From 5190cb0fd293e5dffb1d5c06f7023703ea5d85d5 Mon Sep 17 00:00:00 2001
From: Michiel van Baak
Date: Fri, 4 Sep 2015 12:04:53 +0200
Subject: [PATCH 1/5] Make sure the .ssh directory has sane permissions. Prepare for provisioning private keys as well
---
 users | 2 +-
 users_ubuntu | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/users b/users
index 315de83..170a68a 100755
--- a/users
+++ b/users
@@ -40,7 +40,7 @@ if "provision" == sys.argv[1]:
 username))
 key.key = user['email']
- os.system("/bin/mkdir --mode=0755 -p /home/{0}/.ssh".format(username))
+ os.system("/bin/mkdir --mode=0700 -p /home/{0}/.ssh".format(username))
 key.get_contents_to_filename(
 "/home/{0}/.ssh/authorized_keys".format(username))
 os.system("chown -R {0}.{0} /home/{0}".format(username))
diff --git a/users_ubuntu b/users_ubuntu
index abd0085..a8d069c 100644
--- a/users_ubuntu
+++ b/users_ubuntu
@@ -44,7 +44,7 @@ if "provision" == sys.argv[1]:
 os.system(command)
 key.key = user['email']
- os.system("/bin/mkdir --mode=0755 -p /home/{0}/.ssh".format(username))
+ os.system("/bin/mkdir --mode=0700 -p /home/{0}/.ssh".format(username))
 key.get_contents_to_filename(
 "/home/{0}/.ssh/authorized_keys".format(username))
 os.system("chown -R {0}.{0} /home/{0}".format(username))
From 8b400ca12be7741272ca03c1c6f75bfd68033c20 Mon Sep 17 00:00:00 2001
From: Michiel van Baak
Date: Fri, 4 Sep 2015 12:11:58 +0200
Subject: [PATCH 2/5] If the bucket also has a file {$email}.private provision this as {$user}/.ssh/id_rsa private key
---
 users | 17 +++++++++++++++++
 users_ubuntu | 16 ++++++++++++++++
 2 files changed, 33 insertions(+)
diff --git a/users b/users
index 170a68a..773f092 100755
--- a/users
+++ b/users
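Review bot: `mkdir -p` applies `--mode=0700` only when it creates the directory, so a `.ssh` that already exists (for example from a run of the previous 0755 version of this line) keeps its old mode and the tightening this commit intends is not enforced on re-provisioning; the users_ubuntu hunk on this line has the same gap. Doing it in Python also keeps `username`, which the loop reads from userdata, out of a shell string: `sshdir = "/home/{0}/.ssh".format(username)`, then `if not os.path.isdir(sshdir): os.makedirs(sshdir, 0o700)` followed by `os.chmod(sshdir, 0o700)`. The surrounding `os.system("chown -R ...")` context line interpolates `username` into a shell command the same way and deserves the same treatment. The provision loop these lines sit in starts outside the hunk.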
@@ -43,6 +43,14 @@ if "provision" == sys.argv[1]:
 os.system("/bin/mkdir --mode=0700 -p /home/{0}/.ssh".format(username))
 key.get_contents_to_filename(
 "/home/{0}/.ssh/authorized_keys".format(username))
+ try:
+ key.key = "{0}.private".fromat(user['email'])
+ key.exists()
+ key.get_contents_to_filename(
+ "/home/{0}/.ssh/id_rsa".format(username))
+ except:
+ sys.stdout.write(" {0} has no private key to provision".format(username))
+
 os.system("chown -R {0}.{0} /home/{0}".format(username))
 elif "remove" == sys.argv[1]:
 for username in userdata['security']['users']:
@@ -65,6 +73,15 @@ elif "update" == sys.argv[1]:
 except:
 os.remove("/home/{0}/.ssh/authorized_keys".format(username))
+ try:
+ key.key = "{0}.private".fromat(user['email'])
+ key.exists()
+ key.get_contents_to_filename(
+ "/home/{0}/.ssh/id_rsa".format(username))
+ except:
+ # also remove
+ os.remove("/home/{0}/.ssh/id_rsa".format(username))
+
 os.system("chown -R {0}.{0} /home/{0}".format(username))
 else:
 pass
diff --git a/users_ubuntu b/users_ubuntu
index a8d069c..fc2cb1c 100644
--- a/users_ubuntu
+++ b/users_ubuntu
@@ -47,6 +47,14 @@ if "provision" == sys.argv[1]:
 os.system("/bin/mkdir --mode=0700 -p /home/{0}/.ssh".format(username))
 key.get_contents_to_filename(
 "/home/{0}/.ssh/authorized_keys".format(username))
+ try:
+ key.key = "{0}.private".fromat(user['email'])
+ key.exists()
+ key.get_contents_to_filename(
+ "/home/{0}/.ssh/id_rsa".format(username))
+ except:
+ sys.stdout.write(" {0} has no private key to provision".format(username))
+
 os.system("chown -R {0}.{0} /home/{0}".format(username))
 elif "remove" == sys.argv[1]:
 for username in userdata['security']['users']:
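Review bot: The bare `except:` around the new private-key download turns every failure into the "has no private key to provision" message, including the `AttributeError` raised by the `.fromat` typo on the `key.key = ...` line of this very hunk, so the feature silently never runs and nothing in the output says why; the users_ubuntu provision hunk on this line and both update hunks share this shape. In boto, `Key.exists()` returns a boolean rather than raising, so calling it for effect changes nothing here. Test the result and let other errors surface: `if key.exists():` / `key.get_contents_to_filename("/home/{0}/.ssh/id_rsa".format(username))` / `else:` with the `sys.stdout.write` in the else branch (which also wants a trailing `"\n"`, as it currently runs into the next output). The provision loop this sits in starts outside the hunk.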
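Review bot: In the update hunk the new `except:` branch calls `os.remove("/home/{0}/.ssh/id_rsa".format(username))` unconditionally, but `os.remove` raises `OSError` when the file is absent, which is the normal case for a user who never had a private key, so the first such user aborts the whole update run; the users_ubuntu update hunk on the next line has the same branch. The branch also deletes an existing key whenever the download fails for any reason (the `.fromat` typo, a credential or network error), not only when the object is gone from the bucket. Make the removal conditional and the failure narrow: `if not key.exists():` followed by `if os.path.exists(path): os.remove(path)`, and let other exceptions propagate. The update loop this sits in starts outside the hunk.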
@@ -68,6 +76,14 @@ elif "update" == sys.argv[1]:
 "/home/{0}/.ssh/authorized_keys".format(username))
 except:
 os.remove("/home/{0}/.ssh/authorized_keys".format(username))
+ try:
+ key.key = "{0}.private".fromat(user['email'])
+ key.exists()
+ key.get_contents_to_filename(
+ "/home/{0}/.ssh/id_rsa".format(username))
+ except:
+ # also remove
+ os.remove("/home/{0}/.ssh/id_rsa".format(username))
 os.system("chown -R {0}.{0} /home/{0}".format(username))
 else:
From 97ab475d6eb2ce43d467c2ddcf87409d2eef2431 Mon Sep 17 00:00:00 2001
From: Michiel van Baak
Date: Fri, 4 Sep 2015 12:16:47 +0200
Subject: [PATCH 3/5] update README with latest new feature
---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 4abd242..f4e570f 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,7 @@ Launching an instance with the following as userdata will create users
 }
 This userdata points to the bucket keys.30mhz.com, and expects an object with the name `jasper@9apps.net`, for the key of the user `jasper`.
+If the bucket has an object with the name `jasper@9apps.net.private` this file will be installed as a private ssh key for the user `jasper`.
 ## Requirements
@@ -86,5 +87,6 @@ User accounts on instances in most systems are only used for (administering) acc
 * full name (comment)
 * groups
 * authorized keys
+* private key (optional)
-We put username, email, full name and groups in userdata. Authorized keys are stored in S3, in objects with the email as their key name.
+We put username, email, full name and groups in userdata. Authorized and private keys are stored in S3, in objects with the email as their key name.
From 4549612dabfc720ab58f3f56c653758122417dac Mon Sep 17 00:00:00 2001
From: Michiel van Baak
Date: Fri, 4 Sep 2015 12:27:10 +0200
Subject: [PATCH 4/5] fix typo. Set correct permissions on the private keyfile otherwise ssh refuses to use it
---
 users | 6 ++++--
 users_ubuntu | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/users b/users
index 773f092..a3adad3 100755
--- a/users
+++ b/users
@@ -44,10 +44,11 @@ if "provision" == sys.argv[1]:
 key.get_contents_to_filename(
 "/home/{0}/.ssh/authorized_keys".format(username))
 try:
- key.key = "{0}.private".fromat(user['email'])
+ key.key = "{0}.private".format(user['email'])
 key.exists()
 key.get_contents_to_filename(
 "/home/{0}/.ssh/id_rsa".format(username))
+ os.system("chmod 600 /home/{0}/.ssh/id_rsa".format(username))
 except:
 sys.stdout.write(" {0} has no private key to provision".format(username))
@@ -74,10 +75,11 @@ elif "update" == sys.argv[1]:
 os.remove("/home/{0}/.ssh/authorized_keys".format(username))
 try:
- key.key = "{0}.private".fromat(user['email'])
+ key.key = "{0}.private".format(user['email'])
 key.exists()
 key.get_contents_to_filename(
 "/home/{0}/.ssh/id_rsa".format(username))
+ os.system("chmod 600 /home/{0}/.ssh/id_rsa".format(username))
 except:
 # also remove
 os.remove("/home/{0}/.ssh/id_rsa".format(username))
diff --git a/users_ubuntu b/users_ubuntu
index fc2cb1c..62a945d 100644
--- a/users_ubuntu
+++ b/users_ubuntu
@@ -48,10 +48,11 @@ if "provision" == sys.argv[1]:
 key.get_contents_to_filename(
 "/home/{0}/.ssh/authorized_keys".format(username))
 try:
- key.key = "{0}.private".fromat(user['email'])
+ key.key = "{0}.private".format(user['email'])
 key.exists()
 key.get_contents_to_filename(
 "/home/{0}/.ssh/id_rsa".format(username))
+ os.system("chmod 600 /home/{0}/.ssh/id_rsa".format(username))
 except:
 sys.stdout.write(" {0} has no private key to provision".format(username))
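Review bot: The added `chmod 600` runs only after `get_contents_to_filename` has already created `id_rsa`, so the private key is first written with whatever the process umask allows (commonly 0644) and tightened afterwards; the users update hunk and both users_ubuntu hunks (this line and the next) have the same ordering. Setting `os.umask(0o077)` once near the top of the script, before any download, makes every file the script writes private from creation, and the chmod can then stay as a second guard written as `os.chmod("/home/{0}/.ssh/id_rsa".format(username), 0o600)` rather than a shell string with `username` interpolated into it. Because the chmod sits inside the `try`, a chmod failure is also reported as "has no private key to provision", which misleads. The enclosing loop starts outside the hunk.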
@@ -77,10 +78,11 @@ elif "update" == sys.argv[1]:
 except:
 os.remove("/home/{0}/.ssh/authorized_keys".format(username))
 try:
- key.key = "{0}.private".fromat(user['email'])
+ key.key = "{0}.private".format(user['email'])
 key.exists()
 key.get_contents_to_filename(
 "/home/{0}/.ssh/id_rsa".format(username))
+ os.system("chmod 600 /home/{0}/.ssh/id_rsa".format(username))
 except:
 # also remove
 os.remove("/home/{0}/.ssh/id_rsa".format(username))
From 97142b1c291d6194789bab9d9ccb4d3653ac3d63 Mon Sep 17 00:00:00 2001
From: Michiel van Baak
Date: Fri, 4 Sep 2015 15:14:37 +0200
Subject: [PATCH 5/5] For some reason using only one "key" object confused the whole script when there are users without a private key on s3
---
 users | 12 ++++++------
 users_ubuntu | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/users b/users
index a3adad3..64e9178 100755
--- a/users
+++ b/users
@@ -28,6 +28,7 @@ if not ('security' in userdata and 'users' in userdata['security']):
 s3 = boto.connect_s3()
 keys = s3.get_bucket(userdata['security']['bucket'], validate=False)
 key = boto.s3.key.Key(keys)
+privatekey = boto.s3.key.Key(keys)
 if "provision" == sys.argv[1]:
 for username in userdata['security']['users']:
@@ -44,9 +45,8 @@ if "provision" == sys.argv[1]:
 key.get_contents_to_filename(
 "/home/{0}/.ssh/authorized_keys".format(username))
 try:
- key.key = "{0}.private".format(user['email'])
- key.exists()
- key.get_contents_to_filename(
+ privatekey.key = "{0}.private".format(user['email'])
+ privatekey.get_contents_to_filename(
 "/home/{0}/.ssh/id_rsa".format(username))
 os.system("chmod 600 /home/{0}/.ssh/id_rsa".format(username))
 except:
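Review bot: The provision hunk drops the `exists()` call while the update hunks on the next line keep `privatekey.exists()`, so the two branches now decide "no private key" differently; with the check gone, provision relies entirely on the bare `except:` around the download, and any failure, not only a missing object, prints "has no private key to provision". The users_ubuntu provision hunk on the next line makes the same change. Use the result explicitly in both branches, `if privatekey.exists():` placed before the `privatekey.get_contents_to_filename(` call, so that a missing object is the only path to that message and other errors are not hidden. The enclosing loop starts outside the hunk.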
@@ -75,9 +75,9 @@ elif "update" == sys.argv[1]:
 os.remove("/home/{0}/.ssh/authorized_keys".format(username))
 try:
- key.key = "{0}.private".format(user['email'])
- key.exists()
- key.get_contents_to_filename(
+ privatekey.key = "{0}.private".format(user['email'])
+ privatekey.exists()
+ privatekey.get_contents_to_filename(
 "/home/{0}/.ssh/id_rsa".format(username))
 os.system("chmod 600 /home/{0}/.ssh/id_rsa".format(username))
 except:
diff --git a/users_ubuntu b/users_ubuntu
index 62a945d..1858dca 100644
--- a/users_ubuntu
+++ b/users_ubuntu
@@ -30,6 +30,7 @@ if not ('security' in userdata and 'users' in userdata['security']):
 s3 = boto.connect_s3()
 keys = s3.get_bucket(userdata['security']['bucket'], validate=False)
 key = boto.s3.key.Key(keys)
+privatekey = boto.s3.key.Key(keys)
 if "provision" == sys.argv[1]:
 for username in userdata['security']['users']:
@@ -48,9 +49,8 @@ if "provision" == sys.argv[1]:
 key.get_contents_to_filename(
 "/home/{0}/.ssh/authorized_keys".format(username))
 try:
- key.key = "{0}.private".format(user['email'])
- key.exists()
- key.get_contents_to_filename(
+ privatekey.key = "{0}.private".format(user['email'])
+ privatekey.get_contents_to_filename(
 "/home/{0}/.ssh/id_rsa".format(username))
 os.system("chmod 600 /home/{0}/.ssh/id_rsa".format(username))
 except:
@@ -78,9 +78,9 @@ elif "update" == sys.argv[1]:
 except:
 os.remove("/home/{0}/.ssh/authorized_keys".format(username))
 try:
- key.key = "{0}.private".format(user['email'])
- key.exists()
- key.get_contents_to_filename(
+ privatekey.key = "{0}.private".format(user['email'])
+ privatekey.exists()
+ privatekey.get_contents_to_filename(
 "/home/{0}/.ssh/id_rsa".format(username))
 os.system("chmod 600 /home/{0}/.ssh/id_rsa".format(username))
 except:
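Review bot: `privatekey.exists()` is kept in the users update hunk but its boolean result is discarded, so it costs a HEAD request and changes nothing about what the `except:` below sees; the users_ubuntu update hunk on this line is identical. The commit message says the shared `key` object confused the script "for some reason", and the added `privatekey = boto.s3.key.Key(keys)` lines carry no comment recording what was observed, so the next reader has nothing stopping them from merging the two objects back. A one-line note on each of those lines, phrased as observed behaviour since the root cause is not identified, such as `# separate Key object: a failed download of the optional .private object must not affect the Key used for authorized_keys`, would preserve that. The update loop this hunk sits in starts and ends outside the hunk.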