author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-11-26 00:00:56 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-11-26 00:10:19 +0100 |
commit | 0503b1f07e839e2da7c2b26139eafeaee627a4a6 (patch) | |
tree | 02382c395dd55d03329506c55d8567c7487b3171 | |
parent | 31ed28823684241760bba4c543e3e35667b58c09 (diff) | |
download | Nix-0503b1f07e839e2da7c2b26139eafeaee627a4a6.tar.gz Nix-0503b1f07e839e2da7c2b26139eafeaee627a4a6.tar.zst Nix-0503b1f07e839e2da7c2b26139eafeaee627a4a6.zip |
Migrate FTP access ssh keys
-rw-r--r-- | deploy/flake.lock | 4 | ||||
-rw-r--r-- | flake.lock | 4 | ||||
-rw-r--r-- | flakes/flake.lock | 2 | ||||
-rwxr-xr-x | systems/eldiron/ftp_sync.sh | 48 |
4 files changed, 19 insertions, 39 deletions
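--- a/deploy/flake.lock
+++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@
 },
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-uN1hah0fHMQoPHlU2DaCZSe6VEgbTbte//c7rLSwYQM=",
+"narHash": "sha256-ICKEuT8YaVKsXgdau986YYMhcH+DfeOyD3XQBKUTMOM=",
 "path": "../flakes",
 "type": "path"
 },
@@ -3903,7 +3903,7 @@
 },
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=",
+"narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=",
 "path": "../systems/eldiron",
 "type": "path"
 },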
@@ -2664,7 +2664,7 @@ | |||
2664 | }, | 2664 | }, |
2665 | "locked": { | 2665 | "locked": { |
2666 | "lastModified": 1, | 2666 | "lastModified": 1, |
2667 | "narHash": "sha256-uN1hah0fHMQoPHlU2DaCZSe6VEgbTbte//c7rLSwYQM=", | 2667 | "narHash": "sha256-ICKEuT8YaVKsXgdau986YYMhcH+DfeOyD3XQBKUTMOM=", |
2668 | "path": "./flakes", | 2668 | "path": "./flakes", |
2669 | "type": "path" | 2669 | "type": "path" |
2670 | }, | 2670 | }, |
@@ -3919,7 +3919,7 @@ | |||
3919 | }, | 3919 | }, |
3920 | "locked": { | 3920 | "locked": { |
3921 | "lastModified": 1, | 3921 | "lastModified": 1, |
3922 | "narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=", | 3922 | "narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=", |
3923 | "path": "../systems/eldiron", | 3923 | "path": "../systems/eldiron", |
3924 | "type": "path" | 3924 | "type": "path" |
3925 | }, | 3925 | }, |
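--- a/flakes/flake.lock
+++ b/flakes/flake.lock
@@ -3824,7 +3824,7 @@
 },
 "locked": {
 "lastModified": 1,
-"narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=",
+"narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=",
 "path": "../systems/eldiron",
 "type": "path"
 },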
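--- a/systems/eldiron/ftp_sync.sh
+++ b/systems/eldiron/ftp_sync.sh
@@ -7,41 +7,21 @@ LDAP_PASS=$(cat /etc/ssh/ldap_password)
 LDAP_HOST="ldap://ldap.immae.eu"
 LDAP_BASE="dc=immae,dc=eu"
 LDAP_FILTER="(memberOf=cn=users,cn=ftp,ou=services,dc=immae,dc=eu)"
+USER_LDAP_BASE="ou=users,dc=immae,dc=eu"
 
-handle_keys() {
-uids="$1"
-keys="$2"
-if [ -n "$uids" ]; then
-for uid in $uids; do
-echo "$keys" | while read key; do
-if [ -n "$key" ]; then
-ssh-keygen -e -f <(echo "$key")
-fi
-done > /var/lib/proftpd/authorized_keys/$uid
-done
-fi
-}
+PSQL_BASE="immae"
+PSQL_HOST="localhost"
+PSQL_USER="immae_auth_read"
+PSQL_PASS=$(cat /etc/ssh/psql_password)
 
 mkdir -p /var/lib/proftpd/authorized_keys
 
-while read i; do
-if [[ "$i" =~ ^dn: ]]; then
-handle_keys "$uids" "$keys"
-uids=""
-keys=""
-fi;
-if [[ "$i" =~ ^uid: ]]; then
-uids="$uids ${i#uid: }"
-fi
-if [[ "$i" =~ ^immaeSshKey: ]]; then
-key="${i#immaeSshKey: }"
-if [[ "$key" =~ ^ssh- ]]; then
-keys="$keys
-$key"
-elif echo "$key" | cut -d" " -f1 | grep -q "\bftp\b"; then
-keys="$keys
-$(echo "$key" | cut -d" " -f2-)"
-fi
-fi
-done < <(ldapsearch -H "$LDAP_HOST" -ZZ -LLL -D "$LDAP_BIND" -w "$LDAP_PASS" -b "$LDAP_BASE" -x -o ldif-wrap=no "$LDAP_FILTER" uid immaeSshKey)
-handle_keys "$uids" "$keys"
+allowed_logins=$(ldapsearch -H "$LDAP_HOST" -ZZ -LLL -D "$LDAP_BIND" -w "$LDAP_PASS" -b "$LDAP_BASE" -x -o ldif-wrap=no "$LDAP_FILTER" '' \
+| grep "^dn.*$USER_LDAP_BASE$" \
+| sed -e "s/^dn: uid=\([^,]*\),.*$USER_LDAP_BASE$/'\1'/" \
+| paste -sd,)
+
+PGPASSWORD="$PSQL_PASS" psql -U "$PSQL_USER" -h "$PSQL_HOST" -X -A -t -d "$PSQL_BASE" -c "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'ftp' = ANY(usage) AND login IN ($allowed_logins);" | while IFS='|' read user key; do
+touch /var/lib/proftpd/authorized_keys/$user
+ssh-keygen -e -f <(echo "$key") >> /var/lib/proftpd/authorized_keys/$user
+done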