puppet-module-root

Table of Contents

  1. Overview

  2. Usage - Configuration options

  3. Reference - Parameter and detailed reference to all options

Overview

This module manages the Linux root user.

This module has soft dependencies on the following modules:

Usage

root

include root

Manage root: define mailaliases and ssh_authorized_keys, and set a password.

root::mailaliases:
  - 'root@example.com'
root::password: '$1$Bp8B.dWo$DUVekjsAsU0ttWZmS37P5'
root::ssh_authorized_keys:
  - 'ssh-rsa somelonghash== user@fqdn'

Authorized keys can also be set using a hash.

root::ssh_authorized_keys:
  user@fqdn:
    type: 'ssh-rsa'
    key: 'somelonghash=='

If you wish to merge authorized keys from multiple locations:

lookup_options:
  root::mailaliases:
    merge: unique
  root::ssh_authorized_keys:
    merge: deep
root::mailaliases:
  - 'root@example.com'
root::ssh_authorized_keys:
  user@fqdn:
    type: 'ssh-rsa'
    key: 'somelonghash=='
# Some other Hiera location:
root::mailaliases:
  - 'root@example2.com'
root::ssh_authorized_keys:
  user2@fqdn:
    type: 'ssh-rsa'
    key: 'somelonghash=='

If you define resources such as root::ssh_authorized_keys as arrays, use the unique merge strategy instead of deep.
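An added example, not part of this module: a small lint for merged Hiera data that flags a root::password whose crypt prefix is a weak scheme (the `$1$` prefix in the root::password example is MD5-crypt) and normalizes both ssh_authorized_keys forms to catch the same key material under two names. The function names, the WEAK/STRONG sets and the SAMPLE data are assumptions constructed for this illustration.

```python
import re

# crypt(3) scheme ids as they appear between the first two '$' of a shadow hash.
WEAK = {"1": "MD5-crypt", "md5": "SunMD5", "3": "NT hash"}
STRONG = {"5", "6", "y", "2a", "2b", "2y", "7"}  # SHA-256/512-crypt, yescrypt, bcrypt, scrypt

def password_finding(value):
    """Return None for a strong modular crypt hash, otherwise a finding string."""
    m = re.match(r"\$([A-Za-z0-9]+)\$", value)
    if not m:
        return "root::password is not a modular crypt hash (plaintext or legacy DES?)"
    scheme = m.group(1)
    if scheme in STRONG:
        return None
    return f"root::password uses ${scheme}$ ({WEAK.get(scheme, 'unrecognised scheme')})"

def normalize_keys(value):
    """Turn the array form or the hash form into (name, type, key) tuples."""
    if isinstance(value, dict):
        return [(name, v["type"], v["key"]) for name, v in value.items()]
    entries = []
    for line in value:
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed authorized key entry: {line!r}")
        # Assumes no options field before the key type, as in the page's example.
        entries.append((parts[2] if len(parts) > 2 else "", parts[0], parts[1]))
    return entries

def audit(data):
    """Return a list of findings for one merged Hiera data set (a plain dict)."""
    findings, seen = [], {}
    pw = data.get("root::password")
    if pw is not None and (finding := password_finding(pw)):
        findings.append(finding)
    for name, _ktype, key in normalize_keys(data.get("root::ssh_authorized_keys", [])):
        if key in seen:
            findings.append(f"key material for {name!r} duplicates {seen[key]!r}")
        seen.setdefault(key, name)
    return findings

# Constructed sample mirroring the page's placeholders, not real credentials.
SAMPLE = {"root::password": "$1$Bp8B.dWo$DUVekjsAsU0ttWZmS37P5",
          "root::ssh_authorized_keys": {
              "user@fqdn": {"type": "ssh-rsa", "key": "somelonghash=="},
              "user2@fqdn": {"type": "ssh-rsa", "key": "somelonghash=="}}}

print("\n".join(audit(SAMPLE)))
```

A hash keyed by name keeps both entries after a deep merge even when the key material is identical, which is why the duplicate check compares the key field rather than the name.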

To export a system's root RSA key:

root::export_key: true

To generate and export a different root SSH key:

root::generate_key_type: ecdsa-sk
root::export_key_type: "%{lookup('root::generate_key_type')}"

To collect exported root RSA keys from multiple tags:

root::collect_exported_keys: true
root::collect_exported_keys_tags:
  - "%{facts.domain}"
  - 'foo'

Add Kerberos principals to /root/.k5login:

root::kerberos_login_principals:
  - user1@EXAMPLE.COM
  - user2@EXAMPLE.COM

Add Kerberos principals and commands to /root/.k5users. Note that user3 and user4 will not have commands defined. The examples also illustrate defining commands as strings or arrays.

root::kerberos_users_commands:
  user1@EXAMPLE.COM:
    - /bin/systemctl
    - /bin/cat
  user2@EXAMPLE.COM: /bin/systemctl /bin/cat
  user3@EXAMPLE.COM: ''
  user4@EXAMPLE.COM: []

If a different module manages Kerberos for root, disable Kerberos in this module:

root::manage_kerberos: false

Set an automatic logout for idle interactive shells (in seconds):

root::logout_timeout: 600

Reference

treydock.github.io/puppet-module-root/