Manage local users


In this tutorial we will show how to use CFEngine to manage users: create them, add them to groups, set up their home directories and copy SSH keys into their ~/.ssh directory as part of creating each user.

  1. Create some files and groups that we will use

Create the files id_rsa and id_rsa.pub in /tmp.

# touch /tmp/id_rsa /tmp/id_rsa.pub

Create the groups security and webadmin.

# sudo groupadd security
# sudo groupadd webadmin

  2. Create CFEngine policy called users.cf

Create a file /tmp/users.cf with the following content:

body common control
{
  inputs => { "$(sys.libdir)/stdlib.cf" };
}

bundle agent main
{
  vars:
    "users" slist => { "adam", "eva" };

  users:
    # One users promise per element of the list; groups must already exist
    "$(users)"
      policy           => "present",
      home_dir         => "/home/$(users)",
      group_primary    => "users",
      groups_secondary => { "security", "webadmin" },
      shell            => "/bin/bash",
      home_bundle      => setup_home_dir("$(users)");
}

bundle agent setup_home_dir(user)
{
  vars:
    "keys" slist => { "id_rsa", "id_rsa.pub" };

  files:
    "/home/$(user)/."             create => "true";
    "/home/$(user)/.ssh/."        create => "true";
    # local_cp comes from stdlib.cf and copies from a path on this host
    "/home/$(user)/.ssh/$(keys)"  copy_from => local_cp("/tmp/$(keys)");
}
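The setup_home_dir bundle above copies id_rsa, a private key, while cf-agent runs as root, so the key files and ~/.ssh end up owned by root with whatever mode the agent's umask produces, and ssh refuses to use a private key that other users can read. The variant below is an added example, not code from the tutorial; it sets owner, group and mode with the stdlib mog body and assumes the primary group "users" from the policy above.

```cfengine3
bundle agent setup_home_dir(user)
# Added example: the tutorial's bundle with ownership and mode fixed so the
# copied keys belong to the user and the private key is unreadable by others.
{
  vars:
    "keys" slist => { "id_rsa", "id_rsa.pub" };

  files:
    "/home/$(user)/."
      create => "true",
      perms  => mog("0755", "$(user)", "users");   # assumes primary group "users"

    "/home/$(user)/.ssh/."
      create => "true",
      perms  => mog("0700", "$(user)", "users");   # ~/.ssh private to its owner

    "/home/$(user)/.ssh/id_rsa"
      copy_from => local_cp("/tmp/id_rsa"),
      perms     => mog("0600", "$(user)", "users"); # private key: owner only

    "/home/$(user)/.ssh/id_rsa.pub"
      copy_from => local_cp("/tmp/id_rsa.pub"),
      perms     => mog("0644", "$(user)", "users"); # public key may be world-readable
}
```

Use it in place of the bundle above in /tmp/users.cf; the step 3 checks still apply, and ls -la /home/adam/.ssh should then show the user as owner with modes 0700 and 0600.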

  3. Test it out, and verify the result

Run CFEngine:

# /var/cfengine/bin/cf-agent -fK /tmp/users.cf

Verify the result: Have the users been created?

# grep -P "adam|eva" /etc/passwd

Congratulations! You should now see the users adam and eva listed.

Verify the result: Have the users' home directories been created?

# ls /home | grep -P "adam|eva"

Congratulations! You should now see adam and eva listed.

Verify the result: Have the users been added to the correct groups?

# grep -P "adam|eva" /etc/group

Congratulations! You should now see adam and eva added to the groups security and webadmin. NOTE: CFEngine's users promise type does not create groups, so you must make sure the groups exist beforehand (as done in step 1).

Verify the result: Have the SSH keys been copied from /tmp to each user's ~/.ssh directory?

# ls /home/adam/.ssh /home/eva/.ssh

Congratulations! You should now see the files id_rsa and id_rsa.pub.

PS. If you would like to play around with the policy, delete the users after each run with the command

# deluser -r username

Mission accomplished!