Migrate FTP access ssh keys

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2023-11-26 00:00:56 +0100
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2023-11-26 00:10:19 +0100
commit: 0503b1f07e839e2da7c2b26139eafeaee627a4a6 (patch)
tree: 02382c395dd55d03329506c55d8567c7487b3171
parent: 31ed28823684241760bba4c543e3e35667b58c09 (diff)
download: Nix-0503b1f07e839e2da7c2b26139eafeaee627a4a6.tar.gz
Nix-0503b1f07e839e2da7c2b26139eafeaee627a4a6.tar.zst
Nix-0503b1f07e839e2da7c2b26139eafeaee627a4a6.zip
4 files changed, 19 insertions, 39 deletions
diff --git a/deploy/flake.lock b/deploy/flake.lock
index cda3008..f2517ef 100644
--- a/deploy/flake.lock
+++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-uN1hah0fHMQoPHlU2DaCZSe6VEgbTbte//c7rLSwYQM=",
+        "narHash": "sha256-ICKEuT8YaVKsXgdau986YYMhcH+DfeOyD3XQBKUTMOM=",
        "path": "../flakes",
        "type": "path"
      },
@@ -3903,7 +3903,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=",
+        "narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=",
        "path": "../systems/eldiron",
        "type": "path"
      },
diff --git a/flake.lock b/flake.lock
index d1f5a88..47a4bd6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2664,7 +2664,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-uN1hah0fHMQoPHlU2DaCZSe6VEgbTbte//c7rLSwYQM=",
+        "narHash": "sha256-ICKEuT8YaVKsXgdau986YYMhcH+DfeOyD3XQBKUTMOM=",
        "path": "./flakes",
        "type": "path"
      },
@@ -3919,7 +3919,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=",
+        "narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=",
        "path": "../systems/eldiron",
        "type": "path"
      },
diff --git a/flakes/flake.lock b/flakes/flake.lock
index 64c9100..6dcee3d 100644
--- a/flakes/flake.lock
+++ b/flakes/flake.lock
@@ -3824,7 +3824,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=",
+        "narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=",
        "path": "../systems/eldiron",
        "type": "path"
      },
diff --git a/systems/eldiron/ftp_sync.sh b/systems/eldiron/ftp_sync.sh
index aff7178..6760aab 100755
--- a/systems/eldiron/ftp_sync.sh
+++ b/systems/eldiron/ftp_sync.sh
@@ -7,41 +7,21 @@ LDAP_PASS=$(cat /etc/ssh/ldap_password)
 LDAP_HOST="ldap://ldap.immae.eu"
 LDAP_BASE="dc=immae,dc=eu"
 LDAP_FILTER="(memberOf=cn=users,cn=ftp,ou=services,dc=immae,dc=eu)"
+USER_LDAP_BASE="ou=users,dc=immae,dc=eu"
-handle_keys() {
+PSQL_BASE="immae"
-  uids="$1"
+PSQL_HOST="localhost"
-  keys="$2"
+PSQL_USER="immae_auth_read"
-  if [ -n "$uids" ]; then
+PSQL_PASS=$(cat /etc/ssh/psql_password)
-    for uid in $uids; do
-      echo "$keys" | while read key; do
-        if [ -n "$key" ]; then
-          ssh-keygen -e -f <(echo "$key")
-        fi
-      done > /var/lib/proftpd/authorized_keys/$uid
-    done
-  fi
-}
 mkdir -p /var/lib/proftpd/authorized_keys
-while read i; do
+allowed_logins=$(ldapsearch -H "$LDAP_HOST" -ZZ -LLL -D "$LDAP_BIND" -w "$LDAP_PASS" -b "$LDAP_BASE" -x -o ldif-wrap=no "$LDAP_FILTER" '' \
-  if [[ "$i" =~ ^dn: ]]; then
+    | grep "^dn.*$USER_LDAP_BASE$" \
-    handle_keys "$uids" "$keys"
+    | sed -e "s/^dn: uid=\([^,]*\),.*$USER_LDAP_BASE$/'\1'/" \
-    uids=""
+    | paste -sd,)
-    keys=""
-  fi;
+PGPASSWORD="$PSQL_PASS" psql -U "$PSQL_USER" -h "$PSQL_HOST" -X -A -t -d "$PSQL_BASE" -c "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'ftp' = ANY(usage) AND login IN ($allowed_logins);" | while IFS='|' read user key; do
-  if [[ "$i" =~ ^uid: ]]; then
+  touch /var/lib/proftpd/authorized_keys/$user
-    uids="$uids ${i#uid: }"
+  ssh-keygen -e -f <(echo "$key") >> /var/lib/proftpd/authorized_keys/$user
-  fi
+done
-  if [[ "$i" =~ ^immaeSshKey: ]]; then
-    key="${i#immaeSshKey: }"
-    if [[ "$key" =~ ^ssh- ]]; then
-      keys="$keys
-$key"
-    elif echo "$key" | cut -d" " -f1 | grep -q "\bftp\b"; then
-      keys="$keys
-$(echo "$key" | cut -d" " -f2-)"
-    fi
-  fi
-done < <(ldapsearch -H "$LDAP_HOST" -ZZ -LLL -D "$LDAP_BIND" -w "$LDAP_PASS" -b "$LDAP_BASE" -x -o ldif-wrap=no "$LDAP_FILTER" uid immaeSshKey)
-handle_keys "$uids" "$keys"
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2023-11-26 00:00:56 +0100
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2023-11-26 00:10:19 +0100
commit	0503b1f07e839e2da7c2b26139eafeaee627a4a6 (patch)
tree	02382c395dd55d03329506c55d8567c7487b3171
parent	31ed28823684241760bba4c543e3e35667b58c09 (diff)
download	Nix-0503b1f07e839e2da7c2b26139eafeaee627a4a6.tar.gz Nix-0503b1f07e839e2da7c2b26139eafeaee627a4a6.tar.zst Nix-0503b1f07e839e2da7c2b26139eafeaee627a4a6.zip

