]>
git.immae.eu Git - perso/Immae/Config/Nix.git/blob - nixops/modules/ssh/ldap_authorized_keys.sh
5 LDAP_BIND
="cn=ssh,ou=services,dc=immae,dc=eu"
6 LDAP_PASS
=$(cat /etc/ssh/ldap_password)
7 LDAP_HOST
="ldap.immae.eu"
8 LDAP_MEMBER
="cn=users,cn=ssh,ou=services,dc=immae,dc=eu"
9 LDAP_GITOLITE_MEMBER
="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu"
10 LDAP_PUB_RESTRICT_MEMBER
="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"
11 LDAP_PUB_FORWARD_MEMBER
="cn=forward,cn=pub,ou=services,dc=immae,dc=eu"
12 LDAP_BASE
="dc=immae,dc=eu"
13 GITOLITE_SHELL
=$(which gitolite-shell)
20 if [[ $key != *$
'\n'* ]] && [[ $key == ssh-* ]]; then
23 key_type
=$(cut -d " " -f 1 <<< "$key")
25 if grep -q "\b-$type_for\b" <<< "$key_type"; then
27 elif grep -q "\b$type_for\b" <<< "$key_type"; then
28 echo $(sed -e "s/^[^ ]* //g" <<< "$key")
39 if [[ "$line" == $KEY::* ]]; then
40 # base64 keys should't happen, unless wrong copy-pasting
43 key
=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line")
46 suitable_for
"$type_for" "$key"
50 $LDAPSEARCH -h $LDAP_HOST -ZZ -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif
-wrap=no
-LLL "$@"
55 if [[ $user == gitolite
]]; then
56 ldap_search
'(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY | \
59 if [ ! -z "$line" ]; then
60 if [[ $line == dn
* ]]; then
61 user
=$(sed -n 's/.*uid=\([^,]*\).
*/\
1/p
' <<< "$line")
62 if [ -n "$user" ]; then
63 if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then
64 # Capitalize first letter (backward compatibility)
65 user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user")
69 user
=$(sed -n 's/.*cn=\([^,]*\).
*/\
1/p
' <<< "$line")
71 elif [[ $line == $KEY* ]]; then
72 key=$(clean_key_line git "$line")
73 if [ ! -z "$key" ]; then
74 if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
75 echo -n 'command="'$GITOLITE_SHELL' '$user'",no
-port-forwarding,no
-X11-forwarding,no
-agent-forwarding,no
-pty '
83 elif [[ $user == pub ]]; then
84 ldap_search '(&(memberOf
='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \
87 if [ ! -z "$line" ]; then
88 if [[ $line == dn* ]]; then
90 user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
92 elif [[ $line == $KEY* ]]; then
93 key
=$(clean_key_line pub "$line")
94 key_forward
=$(clean_key_line forward "$line")
95 if [ ! -z "$key" ]; then
96 if [[ $key != *$
'\n'* ]] && [[ $key == ssh-* ]]; then
97 echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" '
100 elif [ ! -z "$key_forward" ]; then
101 if [[ $key_forward != *$
'\n'* ]] && [[ $key_forward == ssh-* ]]; then
102 echo "# forward only"
103 echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
112 ldap_search
'(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \
115 if [ ! -z "$line" ]; then
116 if [[ $line == dn
* ]]; then
118 user
=$(sed -n 's/.*uid=\([^,]*\).
*/\
1/p
' <<< "$line")
120 elif [[ $line == $KEY* ]]; then
121 key=$(clean_key_line forward "$line")
122 if [ ! -z "$key" ]; then
123 if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
124 echo -n 'no
-pty,no
-X11-forwarding,command="'$ECHO' forward only" '
133 ldap_search '(&(memberOf
='$LDAP_MEMBER')('$KEY'=*)(uid
='$user'))' $KEY | \
136 if [ ! -z "$line" ]; then
137 if [[ $line == dn* ]]; then
138 user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
139 elif [[ $line == $KEY* ]]; then
140 key
=$(clean_key_line ssh "$line")
141 if [ ! -z "$key" ]; then
142 if [[ $key != *$
'\n'* ]] && [[ $key == ssh-* ]]; then