }
 
-  if (! $allow_pubkey_for_root) {
+  if ($root_authorized_keys) {
+    file { '/root/.ssh/authorized_keys':
+      ensure => present,
+      content => $root_authorized_keys,
+    }
+  } else {
     # Make sure public key authentication to root does not work and clean up
     # after the authorized_keys file generated during the build process.  Some
     # clients (HPC) will need to override this (for GPFS, for example).