diff --git a/deploy/flake.lock b/deploy/flake.lock index cda3008..f2517ef 100644 --- a/deploy/flake.lock +++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@
2783	},	2783	},
2784	"locked": {	2784	"locked": {
2785	"lastModified": 1,	2785	"lastModified": 1,
2786	"narHash": "sha256-uN1hah0fHMQoPHlU2DaCZSe6VEgbTbte//c7rLSwYQM=",	2786	"narHash": "sha256-ICKEuT8YaVKsXgdau986YYMhcH+DfeOyD3XQBKUTMOM=",
2787	"path": "../flakes",	2787	"path": "../flakes",
2788	"type": "path"	2788	"type": "path"
2789	},	2789	},
@@ -3903,7 +3903,7 @@
3903	},	3903	},
3904	"locked": {	3904	"locked": {
3905	"lastModified": 1,	3905	"lastModified": 1,
3906	"narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=",	3906	"narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=",
3907	"path": "../systems/eldiron",	3907	"path": "../systems/eldiron",
3908	"type": "path"	3908	"type": "path"
3909	},	3909	},


diff --git a/flake.lock b/flake.lock index d1f5a88..47a4bd6 100644 --- a/flake.lock +++ b/flake.lock
@@ -2664,7 +2664,7 @@
2664	},	2664	},
2665	"locked": {	2665	"locked": {
2666	"lastModified": 1,	2666	"lastModified": 1,
2667	"narHash": "sha256-uN1hah0fHMQoPHlU2DaCZSe6VEgbTbte//c7rLSwYQM=",	2667	"narHash": "sha256-ICKEuT8YaVKsXgdau986YYMhcH+DfeOyD3XQBKUTMOM=",
2668	"path": "./flakes",	2668	"path": "./flakes",
2669	"type": "path"	2669	"type": "path"
2670	},	2670	},
@@ -3919,7 +3919,7 @@
3919	},	3919	},
3920	"locked": {	3920	"locked": {
3921	"lastModified": 1,	3921	"lastModified": 1,
3922	"narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=",	3922	"narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=",
3923	"path": "../systems/eldiron",	3923	"path": "../systems/eldiron",
3924	"type": "path"	3924	"type": "path"
3925	},	3925	},


