I want to have one place where I have defined ssh keys for my users. These users can be in different (multiple) roles on a single server. So I defined ssh_authorized_key as virtual and then wanted to realize them in different roles. Example:
    @ssh_authorized_key {
      "user_a":
        tag    => ['deployer', 'developer', 'root'],
        key    => "xxx",
        type   => "ssh-dss",
        ensure => present;
      "user_b":
        tag    => ['deployer', 'root'],
        key    => "yyy",
        type   => "ssh-dss",
        ensure => present;
      "user_c":
        tag    => ['root', 'deployer'],
        key    => 'zzz',
        type   => "ssh-rsa",
        ensure => present;
    }
And then realize them for multiple users on a single node:
    Ssh_authorized_key<| tag == 'root' |> {
      user => 'root'
    }
    Ssh_authorized_key<| tag == 'deployer' |> {
      user => 'deployer'
    }
But puppet will install the certificates only for one user. I think that the main concept of my solution is wrong, but I can't figure out how to install a single certificate for multiple users.
You are correct that the main concept of your solution is wrong, but I think it is wrong far earlier than you suspect. The best practice is to not share accounts; each user should have an individual account and use sudo to perform tasks that require alternate privileges. If you honestly must share one or more accounts, then allow your users to sudo su - ACCOUNT instead of logging in directly as ACCOUNT. For example:
Then add appropriate entries in your /etc/sudoers (also hopefully managed by puppet!):
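One way to lay out the individual-accounts approach in Puppet, as an added example that is not part of the original answer. The group name deployers, the sudoers drop-in path, the /bin/su location and the key strings are assumptions or placeholders, not values from the page.

```puppet
# Constructed sample data: one personal key per person, never installed
# into the shared account's authorized_keys.
$people = {
  'user_a' => { 'type' => 'ssh-rsa', 'key' => 'PLACEHOLDER_KEY_A' },
  'user_b' => { 'type' => 'ssh-rsa', 'key' => 'PLACEHOLDER_KEY_B' },
}

# Hypothetical group whose members may switch to the shared account.
group { 'deployers':
  ensure => present,
}

$people.each |String $login, Hash $k| {
  # Each person logs in as themselves, so sshd and sudo logs name a real user.
  user { $login:
    ensure     => present,
    groups     => ['deployers'],
    membership => minimum,
    managehome => true,
    require    => Group['deployers'],
  }

  # Resource titles must be unique, so the title carries the login name.
  ssh_authorized_key { "${login}-personal":
    ensure => present,
    user   => $login,
    type   => $k['type'],
    key    => $k['key'],
  }
}

# Allow only "sudo su - deployer", nothing broader. The path to su is an
# assumption; adjust it to the target distribution.
file { '/etc/sudoers.d/10-deployers':
  ensure       => file,
  owner        => 'root',
  group        => 'root',
  mode         => '0440',
  content      => "%deployers ALL=(root) /bin/su - deployer\n",
  # Refuse to install a drop-in that visudo cannot parse.
  validate_cmd => '/usr/sbin/visudo -cf %',
}
```

Removing a person then means removing one entry from the hash, and the shared account's authorized_keys never has to change.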