Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'treydock-root', '6.1.0'
puppet-module-root
Overview
This module manages the Linux root user.
This module has soft dependencies on the following modules:
Usage
root
include root
Manage root, define mailaliases and ssh_authorized_keys, and set a password:
root::mailaliases:
- 'root@example.com'
root::password: '$1$Bp8B.dWo$DUVekjsAsU0ttWZmS37P5'
root::ssh_authorized_keys:
- 'ssh-rsa somelonghash== user@fqdn'
Authorized keys can also be set using a hash.
root::ssh_authorized_keys:
  user@fqdn:
    type: 'ssh-rsa'
    key: 'somelonghash=='
If you wish to merge authorized keys from multiple locations:
lookup_options:
  root::mailaliases:
    merge: unique
  root::ssh_authorized_keys:
    merge: deep
root::mailaliases:
  - 'root@example.com'
root::ssh_authorized_keys:
  user@fqdn:
    type: 'ssh-rsa'
    key: 'somelonghash=='
# Some other Hiera location:
root::mailaliases:
  - 'root@example2.com'
root::ssh_authorized_keys:
  user2@fqdn:
    type: 'ssh-rsa'
    key: 'somelonghash=='
If you use Arrays for resources like root::ssh_authorized_keys, use the unique merge instead of deep.
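The merge behaviour the lookup_options example above depends on, as an added example in plain Python (not the module's own code): Hiera's unique merge for arrays, deep merge for hashes, and the two accepted shapes of root::ssh_authorized_keys. The two Hiera layers are constructed sample data, and the split of the string form into type, key and comment is an assumption that mirrors the title form shown in the reference below.

```python
# Added example (not the treydock-root module's code): Hiera `unique` and `deep`
# merges plus the two accepted shapes of root::ssh_authorized_keys, in plain Python.
# Constructed sample Hiera layers, highest priority first (as in the README example).
HIERA_LAYERS = [
    {"root::mailaliases": ["root@example.com"],                       # e.g. node-level data
     "root::ssh_authorized_keys": {"user@fqdn": {"type": "ssh-rsa", "key": "somelonghash=="}}},
    {"root::mailaliases": ["root@example2.com", "root@example.com"],  # e.g. common.yaml, repeats one alias
     "root::ssh_authorized_keys": {"user2@fqdn": {"type": "ssh-rsa", "key": "somelonghash=="}}},
]

def unique_merge(values):
    """Hiera `unique`: flatten the arrays from every layer, drop duplicates, keep order."""
    seen, merged = set(), []
    for value in values:
        for item in (value if isinstance(value, list) else [value]):
            if item not in seen:
                seen.add(item)
                merged.append(item)
    return merged

def deep_merge(values):
    """Hiera `deep` for hashes: merge keys recursively, higher-priority layer wins on conflicts.
    Assumption: only hash values are modelled; arrays should use `unique`, as the README says."""
    merged = {}
    for layer in reversed(values):  # lowest priority first, so later (higher) layers override
        for key, value in layer.items():
            if isinstance(value, dict) and isinstance(merged.get(key), dict):
                merged[key] = deep_merge([value, merged[key]])
            else:
                merged[key] = value
    return merged

def lookup(key, merge):
    """Resolve `key` across all layers with the given merge strategy."""
    values = [layer[key] for layer in HIERA_LAYERS if key in layer]
    return unique_merge(values) if merge == "unique" else deep_merge(values)

def normalize_authorized_keys(value):
    """Turn either documented form into {comment: {'type': ..., 'key': ...}}.
    Assumption: the string form is 'type key comment', matching the title form in the reference."""
    if isinstance(value, dict):
        return {name: dict(attrs) for name, attrs in value.items()}
    keys = {}
    for line in value:
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"expected 'type key comment', got {line!r}")
        keys[parts[2]] = {"type": parts[0], "key": parts[1]}
    return keys
```

With the sample layers, the unique merge yields both aliases once and the deep merge yields both keys, which is the result the README's two-location example is after.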
To export a system's root RSA key:
root::export_key: true
To generate and export a different root SSH key:
root::generate_key_type: ecdsa-sk
root::export_key_type: "%{lookup('root::generate_key_type')}"
To collect exported root RSA keys from multiple tags:
root::collect_exported_keys: true
root::collect_exported_keys_tags:
- "%{facts.domain}"
- 'foo'
Add Kerberos principals to /root/.k5login:
root::kerberos_login_principals:
- user1@EXAMPLE.COM
- user2@EXAMPLE.COM
Add Kerberos principals and commands to /root/.k5users. Note that user3 and user4 will not have commands defined. The examples also illustrate defining commands as strings or arrays.
root::kerberos_users_commands:
  user1@EXAMPLE.COM:
    - /bin/systemctl
    - /bin/cat
  user2@EXAMPLE.COM: /bin/systemctl /bin/cat
  user3@EXAMPLE.COM: ''
  user4@EXAMPLE.COM: []
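How the string, array and empty forms above end up as /root/.k5users lines, as an added example (not the module's own code): a renderer for the documented hash, plus a parser that reads the file back so the resulting per-principal command list can be checked. The hash is constructed from the README example.

```python
# Added example (not the treydock-root module's code): render root::kerberos_users_commands
# into /root/.k5users lines and parse them back, covering the string, array and empty forms.
# Constructed sample, the same shapes as the README example.
KERBEROS_USERS_COMMANDS = {
    "user1@EXAMPLE.COM": ["/bin/systemctl", "/bin/cat"],
    "user2@EXAMPLE.COM": "/bin/systemctl /bin/cat",
    "user3@EXAMPLE.COM": "",
    "user4@EXAMPLE.COM": [],
}

def render_k5users(users_commands):
    """One line per principal: the principal followed by its commands, if any.
    A string value is split on whitespace so both documented forms render identically."""
    lines = []
    for principal, commands in users_commands.items():
        if isinstance(commands, str):
            commands = commands.split()
        lines.append(" ".join([principal, *commands]))
    return "\n".join(lines) + "\n"

def parse_k5users(text):
    """Read .k5users text back into {principal: [commands]}; principals listed
    without commands map to an empty list. Blank lines are skipped."""
    allowed = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        allowed[fields[0]] = fields[1:]
    return allowed
```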
If a different module manages Kerberos for root, disable Kerberos in this module:
root::manage_kerberos: false
Set an automatic logout for idle interactive shells (in seconds):
root::logout_timeout: 600
Reference
Table of Contents
Classes
Public Classes
root
: Manage root user
Private Classes
root::kerberos
: Private class
root::key::export
: Private class
root::params
: Private class
Defined types
Public Defined types
root::ssh_authorized_key
: Define root user's ssh_authorized_key resources
Private Defined types
root::key::collect
: Private class
Data types
Classes
root
Manage root user
Examples
include ::root
Parameters
The following parameters are available in the root class:
mailaliases
ssh_authorized_keys
password
purge_ssh_keys
generate_key_type
export_key
export_key_type
export_key_options
export_key_tag
collect_exported_keys
collect_exported_keys_tags
ssh_private_key
ssh_private_key_source
ssh_public_key
ssh_public_key_source
logout_timeout
manage_kerberos
kerberos_login_principals
kerberos_users_commands
mailaliases
Data type: Array
An array that defines mailaliases for the root user (defaults to an empty array).
When an empty array is given Mailaliases[root] is set to ensure => absent.
Default value: []
ssh_authorized_keys
Data type: Variant[Array, Hash]
Defines ssh_authorized_keys to be passed to the root::ssh_authorized_key defined type.
See root::ssh_authorized_key for examples of valid formats.
Default value: {}
password
Data type: Optional[Variant[String, Sensitive[String]]]
The password hash used for the root account.
Default value: undef
purge_ssh_keys
Data type: Boolean
Sets if unmanaged SSH keys will be purged for the root account.
Default value: true
generate_key_type
Data type: Root::SSHKeyTypes
Type of SSH key to generate when exporting
Default value: 'rsa'
export_key
Data type: Boolean
Sets if the root SSH RSA key should be created and exported.
Default value: false
export_key_type
Data type: Optional[Root::SSHKeyTypes]
The ssh_authorized_key type that is exported
Default value: $generate_key_type
export_key_options
Data type: Optional[Array]
Options to set for the exported SSH RSA key
Default value: undef
export_key_tag
Data type: String
The tag to use when exporting the root SSH RSA key.
Default value: $facts['networking']['domain']
collect_exported_keys
Data type: Boolean
Sets if the export root SSH RSA keys should be collected.
Default value: false
collect_exported_keys_tags
Data type: Array
Array of tags for root SSH RSA keys to collect.
Default value: [$facts['networking']['domain']]
ssh_private_key
Data type: Stdlib::Absolutepath
Path to root's SSH private key
Default value: '/root/.ssh/id_rsa'
ssh_private_key_source
Data type: Optional[String]
The source for root's SSH RSA private key
Default value: undef
ssh_public_key
Data type: Stdlib::Absolutepath
Path to root's SSH public key
Default value: '/root/.ssh/id_rsa.pub'
ssh_public_key_source
Data type: Optional[String]
The source for root's SSH RSA public key
Default value: undef
logout_timeout
Data type: Optional[Integer[0, default]]
Time (in seconds) before idle interactive terminals will logout
Default value: undef
manage_kerberos
Data type: Boolean
Boolean that sets if Kerberos files should be managed
Default value: true
kerberos_login_principals
Data type: Array
The Kerberos principals to write to /root/.k5login
Default value: []
kerberos_users_commands
Data type: Hash[String[1], Variant[String, Array]]
The Kerberos user principals and commands to write to /root/.k5users
Default value: {}
Defined types
root::ssh_authorized_key
Define root user's ssh_authorized_key resources
Examples
Define ssh_authorized_key using Hash
root::ssh_authorized_key { 'user@fqdn':
  type => 'ssh-rsa',
  key  => 'somelonghash==',
}
Define ssh_authorized_key using name string
root::ssh_authorized_key { 'ssh-rsa somelonghash== user@fqdn': }
Parameters
The following parameters are available in the root::ssh_authorized_key defined type:
ensure
Data type: Enum['present','absent']
ssh_authorized_key ensure property
Default value: 'present'
key
Data type: Optional[String[1]]
The SSH key hash
Default value: undef
options
Data type: Optional[Variant[String[1], Array]]
The SSH key options
Default value: undef
type
Data type: Optional[String[1]]
The type of SSH key.
Default value: undef
Data types
Root::SSHKeyTypes
The Root::SSHKeyTypes data type.
Alias of Enum['dsa', 'rsa', 'ecdsa', 'ecdsa-sk', 'ed25519', 'ed25519-sk']
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v6.1.0 (2023-06-16)
Added
v6.0.0 (2023-05-01)
Changed
- BREAKING CHANGE: Remove Hiera merge parameters #26 (treydock)
- Support Puppet 8, drop Puppet 6 and Ubuntu 18.04 #25 (treydock)
- Support more root key types, replace root_sshrsakey fact with root_ssh_key.rsa #24 (treydock)
- Drop Debian 9 support #22 (treydock)
Added
v5.1.2 (2022-06-21)
Fixed
v5.1.1 (2022-06-06)
Fixed
v5.1.0 (2022-05-17)
Added
v5.0.0 (2022-03-15)
Changed
v4.6.0 (2020-10-26)
Added
v4.5.0 (2020-10-21)
Added
v4.4.0 (2020-09-18)
Added
v4.3.0 (2020-05-12)
Added
v4.2.0 (2019-10-03)
Added
v4.1.1 (2019-05-09)
Added
Fixed
v4.1.0 (2019-05-07)
4.0.0 (2019-03-22)
3.0.0 (2017-10-26)
2.0.0 (2017-10-26)
1.0.0 (2014-05-09)
v0.0.3 (2013-06-12)
v0.0.2 (2013-05-14)
v0.0.1 (2013-05-14)
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs/stdlib (>= 4.13.1 < 10.0.0)
- puppetlabs/mailalias_core (>= 1.0.0 < 2.0.0)
- puppetlabs/sshkeys_core (>= 1.0.0 < 3.0.0)
Copyright (C) 2014 Trey Dockendorf <treydock@tamu.edu> Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.