VL Users How It Works
vl-users is a bash script that a cron job runs once an hour on every one of our managed machines. When a machine is provisioned by our Chef configuration management tool, the script is installed on the machine and its cron job is created.
At the root of the repository there is a JSON file called "user_list.json". Open this file and add your username and your public key to the list. A user may have more than one public key. The value for each user is a JSON list, so to add another key put a comma after the previous key and add the next one, like this:
"snobym": [
"ssh-rsa AASASblahblahblah",
"ssh-rsa AAANzadblahblahblah"
],
Once an hour a cron job executes vl-users/create_user.bash on every machine managed by tropo-operations. The script uses curl to retrieve user_list.json and then makes whatever changes are needed: adding users, deleting users, and updating their keys. Keep in mind that every key in this file ends up with passwordless sudo on every managed host (see the voxeolabs group below), so a change to user_list.json should be reviewed as carefully as a change to the root password, and because the file is fetched over the network and acted on as root, the fetch must use HTTPS with certificate verification left on and a failed or empty download must abort the run rather than be treated as an empty user list.
The groups file on the machine is queried for the voxeolabs group; if that group does not exist on the machine, it is created.
/etc/sudoers is checked for an entry that gives the voxeolabs group the NOPASSWD option. If the entry does not exist, or exists without NOPASSWD, the script adds a NOPASSWD entry for the group, so every member of voxeolabs can run sudo without a password.
A check is made to see whether this script has ever been run on this machine before. If this is the first run, an empty file named /etc/voxeolabs/installed_users.txt is created.
For every user in user_list.json the script:
- constructs the user's authorized_keys file so that the user can ssh into the machine with a key instead of a password; accounts with multiple public keys get one line per key.
- if the user is new, creates the account on the machine with bash as its shell, creates the .ssh directory, and populates the authorized_keys file for that user.
- if the user has been removed from the list, deletes the account from the machine.
Finally, the list of voxeolabs users this machine now allows is saved to installed_users.txt so that the next run can compare against it and know immediately which users need creating or deleting.
Last, the script checks that the "support" user is NOT a member of the voxeolabs group. If it is, the user is moved into its own group called support, so that support does not inherit the group's passwordless sudo.
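The following is an added illustration of the hourly reconciliation described above, written in Python; it is not the project's create_user.bash. It models the same steps (fail-closed parsing of user_list.json, the voxeolabs group and sudoers checks, the diff against installed_users.txt, the authorized_keys content, and the support-user check) but returns the privileged changes as a list of actions instead of executing them, so it runs without root. The exact sudoers line, the useradd/userdel/gpasswd/usermod flags, and the sample user list are assumptions made for the example.

```python
import json
import re

# Assumed form of the sudoers entry; the page only says the group gets NOPASSWD.
SUDOERS_ENTRY = "%voxeolabs ALL=(ALL) NOPASSWD: ALL"
INSTALLED_FILE = "/etc/voxeolabs/installed_users.txt"
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# An OpenSSH authorized_keys line: key type, base64 body, optional comment.
PUBKEY_RE = re.compile(
    r"(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( \S.*)?"
)


def parse_user_list(text):
    """Turn the downloaded user_list.json into {username: [keys]}.
    Anything malformed raises, so a failed or tampered download can never be
    mistaken for "everyone was removed" and delete every account on the host."""
    data = json.loads(text)
    if not isinstance(data, dict) or not data:
        raise ValueError("user list must be a non-empty JSON object")
    users = {}
    for name, keys in data.items():
        if not USERNAME_RE.fullmatch(name):
            raise ValueError(f"invalid username: {name!r}")
        if not isinstance(keys, list) or not keys:
            raise ValueError(f"{name}: key list must be a non-empty JSON list")
        for key in keys:
            if not isinstance(key, str) or not PUBKEY_RE.fullmatch(key):
                raise ValueError(f"{name}: not an OpenSSH public key line: {key!r}")
        users[name] = list(keys)
    return users


def authorized_keys_text(keys):
    """Render one authorized_keys file: accounts with several keys get one line per key."""
    return "".join(key + "\n" for key in keys)


def sudoers_has_nopasswd(sudoers_text):
    """True when an uncommented line already grants the voxeolabs group NOPASSWD."""
    for line in sudoers_text.splitlines():
        line = line.strip()
        if line.startswith("%voxeolabs") and "NOPASSWD" in line:
            return True
    return False


def reconcile(wanted, installed, groups, sudoers_text, support_groups):
    """Compute this run's changes as actions instead of executing them:
    ("run", argv) for a command, ("write", path, content) and ("append", path, line) for files.
    wanted: parse_user_list() output; installed: names read from INSTALLED_FILE (empty on the
    first run); groups: group names from /etc/group; support_groups: groups the support user is in."""
    actions = []
    if "voxeolabs" not in groups:
        actions.append(("run", ["groupadd", "voxeolabs"]))
    if not sudoers_has_nopasswd(sudoers_text):
        actions.append(("append", "/etc/sudoers", SUDOERS_ENTRY))
    for name in sorted(wanted):
        if name not in installed:
            actions.append(("run", ["useradd", "-m", "-s", "/bin/bash", "-G", "voxeolabs", name]))
            actions.append(("run", ["install", "-d", "-m", "700", "-o", name, f"/home/{name}/.ssh"]))
        # Rewritten every run, so a key dropped from the JSON is dropped from the host too.
        actions.append(("write", f"/home/{name}/.ssh/authorized_keys",
                        authorized_keys_text(wanted[name])))
    for name in sorted(set(installed) - set(wanted)):
        actions.append(("run", ["userdel", "-r", name]))
    if "voxeolabs" in support_groups:
        # support must never inherit the group's passwordless sudo: give it its own group.
        if "support" not in groups:
            actions.append(("run", ["groupadd", "support"]))
        actions.append(("run", ["gpasswd", "-d", "support", "voxeolabs"]))
        actions.append(("run", ["usermod", "-g", "support", "support"]))
    actions.append(("write", INSTALLED_FILE, "".join(n + "\n" for n in sorted(wanted))))
    return actions


# Constructed sample input standing in for the downloaded user_list.json.
SAMPLE_USER_LIST = json.dumps({
    "snobym": ["ssh-rsa AASASblahblahblah", "ssh-rsa AAANzadblahblahblah"],
    "newuser": ["ssh-ed25519 AAAAC3Nza newuser@laptop"],
})

if __name__ == "__main__":
    wanted = parse_user_list(SAMPLE_USER_LIST)
    # Host state: snobym and olduser installed last run, no voxeolabs group yet,
    # no NOPASSWD entry, and support wrongly sitting in voxeolabs.
    for action in reconcile(wanted, {"snobym", "olduser"}, {"root", "sudo"},
                            "root ALL=(ALL) ALL\n", {"voxeolabs"}):
        print(action)
```

Running it prints the plan for the constructed host state: groupadd voxeolabs, the sudoers append, useradd for newuser only, userdel for olduser, a fresh authorized_keys for both wanted users, the support group fix, and the new installed_users.txt. The fail-closed parser is the part worth copying into the real script: an empty object, a bad username or a value that is not a public key line aborts the run instead of turning into a mass deletion.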