A sensible approach to access control for servers is to use named user accounts with passphrase-protected SSH keys, rather than having users share an account with a widely known password. Puppet makes this easy to manage thanks to the built-in ssh_authorized_key type.
To combine this with virtual users, as described in the previous section, you can create a define that includes both user and ssh_authorized_key. This will also come in handy when adding customization files and other resources to each user.
Follow these steps to extend your virtual users' class to include SSH access:
- Create a new ssh_user module to contain our ssh_user definition. Create the modules/ssh_user/manifests/init.pp file as follows:
```puppet
define ssh_user(
  String $key,
  Enum['ssh-rsa','ssh-ed25519'] $keytype
) {
  user { $name:
    ensure => present,
  }
  file { "/home/${name}":
    ensure => directory,
    mode   => '0700',
    owner  => $name,
    require ...
```
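The complete pattern these steps build toward, as an added example rather than the book's own listing: an ssh_user define that also manages ~/.ssh and the ssh_authorized_key resource, declared as a virtual resource and realized on one node. The user name alice, the placeholder key string and the class names user::virtual and user::webserver are assumptions.

```puppet
# Added example (not the book's listing): a complete ssh_user define that
# creates the account, its home directory, ~/.ssh and the authorized key.
define ssh_user(
  String                        $key,
  Enum['ssh-rsa','ssh-ed25519'] $keytype
) {
  user { $name:
    ensure => present,
  }
  # Home and .ssh must be 0700 and owned by the user; with sshd's default
  # StrictModes, looser permissions make sshd ignore authorized_keys.
  # File resources autorequire their parent directory, so ordering is safe.
  file { ["/home/${name}", "/home/${name}/.ssh"]:
    ensure  => directory,
    mode    => '0700',
    owner   => $name,
    require => User[$name],
  }
  ssh_authorized_key { "${name}_key":
    ensure  => present,
    user    => $name,
    type    => $keytype,
    key     => $key,   # base64 key body only: no type prefix, no comment
    require => File["/home/${name}/.ssh"],
  }
}

# Assumed class: declare every user virtually so all nodes share one list,
# but no account exists on a node until it is explicitly realized.
class user::virtual {
  @ssh_user { 'alice':
    key     => 'AAAAC3NzaC1lZDI1NTE5AAAA_PLACEHOLDER_KEY',  # constructed placeholder
    keytype => 'ssh-ed25519',
  }
}

# Assumed node class: realize only the accounts this host should accept,
# which keeps SSH access per-person and per-role with no shared password.
class user::webserver {
  include user::virtual
  realize(Ssh_user['alice'])
}
```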