diff --git a/src/Propellor/Property/OS.hs b/src/Propellor/Property/OS.hs
index ed9a31e..3290f3b 100644
--- a/src/Propellor/Property/OS.hs
+++ b/src/Propellor/Property/OS.hs
@@ -13,10 +13,9 @@ import Propellor
 import qualified Propellor.Property.Chroot as Chroot
 import qualified Propellor.Property.Debootstrap as Debootstrap
 import qualified Propellor.Property.File as File
+import qualified Propellor.Property.Ssh as Ssh
 import Utility.FileMode
-import Utility.PosixFiles
-
 -- | Replaces whatever OS was installed before with a clean installation
 -- of the OS that the Host is configured to have.
 --
@@ -95,15 +94,10 @@ rootSshAuthorized :: Property
 rootSshAuthorized = check (doesDirectoryExist oldloc) $
 property (newloc ++ " copied from old OS") $ do
 ks <- liftIO $ lines <$> readFile oldloc
-ensureProperty $
-newloc `File.containsLines` ks
-`requires` File.dirExists (takeDirectory newloc)
-`onChange` File.mode newloc mode
+ensureProperties (map (Ssh.authorizedKey "root") ks)
 where
 newloc = "/root/.ssh/authorized_keys"
 oldloc = oldOsDir ++ newloc
--- ssh requires the file mode be locked down
-mode = combineModes [ownerWriteMode, ownerReadMode]
 
 -- Installs an appropriate kernel from the OS distribution.
 kernelInstalled :: Property
diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs
index 4ecdf23..5d326b8 100644
--- a/src/Propellor/Property/Ssh.hs
+++ b/src/Propellor/Property/Ssh.hs
@@ -3,6 +3,7 @@ module Propellor.Property.Ssh (
 permitRootLogin,
 passwordAuthentication,
 hasAuthorizedKeys,
+authorizedKey,
 restarted,
 randomHostKeys,
 hostKeys,
@@ -155,6 +156,8 @@ knownHost hosts hn user = property desc $
 return FailedChange
 
 -- | Makes a user have authorized_keys from the PrivData
+--
+-- This removes any other lines from the file.
 authorizedKeys :: UserName -> Context -> Property
 authorizedKeys user context = withPrivData (SshAuthorizedKeys user) context $ \get ->
 property (user ++ " has authorized_keys") $ get $ \v -> do
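Review bot: `ensureProperties (map (Ssh.authorizedKey "root") ks)` hands every line of the old file to Ssh.authorizedKey, including blank lines and any `#` comment lines, so each of those becomes its own property (with the line verbatim in its description) and a blank line becomes an `authorized_keys` entry of its own. Filtering first, e.g. `ks <- liftIO $ filter (not . null) . lines <$> readFile oldloc`, keeps the copied file and propellor's output tidy. The old inline comment explaining why the mode is locked down was dropped here; a one-line note such as `-- Ssh.authorizedKey locks down the file mode, as sshd requires` would preserve that rationale for the next reader.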
@@ -167,6 +170,16 @@ authorizedKeys user context = withPrivData (SshAuthorizedKeys user) context $ \g
 , File.ownerGroup (takeDirectory f) user user
 ]
 
+-- | Ensures that a user's authorized_keys contains a line.
+-- Any other lines in the file are preserved as-is.
+authorizedKey :: UserName -> String -> Property
+authorizedKey user l = property (user ++ " has autorized_keys line " ++ l) $ do
+f <- liftIO $ dotFile "authorized_keys" user
+ensureProperty $
+f `File.containsLine` l
+`requires` File.dirExists (takeDirectory f)
+`onChange` File.mode f (combineModes [ownerWriteMode, ownerReadMode])
+
 -- | Makes the ssh server listen on a given port, in addition to any other
 -- ports it is configured to listen on.
 --
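Review bot: The property description on the `authorizedKey user l = property (...)` line misspells the file name; `" has autorized_keys line "` should be `" has authorized_keys line "`, and as written the description also embeds the entire key line, so each key's public material and comment is echoed in every run's output. A shorter description such as `property (user ++ " has authorized_keys line")` keeps the log compact. Note also that `File.mode` is attached with `onChange`, so a file that already contains the line but has loose permissions is left as-is; the line could carry a comment making that explicit, e.g. `-- mode is only tightened when the line is added; sshd's StrictModes refuses a file writable by others`.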