2

I'm configuring sudo module in puppet according to this code

class sudo {
  package { 'sudo':
    ensure => present,
  }
  if $operatingsystem == 'Ubuntu' {
    package { 'sudo-ldap':
      ensure  => present,
      require => Package['sudo'],
    }
  }
  file { '/etc/sudoers':
    owner   => 'root',
    group   => 'root',
    mode    => '0440',
    source  => "puppet://${puppetserver}/modules/sudo/etc/sudoers",
    replace => true,
    require => Package['sudo'],
  }
}

and got the following error:

If you have arranged other means to access the root account, and you are sure this is what you want, you may bypass this check by setting an environment variable (export SUDO_FORCE_REMOVE=yes).

What parameter should I put into the code, and where, in order to make the sudo command accept only the SSH key without asking for a password?

Any suggestion would be appreciated.

Dominic Cleal
bayou

2 Answers

2

The error message you're getting indicates that by installing sudo-ldap, dpkg is removing sudo, and the remove script is trying to warn you that this might leave you in a state without root access.

You can't set an environment variable from Puppet for dpkg, so you would need to launch the Puppet agent with the environment already set up (perhaps export from /etc/default/puppet or something similar such as an init script).

The question you're asking below though is something to do with sudo itself and is probably satisfied by using the NOPASSWD option in your /etc/sudoers file:

username ALL=(ALL) NOPASSWD: ALL

This allows "username" to sudo to any user and run any command without a password at all. No checking of SSH keys is done at this stage (it doesn't make sense), but the user could have connected to the system with an SSH key.

Dominic Cleal
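The NOPASSWD rule above hands out a full root shell to whoever holds that user's SSH key. As an added example (not code from the question or either answer), the snippet below deploys a NOPASSWD rule that is limited to named commands and has Puppet validate the fragment with visudo before it replaces the file. It assumes the question's class still declares Package['sudo'], that /etc/sudoers contains `#includedir /etc/sudoers.d` (the Debian/Ubuntu default), and that the account name and command list are placeholders; `join` is built in from Puppet 5.5 and comes from stdlib before that.

```puppet
# Added example: a scoped NOPASSWD rule managed from Puppet.
# Assumptions: Package['sudo'] is declared elsewhere (as in the question's
# class), /etc/sudoers has "#includedir /etc/sudoers.d", and the defaults
# below ("deploy", the systemctl command) are placeholders for real values.
class sudo::nopasswd (
  String        $user     = 'deploy',
  Array[String] $commands = ['/usr/bin/systemctl restart myapp'],
) {
  # sudoers takes a comma-separated command list; restricting the rule to
  # explicit binaries keeps a stolen SSH key from becoming unrestricted root.
  $cmd_list = join($commands, ', ')

  file { "/etc/sudoers.d/${user}":
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => "${user} ALL=(root) NOPASSWD: ${cmd_list}\n",
    # Puppet writes the candidate content to a temp file, substitutes its
    # path for "%", and only installs the file if visudo -c exits 0, so a
    # typo in the rule cannot break sudo for everyone on the host.
    validate_cmd => '/usr/sbin/visudo -c -f %',
    require      => Package['sudo'],
  }
}
```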
0

This won't work: on every Puppet run, Puppet will remove sudo-ldap and try to install sudo, followed by installing sudo-ldap again.

The 'export SUDO_FORCE_REMOVE=yes' part was fixed by creating an executable file with the export statement and running it with an exec:

> ... 
>     if $ldap {
>       file { '/tmp/delsudo.sh':
>         ensure  => present,
>         mode    => '0700',
>         content => 'export SUDO_FORCE_REMOVE=yes';
>       } ->
>       exec { '/tmp/delsudo.sh':
>         logoutput => on_failure;
>       }
>     ...
Zenin