System Users & SSH accces configuration¶

Pass generation¶

>>> import crypt;print crypt.crypt('secret', '$6$SALTsalt$')

SSH¶

To allow users to connect as root we define in pillar an entry which ties # ssh keys container in the ‘keys’ mapping to the near by ‘users’ mapping. See makina-states.services.base.ssh.

makina-states.localsettings.users.toto: []
makina-states.localsettings.users.root:
    home: /users/root (opt)
    admin: true (opt)
    ssh_keys: ['kiorky.pub', 'salt://foo.pub']

salt://files/ssh/kiorky.pub && salt://foo.pub will be authorized in root’s authorized ssh keys
This will also create root as an admin if not existing
This will also create a standard user named ‘toto’
As you guessed, if you do not specify an url, the keys are looked in salt://files/ssh.

It will uses the makina-states.localsettings.users state registry configuration items.

Other settings:

makina-states.localsettings.admin.sudoers

sudoers list

makina-states.localsettings.admin.sysadmins_keys

ssh keyfiles to drop from saltmaster

makina-states.localsettings.admin.sysadmin_password

global sysadmin password hash

makina-states.localsettings.admin.root_password

root password hash (default to sysadmin if unset

makina-states.localsettings.admin.absent_ssh_keys

ssh keyfiles mappings to disable from auth (all users)

makina-states.localsettings.admin.sudoers: [joe]
makina-states.localsettings.admin.password: s3cret
makina-states.localsettings.admin.absent_ssh_keys:
    AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr: {}
    AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr:
        enc: ssh-rsa
makina-states.localsettings.admin.sysadmin_keys:
    - foo.pub
    - salt://foofoo.pub

If no root or sysadmin password, no changes to the system You have also a macro providen in this state to easily create users.