Option to purge old authorized keys
diff --git a/README.rst b/README.rst
index 747c2c4..eab4d06 100644
--- a/README.rst
+++ b/README.rst
@@ -58,7 +58,9 @@
address: 0.0.0.0
port: 22
-OpenSSH server with auth keys for users
+OpenSSH server with auth keys for users.
+Parameter ``purge`` will ensure exact authorized_keys contents co undefined
+keys will be removed.
.. code-block:: yaml
@@ -77,6 +79,7 @@
- ${public_keys:newt}
root:
enabled: true
+ purge: true
user: ${linux:system:user:root}
public_keys:
- ${public_keys:newt}
diff --git a/openssh/client/service.sls b/openssh/client/service.sls
index a835c30..aa1fcae 100644
--- a/openssh/client/service.sls
+++ b/openssh/client/service.sls
@@ -30,7 +30,7 @@
{{ user.user.home }}/.ssh:
file.directory:
- user: {{ user.user.name }}
- - mode: 755
+ - mode: 700
- makedirs: true
- require:
- pkg: openssh_client_packages
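Review bot: The `.ssh` directory is tightened to `700` here but its `group` is still left unmanaged, so it keeps whatever group the minion created it with (root, when salt-minion creates it via `makedirs`), while the server-side `_ssh_dir` state introduced in this same commit pins both `user` and `group`. The two states should agree on one convention; if the user's primary group is available in the pillar, add `- group: {{ user.user.name }}` (or the pillar-provided group) here, otherwise drop the assumption on the server side too. With `700` the mismatch is not exploitable, but sshd's StrictModes only checks ownership of the path, so a wrong owner would still lock the user out.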
diff --git a/openssh/files/authorized_keys b/openssh/files/authorized_keys
new file mode 100644
index 0000000..0cbd730
--- /dev/null
+++ b/openssh/files/authorized_keys
@@ -0,0 +1,12 @@
+{%- from "openssh/map.jinja" import server with context -%}# This file is managed by Salt. Manual changes will be overwritten.
+{%- for name, user in server.user.iteritems() -%}
+{%- if user.user.name == user_name -%}
+{%- for public_key in user.public_keys %}
+{{ public_key.key }}
+{%- endfor -%}
+{%- endif -%}
+{%- endfor -%}
+
+{#-
+vim: syntax=jinja
+-#}
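Review bot: `server.user.iteritems()` on the loop at the top of the template is Python 2 only; on a Python 3 minion the render fails with an undefined-attribute error and, because this file now fully replaces `authorized_keys`, that failure surfaces as a lost key rollout rather than a no-op. Use the version-neutral form `{%- for name, user in server.user.items() -%}`. It would also be clearer to put the "managed by Salt" header on its own line rather than glued onto the `import` tag, e.g. `{%- from "openssh/map.jinja" import server with context -%}` followed by `# This file is managed by Salt. Manual changes will be overwritten.` with the whitespace-control markers adjusted so the header still lands on the first line.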
diff --git a/openssh/server/public_key.sls b/openssh/server/public_key.sls
index 293d015..71fcbf3 100644
--- a/openssh/server/public_key.sls
+++ b/openssh/server/public_key.sls
@@ -5,6 +5,30 @@
{%- if user.public_keys is defined %}
+{%- if user.get('purge', False) %}
+
+{{ user.user.name }}_ssh_dir:
+ file.directory:
+ - name: {{ user.user.home }}/.ssh
+ - user: {{ user.user.name }}
+ - group: {{ user.user.name }}
+ - mode: 700
+
+{{ user.user.name }}_auth_keys:
+ file.managed:
+ - name: {{ user.user.home }}/.ssh/authorized_keys
+ - user: {{ user.user.name }}
+ - group: {{ user.user.name }}
+ - mode: 644
+ - template: jinja
+ - source: salt://openssh/files/authorized_keys
+ - require:
+ - file: {{ user.user.name }}_ssh_dir
+ - defaults:
+ user_name: {{ user.user.name }}
+
+{%- else %}
+
{{ user.user.name }}_auth_keys:
ssh_auth.present:
- user: {{ user.user.name }}
@@ -15,6 +39,8 @@
{%- endif %}
+{%- endif %}
+
{%- endfor %}
-{%- endif %}
\ No newline at end of file
+{%- endif %}
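Review bot: In the new purge branch the rendered `authorized_keys` is written with `mode: 644`, which is looser than the `700` applied to the `.ssh` directory one state above and looser than what the key material needs; sshd only requires the file not be group/world-writable, so `- mode: 600` is the conventional hardening and costs nothing. The `group: {{ user.user.name }}` on both new states also assumes every managed user has a same-named private group, which holds for `root` on Linux but will make the state fail for users whose primary group differs (e.g. `users` or `wheel`); if the pillar carries a group for the user it should be used, and the assumption should at least be noted in the README next to the `purge` parameter. Note too that with `purge: true` an empty `public_keys` list renders an empty file, so the state is a deliberate lockout path and the README should say that explicitly. The `{%- for %}` loop enclosing this hunk starts outside the hunk, so which mapping `user` iterates (and whether it is the same `server.user` the template matches on) cannot be confirmed from here.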