Setting up users and securing my server.
Last night I got the server upgraded to Ubuntu 10.04 and installed puppet. The first and only recipe we've got is one to make sure our sudoers file has the proper permissions. Tonight I'm hoping to:
- Add myself a user
- Automatically create me an ssh key
- Prevent root from logging in via ssh
- Prevent users from logging in other than with a key.
- It would be nice to be able to email me my key since I don't run puppet on my mac, though I may be convinced to go down that route if it proves too difficult.

Create the users module
We're going to do this pretty much straight out of the puppet best practice guide. The first thing we'll do is flesh out our users module.

    # cd /etc/puppet
    # mkdir -p modules/user/manifests

Then create a virtual users file:

modules/user/manifests/virtual.pp

    # virtual.pp
    #
    # People accounts of interest as virtual resources
    class user::virtual {
        @user { "andrewmccall":
            ensure  => "present",
            uid     => "1001",
            gid     => "1001",
            comment => "Andrew McCall",
            home    => "/home/andrewmccall",
            shell   => "/bin/bash",
        }
    }

Next let's move me from a virtual user to an actual user

modules/user/manifests/unixadmins.pp

    # unixadmins.pp
    #
    # Realize the members of the Unix team and include any contractors
    class user::unixadmins inherits user::virtual {
        # Realize our team members
        realize(
            User["andrewmccall"]
        )
    }

Next we need to create an init.pp for the module.

modules/user/manifests/init.pp

    import "*"
    class user {
        include user::virtual, user::unixadmins
    }

Now we need to go back and update the site.pp - at this stage I also add a node.pp below to manage individual hosts.

manifests/site.pp

    # site.pp
    import "nodes"
    Exec { path => "/usr/bin:/usr/sbin/:/bin:/sbin" }

manifests/nodes.pp

    # nodes.pp
    node default {
        include sudo, user
    }

Once I got that all set up I ran puppet from the command line:

    # puppet -v --modulepath=/etc/puppet/modules /etc/puppet/manifests/site.pp

And I got an error:

    info: Autoloaded module sudo
    info: Autoloaded module user
    info: Applying configuration version '1281041300'
    err: //user::virtual/User[andrewmccall]/ensure: change from absent to present failed: Could not create user andrewmccall: Execution of '/usr/sbin/useradd -u 1001 -g 1001 -s /bin/bash -c Andrew McCall -d /home/andrewmccall andrewmccall' returned 6: useradd: group '1001' does not exist

Unfortunately I'm going to have to leave it at that for the night, see you tomorrow.
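
The useradd failure shown in this post comes from gid 1001 having no matching group on the host. As an added example (not from the original post), one way to resolve it is to declare the group as a virtual resource next to the user and realize both; the group name andrewmccall is an assumption, the uid and gid are the ones from the manifest above.

```puppet
# modules/user/manifests/virtual.pp (revised, added example)
class user::virtual {
    # Primary group for the account. Naming the group after the user is an
    # assumption; the gid is the one the original user resource refers to.
    @group { "andrewmccall":
        ensure => "present",
        gid    => "1001",
    }

    @user { "andrewmccall":
        ensure  => "present",
        uid     => "1001",
        gid     => "1001",
        comment => "Andrew McCall",
        home    => "/home/andrewmccall",
        shell   => "/bin/bash",
        # Order the group before the user so that useradd -g 1001 finds it.
        require => Group["andrewmccall"],
    }
}

# modules/user/manifests/unixadmins.pp (revised, added example)
class user::unixadmins inherits user::virtual {
    # Realize the group together with the user: a virtual resource that is
    # never realized is not applied to the host.
    realize(
        Group["andrewmccall"],
        User["andrewmccall"]
    )
}
```

Managing the group explicitly also keeps the gid stable across hosts, which matters once file ownership or sudoers rules refer to it.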