cleanup SSH user keys management
While trying to deploy pgbackrest, I stumbled upon, again, the problem of how we manage SSH authorized_keys files in Puppet.
While there are many issues with the type (I filed all of those), our stuff is pretty confusing. Here's our SSH configuration declaring what the authorized keys files are:
```
AuthorizedKeysFile /etc/ssh/userkeys/%u /var/lib/misc/userkeys/%u /etc/ssh/userkeys/%u.more /etc/ssh/puppetkeys/%u
```
In long form, that is:

- /etc/ssh/userkeys/%u
- /var/lib/misc/userkeys/%u
- /etc/ssh/userkeys/%u.more
- /etc/ssh/puppetkeys/%u
Note that the default is `AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys2`. We don't use that (presumably) because we don't want people to manage their SSH keys themselves: we want them to do that through LDAP.
So that's the reason for /var/lib/misc/userkeys/%u, I guess: that's where ud-replicate will distribute the keys generated on the LDAP server, those from ud-generate.
/etc/ssh/puppetkeys/%u, I guess, is for keys deployed by Puppet... But what about /etc/ssh/userkeys/%u?? And WTF is /etc/ssh/userkeys/%u.more??
I've personally used /etc/ssh/userkeys/%u.more as a temporary place to throw a key that I know won't be rewritten by Puppet, but ugh, that's bad!
I should also note that /etc/ssh/userkeys/%u is used ALL OVER THE PLACE by Puppet (!?) to deploy keys. So I'm really not sure WTF that directory is anymore.
I think we should simplify this to hell. Keep only two directories:

- /var/lib/misc/userkeys/%u
- /etc/ssh/puppetkeys/%u
Eradicate all /etc/ssh/userkeys from all servers. If there are some we don't want, maybe we could restore that, but certainly don't allow a gaping .more hole in there.
Also: we should have a solid policy that keys deployed from Puppet shouldn't be writable by the user. Puppet is the boss here: users shouldn't be able to inject keys in there, particularly since we don't trust the key type to properly purge keys. (Purging actually works fine if the User type is correctly overridden, which might not be the case everywhere.)
Note that deploying this is complicated because we have two types defining SSH keys on servers: the "normal" ssh_authorized_key type, and the ssh::authorized_key_add and related _collect that are based on fragments. Those won't play well together, and might currently overlap if we shift everything to puppetkeys, particularly on the Ganeti servers.
So, checklist:

- retire the .more thing (audit servers for presence, eradicate)
- move all keys deployed by puppet to puppetkeys (with exceptions properly documented, userkeys-cleanup branch in puppet)
- ensure that all managed keys are "purged" (User.purge_ssh... set properly)
- retire the ssh::authorized_keys_add and _collect resources
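As an added example (not from this ticket or the Puppet code it describes), a POSIX shell audit for the first two checklist items on one host: any leftover file under /etc/ssh/userkeys (with the .more ones called out separately) and any file under /etc/ssh/puppetkeys that is not owned by the expected account or carries a group/other write bit. The root prefix and expected-owner arguments are assumptions added so it can be run against a copied tree; it relies on GNU stat(1).

```sh
#!/bin/sh
# Audit a host (or a copied tree under $1) for leftovers the cleanup
# checklist targets. Prints one line per finding and returns 1 if any
# were found, 0 if the tree is clean. Assumptions: GNU stat(1), and the
# expected owner of Puppet-deployed key files defaults to root.
audit_ssh_keys() {
    root="${1:-/}"
    expected_owner="${2:-root}"
    userkeys="$root/etc/ssh/userkeys"
    puppetkeys="$root/etc/ssh/puppetkeys"
    problems=0

    # 1. /etc/ssh/userkeys is supposed to go away entirely; a "<user>.more"
    #    file is the worst case because sshd still reads it and nothing
    #    manages it.
    if [ -d "$userkeys" ]; then
        for f in "$userkeys"/*; do
            [ -f "$f" ] || continue          # unmatched glob or non-file
            case "$f" in
                *.more) echo "MORE-FILE $f" ;;
                *)      echo "LEGACY-USERKEYS $f" ;;
            esac
            problems=$((problems + 1))
        done
    fi

    # 2. Puppet is the boss of /etc/ssh/puppetkeys: every file must belong
    #    to $expected_owner and have no group or other write bit, so a user
    #    cannot inject keys that Puppet will never purge.
    if [ -d "$puppetkeys" ]; then
        for f in "$puppetkeys"/*; do
            [ -f "$f" ] || continue
            owner=$(stat -c '%U' "$f")
            mode=$(stat -c '%a' "$f")        # e.g. 644 or 664
            if [ "$owner" != "$expected_owner" ]; then
                echo "BAD-OWNER $f (owner $owner)"
                problems=$((problems + 1))
            fi
            # write bit (2) set in the group digit (second to last)
            # or in the other digit (last)
            case "$mode" in
                *[2367]? | *[2367])
                    echo "WRITABLE $f (mode $mode)"
                    problems=$((problems + 1)) ;;
            esac
        done
    fi

    [ "$problems" -eq 0 ]
}
```

Run it as `audit_ssh_keys` on each server (or `audit_ssh_keys /path/to/copied/tree`) and feed the MORE-FILE lines to the eradication step.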