diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 01:35:06 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 02:11:48 +0200 |
commit | 1a64deeb894dc95e2645a75771732c6cc53a79ad (patch) | |
tree | 1b9df4838f894577a09b9b260151756272efeb53 /flakes/private/ssh/ldap_authorized_keys.sh | |
parent | fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff) | |
download | Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.gz Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.zst Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.zip |
Squash changes containing private information
There were a lot of changes since the previous commit, but a lot of them
contained personnal information about users. All thos changes got
stashed into a single commit (history is kept in a different place) and
private information was moved in a separate private repository
Diffstat (limited to 'flakes/private/ssh/ldap_authorized_keys.sh')
-rwxr-xr-x | flakes/private/ssh/ldap_authorized_keys.sh | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/flakes/private/ssh/ldap_authorized_keys.sh b/flakes/private/ssh/ldap_authorized_keys.sh new file mode 100755 index 0000000..f4395be --- /dev/null +++ b/flakes/private/ssh/ldap_authorized_keys.sh | |||
@@ -0,0 +1,62 @@ | |||
1 | #!/usr/bin/env bash | ||
2 | |||
3 | LDAPSEARCH=ldapsearch | ||
4 | KEY="immaeSshKey" | ||
5 | LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu" | ||
6 | LDAP_PASS=$(cat /etc/ssh/ldap_password) | ||
7 | LDAP_HOST="ldap://ldap.immae.eu" | ||
8 | LDAP_BASE="dc=immae,dc=eu" | ||
9 | USER_LDAP_BASE="ou=users,dc=immae,dc=eu" | ||
10 | |||
11 | PSQL_BASE="immae" | ||
12 | PSQL_HOST="localhost" | ||
13 | PSQL_USER="immae_auth_read" | ||
14 | PSQL_PASS=$(cat /etc/ssh/psql_password) | ||
15 | |||
16 | suitable_for() { | ||
17 | type_for="$1" | ||
18 | key="$2" | ||
19 | |||
20 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | ||
21 | echo "$key" | ||
22 | else | ||
23 | key_type=$(cut -d " " -f 1 <<< "$key") | ||
24 | |||
25 | if grep -q "\b-$type_for\b" <<< "$key_type"; then | ||
26 | echo "" | ||
27 | elif grep -q "\b$type_for\b" <<< "$key_type"; then | ||
28 | echo $(sed -e "s/^[^ ]* //g" <<< "$key") | ||
29 | else | ||
30 | echo "" | ||
31 | fi | ||
32 | fi | ||
33 | } | ||
34 | |||
35 | clean_key_line() { | ||
36 | type_for="$1" | ||
37 | line="$2" | ||
38 | |||
39 | if [[ "$line" == $KEY::* ]]; then | ||
40 | # base64 keys should't happen, unless wrong copy-pasting | ||
41 | key="" | ||
42 | else | ||
43 | key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line") | ||
44 | fi | ||
45 | |||
46 | suitable_for "$type_for" "$key" | ||
47 | } | ||
48 | |||
49 | ldap_search() { | ||
50 | $LDAPSEARCH -H $LDAP_HOST -ZZ -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@" | ||
51 | } | ||
52 | |||
53 | psql_search() { | ||
54 | PGPASSWORD="$PSQL_PASS" psql -U "$PSQL_USER" -h "$PSQL_HOST" -X -A -t -d "$PSQL_BASE" -c "$@" | ||
55 | } | ||
56 | |||
57 | ldap_keys() { | ||
58 | user=$1; | ||
59 | @snippets@ | ||
60 | } | ||
61 | |||
62 | ldap_keys $@ | ||