diff --git a/flakes/flake.lock b/flakes/flake.lock index 64c9100..6dcee3d 100644 --- a/flakes/flake.lock +++ b/flakes/flake.lock
@@ -3824,7 +3824,7 @@
3824	},	3824	},
3825	"locked": {	3825	"locked": {
3826	"lastModified": 1,	3826	"lastModified": 1,
3827	"narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=",	3827	"narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=",
3828	"path": "../systems/eldiron",	3828	"path": "../systems/eldiron",
3829	"type": "path"	3829	"type": "path"
3830	},	3830	},


diff --git a/systems/eldiron/ftp_sync.sh b/systems/eldiron/ftp_sync.sh index aff7178..6760aab 100755 --- a/systems/eldiron/ftp_sync.sh +++ b/systems/eldiron/ftp_sync.sh
@@ -7,41 +7,21 @@ LDAP_PASS=$(cat /etc/ssh/ldap_password)
7	LDAP_HOST="ldap://ldap.immae.eu"	7	LDAP_HOST="ldap://ldap.immae.eu"
8	LDAP_BASE="dc=immae,dc=eu"	8	LDAP_BASE="dc=immae,dc=eu"
9	LDAP_FILTER="(memberOf=cn=users,cn=ftp,ou=services,dc=immae,dc=eu)"	9	LDAP_FILTER="(memberOf=cn=users,cn=ftp,ou=services,dc=immae,dc=eu)"
		10	USER_LDAP_BASE="ou=users,dc=immae,dc=eu"
10		11
11	handle_keys() {	12	PSQL_BASE="immae"
12	uids="$1"	13	PSQL_HOST="localhost"
13	keys="$2"	14	PSQL_USER="immae_auth_read"
14	if [ -n "$uids" ]; then	15	PSQL_PASS=$(cat /etc/ssh/psql_password)
15	for uid in $uids; do
16	echo "$keys" \| while read key; do
17	if [ -n "$key" ]; then
18	ssh-keygen -e -f <(echo "$key")
19	fi
20	done > /var/lib/proftpd/authorized_keys/$uid
21	done
22	fi
23	}
24		16
25	mkdir -p /var/lib/proftpd/authorized_keys	17	mkdir -p /var/lib/proftpd/authorized_keys
26		18
27	while read i; do	19	allowed_logins=$(ldapsearch -H "$LDAP_HOST" -ZZ -LLL -D "$LDAP_BIND" -w "$LDAP_PASS" -b "$LDAP_BASE" -x -o ldif-wrap=no "$LDAP_FILTER" '' \
28	if [[ "$i" =~ ^dn: ]]; then	20	\| grep "^dn.*$USER_LDAP_BASE$" \
29	handle_keys "$uids" "$keys"	21	\| sed -e "s/^dn: uid=\([^,]\),.$USER_LDAP_BASE$/'\1'/" \
30	uids=""	22	\| paste -sd,)
31	keys=""	23
32	fi;	24	PGPASSWORD="$PSQL_PASS" psql -U "$PSQL_USER" -h "$PSQL_HOST" -X -A -t -d "$PSQL_BASE" -c "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'ftp' = ANY(usage) AND login IN ($allowed_logins);" \| while IFS='\|' read user key; do
33	if [[ "$i" =~ ^uid: ]]; then	25	touch /var/lib/proftpd/authorized_keys/$user
34	uids="$uids ${i#uid: }"	26	ssh-keygen -e -f <(echo "$key") >> /var/lib/proftpd/authorized_keys/$user
35	fi	27	done
36	if [[ "$i" =~ ^immaeSshKey: ]]; then
37	key="${i#immaeSshKey: }"
38	if [[ "$key" =~ ^ssh- ]]; then
39	keys="$keys
40	$key"
41	elif echo "$key" \| cut -d" " -f1 \| grep -q "\bftp\b"; then
42	keys="$keys
43	$(echo "$key" \| cut -d" " -f2-)"
44	fi
45	fi
46	done < <(ldapsearch -H "$LDAP_HOST" -ZZ -LLL -D "$LDAP_BIND" -w "$LDAP_PASS" -b "$LDAP_BASE" -x -o ldif-wrap=no "$LDAP_FILTER" uid immaeSshKey)
47	handle_keys "$uids" "$keys"