Migrate FTP access ssh keys
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 25 Nov 2023 23:00:56 +0000 (00:00 +0100)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 25 Nov 2023 23:10:19 +0000 (00:10 +0100)
deploy/flake.lock
flake.lock
flakes/flake.lock
systems/eldiron/ftp_sync.sh

index cda30082ba7035c87043ef5b3e5f4b88a27a1b15..f2517ef5d3785c2765baceed4ed307217ea0b1f6 100644 (file)
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-uN1hah0fHMQoPHlU2DaCZSe6VEgbTbte//c7rLSwYQM=",
+        "narHash": "sha256-ICKEuT8YaVKsXgdau986YYMhcH+DfeOyD3XQBKUTMOM=",
         "path": "../flakes",
         "type": "path"
       },
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=",
+        "narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=",
         "path": "../systems/eldiron",
         "type": "path"
       },
index d1f5a88c3140368afbdf7de81c2c5bab94aad9a5..47a4bd660c00364575444954893bbe41c688f01c 100644 (file)
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-uN1hah0fHMQoPHlU2DaCZSe6VEgbTbte//c7rLSwYQM=",
+        "narHash": "sha256-ICKEuT8YaVKsXgdau986YYMhcH+DfeOyD3XQBKUTMOM=",
         "path": "./flakes",
         "type": "path"
       },
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=",
+        "narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=",
         "path": "../systems/eldiron",
         "type": "path"
       },
index 64c9100114904dda08a5eecdbe46b8b07c5e140a..6dcee3da21b2f95925911096f596deb0c0fd2847 100644 (file)
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=",
+        "narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=",
         "path": "../systems/eldiron",
         "type": "path"
       },
index aff7178007032c9f20fec8c37c776e8fabb7c634..6760aab8c51ef0a09b9b2ddc3c4285210b882d96 100755 (executable)
@@ -7,41 +7,21 @@ LDAP_PASS=$(cat /etc/ssh/ldap_password)
 LDAP_HOST="ldap://ldap.immae.eu"
 LDAP_BASE="dc=immae,dc=eu"
 LDAP_FILTER="(memberOf=cn=users,cn=ftp,ou=services,dc=immae,dc=eu)"
+USER_LDAP_BASE="ou=users,dc=immae,dc=eu"
 
-handle_keys() {
-  uids="$1"
-  keys="$2"
-  if [ -n "$uids" ]; then
-    for uid in $uids; do
-      echo "$keys" | while read key; do
-        if [ -n "$key" ]; then
-          ssh-keygen -e -f <(echo "$key")
-        fi
-      done > /var/lib/proftpd/authorized_keys/$uid
-    done
-  fi
-}
+PSQL_BASE="immae"
+PSQL_HOST="localhost"
+PSQL_USER="immae_auth_read"
+PSQL_PASS=$(cat /etc/ssh/psql_password)
 
 mkdir -p /var/lib/proftpd/authorized_keys
 
-while read i; do
-  if [[ "$i" =~ ^dn: ]]; then
-    handle_keys "$uids" "$keys"
-    uids=""
-    keys=""
-  fi;
-  if [[ "$i" =~ ^uid: ]]; then
-    uids="$uids ${i#uid: }"
-  fi
-  if [[ "$i" =~ ^immaeSshKey: ]]; then
-    key="${i#immaeSshKey: }"
-    if [[ "$key" =~ ^ssh- ]]; then
-      keys="$keys
-$key"
-    elif echo "$key" | cut -d" " -f1 | grep -q "\bftp\b"; then
-      keys="$keys
-$(echo "$key" | cut -d" " -f2-)"
-    fi
-  fi
-done < <(ldapsearch -H "$LDAP_HOST" -ZZ -LLL -D "$LDAP_BIND" -w "$LDAP_PASS" -b "$LDAP_BASE" -x -o ldif-wrap=no "$LDAP_FILTER" uid immaeSshKey)
-handle_keys "$uids" "$keys"
+allowed_logins=$(ldapsearch -H "$LDAP_HOST" -ZZ -LLL -D "$LDAP_BIND" -w "$LDAP_PASS" -b "$LDAP_BASE" -x -o ldif-wrap=no "$LDAP_FILTER" '' \
+    | grep "^dn.*$USER_LDAP_BASE$" \
+    | sed -e "s/^dn: uid=\([^,]*\),.*$USER_LDAP_BASE$/'\1'/" \
+    | paste -sd,)
+
+PGPASSWORD="$PSQL_PASS" psql -U "$PSQL_USER" -h "$PSQL_HOST" -X -A -t -d "$PSQL_BASE" -c "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'ftp' = ANY(usage) AND login IN ($allowed_logins);" | while IFS='|' read user key; do
+  touch /var/lib/proftpd/authorized_keys/$user
+  ssh-keygen -e -f <(echo "$key") >> /var/lib/proftpd/authorized_keys/$user
+done
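Review bot: The new loop only ever appends (`touch` then `>>`) to `/var/lib/proftpd/authorized_keys/$user`, so the per-user file is never truncated: each run re-adds every key, and a key dropped from `ldap_users_ssh_keys` or a login that leaves the ftp group keeps whatever the previous run wrote and stays authorized, whereas the removed `handle_keys` rewrote each uid's file with `>` on every run. Ordering the query by login and truncating the file on the first row for each login restores that behaviour (stale files for logins that no longer appear at all still need removing, e.g. by writing into a `mktemp -d` directory and swapping it in); `$user` should be quoted in the paths, `read` given `-r`, and the key fed through `printf '%s\n'` rather than `echo`. Separately, `login IN ($allowed_logins)` is built by string interpolation from DN values rewritten by `sed`: an empty LDAP result yields `IN ()`, which PostgreSQL rejects as a syntax error, and a uid containing a single quote would break or alter the statement, so at minimum guard the empty case before calling psql, `[ -n "$allowed_logins" ] || { echo "no ftp users found in LDAP" >&2; exit 1; }`.
```shell
# … unchanged: LDAP_* / PSQL_* settings, mkdir, allowed_logins …
keydir=/var/lib/proftpd/authorized_keys
prev=
PGPASSWORD="$PSQL_PASS" psql -U "$PSQL_USER" -h "$PSQL_HOST" -X -A -t -d "$PSQL_BASE" \
  -c "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'ftp' = ANY(usage) AND login IN ($allowed_logins) ORDER BY login;" \
  | while IFS='|' read -r user key; do
  if [ "$user" != "$prev" ]; then
    : > "$keydir/$user"   # first key for this login: discard what the previous run wrote
    prev=$user
  fi
  ssh-keygen -e -f <(printf '%s\n' "$key") >> "$keydir/$user"
done
```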