From 52d4c0be9c189ddcbd5ea4cf74e03f3319cff4bb Mon Sep 17 00:00:00 2001
From: vishalnayak
Date: Thu, 13 Aug 2015 17:07:43 -0700
Subject: [PATCH] Vault SSH: Install script is optional now. Default script will be for Linux host.

---
 builtin/logical/ssh/linux_install_script.go | 42 +++++++++++++++++++++
 builtin/logical/ssh/path_roles.go | 4 +-
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 builtin/logical/ssh/linux_install_script.go

diff --git a/builtin/logical/ssh/linux_install_script.go b/builtin/logical/ssh/linux_install_script.go
new file mode 100644
index 0000000000..97d0ba4e65
--- /dev/null
+++ b/builtin/logical/ssh/linux_install_script.go
@@ -0,0 +1,42 @@
+package ssh
+
+const (
+	LinuxInstallScript = `
+#!/bin/bash
+#
+# This script file installs or uninstalls an RSA public key to/from authoried_keys
+# file in a typical linux machine. This script should be registered with vault
+# server while creating a role for key type 'dynamic'.
+#
+# Vault server runs this script on the target machine with the following params:
+#
+# $1: "install" or "uninstall"
+#
+# $2: File name containing public key to be installed. Vault server uses UUID
+# as file name to avoid collisions with public keys generated for requests.
+#
+# $3: Absolute path of the authorized_keys file.
+#
+# [Note: Modify the script if targt machine does not have the commands used in
+# this script]
+
+if [ $1 != "install" && $1 != "uninstall" ]; then
+	exit 1
+fi
+
+# If the key being installed is already present in the authorized_keys file, it is
+# removed and the result is stored in a temporary file.
+grep -vFf $2 $3 > temp_$2
+
+# Contents of temporary file will be the contents of authorized_keys file.
+cat temp_$2 | sudo tee $3
+
+if [ $1 == "install" ]; then
+# New public key is appended to authorized_keys file
+cat $2 | sudo tee --append $3
+fi
+
+# Auxiliary files are deleted
+rm -f $2 temp_$2
+`
+)
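Review bot: The argument check at `if [ $1 != "install" && $1 != "uninstall" ]` never rejects anything: `&&` is a shell list operator, not a `[` operator, so the line runs as `[ $1 != "install"` (which fails on the missing `]`) followed by a second command, the `exit 1` branch is unreachable, and any first argument falls through to the rewrite below. The rewrite itself has no error handling: with `grep -vFf $2 $3 > temp_$2` followed by `cat temp_$2 | sudo tee $3`, a grep failure (missing `$2`, unreadable `$3`, or an argument containing whitespace, since nothing is quoted) leaves `temp_$2` empty and `tee` then truncates the target's authorized_keys to nothing, locking every existing key out; the temp file is also dropped into whatever the working directory is rather than a private temp location. The version below fixes the guard, quotes all arguments, builds the new contents in a `mktemp` file and only then writes to `$3`, and removes the key file and temp file on every exit path via `trap`; it uses `$(...)` rather than backtick command substitution because the script lives inside the Go raw string `LinuxInstallScript`, where a backtick would terminate the literal. The header comments' `authoried_keys` and `targt` are typos worth fixing at the same time.
```shell
#!/bin/bash
# … unchanged: header comments describing $1, $2, $3 …
set -euo pipefail

if [ "$1" != "install" ] && [ "$1" != "uninstall" ]; then
	exit 1
fi

# Build the new contents in a private temp file first; any failure aborts
# before the real authorized_keys file is touched, so it cannot be emptied.
tmp="$(mktemp)"
trap 'rm -f "$2" "$tmp"' EXIT

if [ -f "$3" ]; then
	# grep exits 1 when every line was filtered out; that is not an error here.
	grep -vFf "$2" "$3" > "$tmp" || [ "$?" -eq 1 ]
fi

if [ "$1" == "install" ]; then
	cat "$2" >> "$tmp"
fi

sudo tee "$3" < "$tmp" > /dev/null
```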
diff --git a/builtin/logical/ssh/path_roles.go b/builtin/logical/ssh/path_roles.go
index ec7ad920cb..067d432a43 100644
--- a/builtin/logical/ssh/path_roles.go
+++ b/builtin/logical/ssh/path_roles.go
@@ -185,7 +185,9 @@ func (b *backend) pathRoleWrite(req *logical.Request, d *framework.FieldData) (*
 	installScript := d.Get("install_script").(string)
 	if installScript == "" {
-		return logical.ErrorResponse("Missing install script"), nil
+		// Setting the default script here. The script will install the generated public key in
+		// the authorized_keys file of linux host.
+		installScript = LinuxInstallScript
 	}
 	adminUser := d.Get("admin_user").(string)