From db7a9aa9f6f6300f487f25f758758af11bd481bf Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Sun, 1 Feb 2015 16:19:37 -0400
Subject: propellor spin
---
 src/Propellor/Property/Ssh.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/Propellor/Property/Ssh.hs')
diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs
index 9290ea1e..6bbf2b15 100644
--- a/src/Propellor/Property/Ssh.hs
+++ b/src/Propellor/Property/Ssh.hs
@@ -178,7 +178,7 @@ fromKeyType SshDsa = "dsa"
 fromKeyType SshEcdsa = "ecdsa"
 fromKeyType SshEd25519 = "ed25519"
--- | Puts some host's ssh public key(s), as set using 'pubKey',
+-- | Puts some host's ssh public key(s), as set using 'pubKey' or 'hostKey'
 -- into the known_hosts file for a user.
 knownHost :: [Host] -> HostName -> UserName -> Property NoInfo
 knownHost hosts hn user = property desc $
-- 
cgit v1.3-2-g0d8e
From d08c98d8b33cab9c7008ee36ff88950c96af2e38 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Tue, 10 Feb 2015 20:29:04 -0400
Subject: propellor spin
---
 config-joey.hs | 7 +------
 src/Propellor/Property/SiteSpecific/JoeySites.hs | 15 +++++++++++++--
 src/Propellor/Property/Ssh.hs | 18 ++++++++++++++----
 3 files changed, 28 insertions(+), 12 deletions(-)
(limited to 'src/Propellor/Property/Ssh.hs')
diff --git a/config-joey.hs b/config-joey.hs
index 37dea8d7..7fb31f6d 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -236,12 +236,7 @@ diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64"
 & alias "git.joeyh.name"
 & JoeySites.gitServer hosts
- & JoeySites.annexWebSite "/srv/git/downloads.git"
- "downloads.kitenet.net"
- "840760dc-08f0-11e2-8c61-576b7e66acfd"
- [("eubackup", "ssh://eubackup.kitenet.net/~/lib/downloads/")]
- `requires` Ssh.keyImported SshRsa "joey" (Context "downloads.kitenet.net")
- `requires` Ssh.knownHost hosts "eubackup.kitenet.net" "joey"
+ & JoeySites.downloads hosts
 & JoeySites.gitAnnexDistributor
 & JoeySites.annexWebSite "/srv/git/joey/tmp.git"
diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs
index ae71a3ca..114a30d4 100644
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs
+++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs
@@ -68,9 +68,11 @@ oldUseNetServer hosts = propertyList "olduse.net server" $ props
 oldUseNetBackup = Obnam.backup datadir (Cron.Times "33 4 * * *")
 [ "--repository=sftp://2318@usw-s002.rsync.net/~/olduse.net"
 , "--client-name=spool"
+ , "--ssh-key=" ++ keyfile
 ] Obnam.OnlyClient
- `requires` Ssh.keyImported SshRsa "root" (Context "olduse.net")
+ `requires` Ssh.keyImported' (Just keyfile) SshRsa "root" (Context "olduse.net")
 `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root"
+ keyfile = "/root/.ssh/olduse.net.key"
 oldUseNetShellBox :: Property HasInfo
 oldUseNetShellBox = propertyList "olduse.net shellbox" $ props
@@ -140,9 +142,10 @@ gitServer hosts = propertyList "git.kitenet.net setup" $ props
 & Obnam.latestVersion
 & Obnam.backupEncrypted "/srv/git" (Cron.Times "33 3 * * *")
 [ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net"
+ , "--ssh-key=" ++ sshkey
 , "--client-name=wren" -- historical
 ] Obnam.OnlyClient (Gpg.GpgKeyId "1B169BE1")
- `requires` Ssh.keyImported SshRsa "root" (Context "git.kitenet.net")
+ `requires` Ssh.keyImported' (Just sshkey) SshRsa "root" (Context "git.kitenet.net")
 `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root"
 `requires` Ssh.authorizedKeys "family" (Context "git.kitenet.net")
 `requires` User.accountFor "family"
@@ -166,6 +169,7 @@ gitServer hosts = propertyList "git.kitenet.net setup" $ props
 & website "git.joeyh.name"
 & Apache.modEnabled "cgi"
 where
+ sshkey = "/root/.ssh/git.kitenet.net.key"
 website hn = apacheSite hn True
 [ " DocumentRoot /srv/web/git.kitenet.net/"
 , " "
@@ -266,6 +270,13 @@ mainhttpscert True =
 , " SSLCertificateKeyFile /etc/ssl/private/web.pem"
 , " SSLCertificateChainFile /etc/ssl/certs/startssl.pem"
 ]
+
+downloads :: [Host] -> Property HasInfo
+downloads hosts = annexWebSite "/srv/git/downloads.git"
+ "downloads.kitenet.net"
+ "840760dc-08f0-11e2-8c61-576b7e66acfd"
+ [("eubackup", "ssh://eubackup.kitenet.net/~/lib/downloads/")]
+ `requires` Ssh.knownHost hosts "eubackup.kitenet.net" "joey"
 gitAnnexDistributor :: Property HasInfo
 gitAnnexDistributor = combineProperties "git-annex distributor, including rsync server and signer" $ props
diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs
index 6bbf2b15..d9cf9a48 100644
--- a/src/Propellor/Property/Ssh.hs
+++ b/src/Propellor/Property/Ssh.hs
@@ -12,6 +12,7 @@ module Propellor.Property.Ssh (
 pubKey,
 getPubKey,
 keyImported,
+ keyImported',
 knownHost,
 authorizedKeys,
 listenPort
@@ -147,8 +148,15 @@ getPubKey = asks (_sshPubKey . hostInfo)
 -- | Sets up a user with a ssh private key and public key pair from the
 -- PrivData.
+--
+-- If the user already has a private/public key, it is left unchanged.
 keyImported :: IsContext c => SshKeyType -> UserName -> c -> Property HasInfo
-keyImported keytype user context = combineProperties desc
+keyImported = keyImported' Nothing
+
+-- | A file can be speficied to write the key to somewhere other than
+-- usual. Allows a user to have multiple keys for different roles.
+keyImported' :: IsContext c => Maybe FilePath -> SshKeyType -> UserName -> c -> Property HasInfo
+keyImported' dest keytype user context = combineProperties desc
 [ installkey (SshPubKey keytype user) (install writeFile ".pub")
 , installkey (SshPrivKey keytype user) (install writeFileProtected "")
 ]
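Review bot: The new `downloads` property carries only the `Ssh.knownHost` requirement over from the config-joey.hs lines it replaces; the `Ssh.keyImported SshRsa "joey" (Context "downloads.kitenet.net")` requirement that the same commit removes from diatom's property list is not re-added here, so the joey user's key for the eubackup remote is no longer ensured by this property. If that is deliberate because the key is imported by another property on the host, a one-line haddock on `downloads` saying so (e.g. `-- | downloads.kitenet.net site; joey's ssh key for eubackup is imported elsewhere.`) would stop the next reader from re-adding it; otherwise restore it with `` `requires` Ssh.keyImported SshRsa "joey" (Context "downloads.kitenet.net") `` after the existing `requires` line. Either way `downloads` is a new exported top-level property and currently has no haddock at all.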
@@ -168,9 +176,11 @@ keyImported keytype user context = combineProperties desc
 , File.ownerGroup (takeDirectory f) user user
 ]
 )
- keyfile ext = do
- home <- homeDirectory <$> getUserEntryForName user
- return $ home ".ssh" "id_" ++ fromKeyType keytype ++ ext
+ keyfile ext = case dest of
+ Nothing -> do
+ home <- homeDirectory <$> getUserEntryForName user
+ return $ home ".ssh" "id_" ++ fromKeyType keytype ++ ext
+ Just f -> return $ f ++ ext
 fromKeyType :: SshKeyType -> String
 fromKeyType SshRsa = "rsa"
-- 
cgit v1.3-2-g0d8e
From 0119bf8531076265aee3bf99cdf081b8425f0e57 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Tue, 10 Feb 2015 20:56:57 -0400
Subject: propellor spin
---
 src/Propellor/Property/SiteSpecific/JoeySites.hs | 2 +-
 src/Propellor/Property/Ssh.hs | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
(limited to 'src/Propellor/Property/Ssh.hs')
diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs
index 114a30d4..0994a62f 100644
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs
+++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs
@@ -150,7 +150,7 @@ gitServer hosts = propertyList "git.kitenet.net setup" $ props
 `requires` Ssh.authorizedKeys "family" (Context "git.kitenet.net")
 `requires` User.accountFor "family"
 & Apt.installed ["git", "rsync", "gitweb"]
- & Apt.installed ["kgb-client"]
+ & Apt.installed ["kgb-client", "kgb-bot"]
 & Apt.installed ["git-annex"]
 & File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" anyContext
 & Git.daemonRunning "/srv/git"
diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs
index d9cf9a48..fe2794a5 100644
--- a/src/Propellor/Property/Ssh.hs
+++ b/src/Propellor/Property/Ssh.hs
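Review bot: When `dest` is `Just f`, the parent directory of a caller-supplied path is handed to the user by the `File.ownerGroup (takeDirectory f) user user` context line at the top of the hunk (inside the `install` helper, as far as the context shows), which before this change could only ever apply to the user's own `~/.ssh`; a `dest` such as a file under a shared system directory would silently chown that directory to the user. Either state this in the `keyImported'` haddock, e.g. `-- The directory containing the key file is chowned to the user.`, or restrict the chown to the `Nothing` branch. The `Just f -> return $ f ++ ext` branch also accepts a relative path, which is then resolved against propellor's working directory rather than the user's home; the haddock should say an absolute path is expected. The haddock for `keyImported'` added in the preceding hunk has a typo, `speficied` → `specified`. `keyImported'` itself begins before this hunk.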
@@ -161,7 +161,12 @@ keyImported' dest keytype user context = combineProperties desc
 , installkey (SshPrivKey keytype user) (install writeFileProtected "")
 ]
 where
- desc = user ++ " has ssh key (" ++ fromKeyType keytype ++ ")"
+ desc = unwords $ catMaybes
+ [ Just user
+ , Just "has ssh key"
+ , dest
+ , Just $ "(" ++ fromKeyType keytype ++ ")"
+ ]
 installkey p a = withPrivData p context $ \getkey ->
 property desc $ getkey a
 install writer ext key = do
-- 
cgit v1.3-2-g0d8e
From da77276378ecbed7d6434145793bfb209c731b76 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Thu, 12 Feb 2015 12:35:15 -0400
Subject: ssh user perm fixes
* Ssh.authorizedKey: Make the authorized_keys file and .ssh directory be owned by the user, not root.
* Ssh.knownHost: Make the .ssh directory be owned by the user, not root.
---
 config-joey.hs | 2 +-
 debian/changelog | 3 +++
 src/Propellor/Property/SiteSpecific/JoeySites.hs | 1 -
 src/Propellor/Property/Ssh.hs | 12 +++++++++---
 4 files changed, 13 insertions(+), 5 deletions(-)
(limited to 'src/Propellor/Property/Ssh.hs')
diff --git a/config-joey.hs b/config-joey.hs
index f5c593ec..f87db43e 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -127,7 +127,7 @@ orca = standardSystem "orca.kitenet.net" Unstable "amd64"
 -- with propellor.
 kite :: Host
 kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64"
- [ "Welcome to the new kitenet.net server!" ]
+ [ "Welcome to kite!" ]
 & ipv4 "66.228.36.95"
 & ipv6 "2600:3c03::f03c:91ff:fe73:b0d2"
 & alias "kitenet.net"
diff --git a/debian/changelog b/debian/changelog
index ff1cdf1d..a8000c43 100644
--- a/debian/changelog
+++ b/debian/changelog
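Review bot: The new `desc` wraps every fixed element in `Just` only to strip it again with `catMaybes`, which hides that exactly one element is optional; `desc = unwords $ [user, "has ssh key"] ++ maybeToList dest ++ ["(" ++ fromKeyType keytype ++ ")"]` says the same thing directly, and if `catMaybes` comes from `Data.Maybe` here then `maybeToList` is available from the same import. The description now includes the key path whenever `dest` is set, presumably so that two `keyImported'` properties for the same user and key type are distinguishable in propellor's output; a short comment on that line, e.g. `-- dest is included so per-role keys for one user get distinct descriptions`, would record the reason. `keyImported'` begins before this hunk.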
@@ -5,6 +5,9 @@ propellor (2.1.0) UNRELEASED; urgency=medium
 * New Cron.Times data type, which allows Cron.job to install daily/monthly/weekly jobs that anacron can run. (API change)
 * Fix Git.daemonRunning to restart inetd after enabling the git server.
+ * Ssh.authorizedKey: Make the authorized_keys file and .ssh directory
+ be owned by the user, not root.
+ * Ssh.knownHost: Make the .ssh directory be owned by the user, not root.
 -- Joey Hess Thu, 29 Jan 2015 01:41:07 -0400
diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs
index 3d453a8a..9644cb72 100644
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs
+++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs
@@ -330,7 +330,6 @@ twitRss = combineProperties "twitter rss" $ props
 ]
 -- Work around for expired ssl cert.
--- (no longer expired, TODO remove this and change urls)
 pumpRss :: Property NoInfo
 pumpRss = Cron.job "pump rss" (Cron.Times "15 * * * *") "joey" "/srv/web/tmp.kitenet.net/"
 "wget https://pump2rss.com/feed/joeyh@identi.ca.atom -O pump.atom --no-check-certificate 2>/dev/null"
diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs
index fe2794a5..f44688c1 100644
--- a/src/Propellor/Property/Ssh.hs
+++ b/src/Propellor/Property/Ssh.hs
@@ -207,6 +207,7 @@ knownHost hosts hn user = property desc $
 , f `File.containsLines`
 (map (\k -> hn ++ " " ++ k) (M.elems m))
 , File.ownerGroup f user user
+ , File.ownerGroup (takeDirectory f) user user
 ]
 go _ = do
 warningMessage $ "no configred pubKey for " ++ hn
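Review bot: The added `File.ownerGroup (takeDirectory f) user user` manages the owner of the `.ssh` directory but not its mode, so a directory created earlier under a permissive umask keeps whatever permissions it got and is merely chowned; for authorized_keys this matters because sshd's default `StrictModes` refuses the file when `~/.ssh` is group- or world-writable, and a readable `.ssh` exposes the known_hosts and key material it holds. Adding `, File.mode (takeDirectory f) (combineModes [ownerReadMode, ownerWriteMode, ownerExecuteMode])` beside the new line would make the directory's permissions as deterministic as its owner (`ownerExecuteMode` is a `System.Posix.Files` constant like the two modes this file already uses; `combineModes` is already used in `authorizedKey`). The same gap exists in the `authorizedKey` hunk of this commit, which also chowns `takeDirectory f` without setting its mode. `knownHost`, and the `go (Just m)` branch this list belongs to, begin before this hunk.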
@@ -230,12 +231,17 @@ authorizedKeys user context = withPrivData (SshAuthorizedKeys user) context $ \g
 -- | Ensures that a user's authorized_keys contains a line.
 -- Any other lines in the file are preserved as-is.
 authorizedKey :: UserName -> String -> Property NoInfo
-authorizedKey user l = property (user ++ " has autorized_keys line " ++ l) $ do
+authorizedKey user l = property desc $ do
 f <- liftIO $ dotFile "authorized_keys" user
- ensureProperty $
- f `File.containsLine` l
+ ensureProperty $ combineProperties desc
+ [ f `File.containsLine` l
 `requires` File.dirExists (takeDirectory f)
 `onChange` File.mode f (combineModes [ownerWriteMode, ownerReadMode])
+ , File.ownerGroup f user user
+ , File.ownerGroup (takeDirectory f) user user
+ ]
+ where
+ desc = user ++ " has autorized_keys line " ++ l
 -- | Makes the ssh server listen on a given port, in addition to any other
 -- ports it is configured to listen on.
-- 
cgit v1.3-2-g0d8e
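Review bot: The two new `File.ownerGroup` entries run on every pass, but `File.mode f (combineModes [ownerWriteMode, ownerReadMode])` is still hung off the `containsLine` property via `onChange`, so an authorized_keys file that already contains the line but has loose permissions gets its owner corrected and its mode left alone — the opposite of what the commit title promises for the file. Now that the body is a `combineProperties` list, the mode fits as an ordinary element: drop the `` `onChange` `` clause and add `, File.mode f (combineModes [ownerWriteMode, ownerReadMode])` after the `containsLine` entry, so the file is checked on every run rather than only when a line is added. The description moved into `where` keeps the typo `autorized_keys`; spelling it `authorized_keys` changes only what propellor prints.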