diff options
Diffstat (limited to 'modules/private/ssh/ldap_authorized_keys.sh')
-rwxr-xr-x | modules/private/ssh/ldap_authorized_keys.sh | 102 |
1 files changed, 1 insertions, 101 deletions
diff --git a/modules/private/ssh/ldap_authorized_keys.sh b/modules/private/ssh/ldap_authorized_keys.sh index d556452..402f283 100755 --- a/modules/private/ssh/ldap_authorized_keys.sh +++ b/modules/private/ssh/ldap_authorized_keys.sh | |||
@@ -5,13 +5,7 @@ KEY="immaeSshKey" | |||
5 | LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu" | 5 | LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu" |
6 | LDAP_PASS=$(cat /etc/ssh/ldap_password) | 6 | LDAP_PASS=$(cat /etc/ssh/ldap_password) |
7 | LDAP_HOST="ldap.immae.eu" | 7 | LDAP_HOST="ldap.immae.eu" |
8 | LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu" | ||
9 | LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu" | ||
10 | LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu" | ||
11 | LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu" | ||
12 | LDAP_BASE="dc=immae,dc=eu" | 8 | LDAP_BASE="dc=immae,dc=eu" |
13 | GITOLITE_SHELL=$(which gitolite-shell) | ||
14 | ECHO=$(which echo) | ||
15 | 9 | ||
16 | suitable_for() { | 10 | suitable_for() { |
17 | type_for="$1" | 11 | type_for="$1" |
@@ -52,101 +46,7 @@ ldap_search() { | |||
52 | 46 | ||
53 | ldap_keys() { | 47 | ldap_keys() { |
54 | user=$1; | 48 | user=$1; |
55 | if [[ $user == gitolite ]]; then | 49 | @snippets@ |
56 | ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY | \ | ||
57 | while read line ; | ||
58 | do | ||
59 | if [ ! -z "$line" ]; then | ||
60 | if [[ $line == dn* ]]; then | ||
61 | user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") | ||
62 | if [ -n "$user" ]; then | ||
63 | if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then | ||
64 | # Capitalize first letter (backward compatibility) | ||
65 | user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user") | ||
66 | fi | ||
67 | else | ||
68 | # Service fake user | ||
69 | user=$(sed -n 's/.*cn=\([^,]*\).*/\1/p' <<< "$line") | ||
70 | fi | ||
71 | elif [[ $line == $KEY* ]]; then | ||
72 | key=$(clean_key_line git "$line") | ||
73 | if [ ! -z "$key" ]; then | ||
74 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | ||
75 | echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ' | ||
76 | echo $key | ||
77 | fi | ||
78 | fi | ||
79 | fi | ||
80 | fi | ||
81 | done | ||
82 | exit 0 | ||
83 | elif [[ $user == pub ]]; then | ||
84 | ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \ | ||
85 | while read line ; | ||
86 | do | ||
87 | if [ ! -z "$line" ]; then | ||
88 | if [[ $line == dn* ]]; then | ||
89 | echo "" | ||
90 | user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") | ||
91 | echo "# $user" | ||
92 | elif [[ $line == $KEY* ]]; then | ||
93 | key=$(clean_key_line pub "$line") | ||
94 | key_forward=$(clean_key_line forward "$line") | ||
95 | if [ ! -z "$key" ]; then | ||
96 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | ||
97 | echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" ' | ||
98 | echo $key | ||
99 | fi | ||
100 | elif [ ! -z "$key_forward" ]; then | ||
101 | if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then | ||
102 | echo "# forward only" | ||
103 | echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' | ||
104 | echo $key_forward | ||
105 | fi | ||
106 | fi | ||
107 | fi | ||
108 | fi | ||
109 | done | ||
110 | |||
111 | echo "" | ||
112 | ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \ | ||
113 | while read line ; | ||
114 | do | ||
115 | if [ ! -z "$line" ]; then | ||
116 | if [[ $line == dn* ]]; then | ||
117 | echo "" | ||
118 | user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") | ||
119 | echo "# $user" | ||
120 | elif [[ $line == $KEY* ]]; then | ||
121 | key=$(clean_key_line forward "$line") | ||
122 | if [ ! -z "$key" ]; then | ||
123 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | ||
124 | echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' | ||
125 | echo $key | ||
126 | fi | ||
127 | fi | ||
128 | fi | ||
129 | fi | ||
130 | done | ||
131 | exit 0 | ||
132 | else | ||
133 | ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \ | ||
134 | while read line ; | ||
135 | do | ||
136 | if [ ! -z "$line" ]; then | ||
137 | if [[ $line == dn* ]]; then | ||
138 | user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") | ||
139 | elif [[ $line == $KEY* ]]; then | ||
140 | key=$(clean_key_line ssh "$line") | ||
141 | if [ ! -z "$key" ]; then | ||
142 | if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then | ||
143 | echo $key | ||
144 | fi | ||
145 | fi | ||
146 | fi | ||
147 | fi | ||
148 | done | ||
149 | fi | ||
150 | } | 50 | } |
151 | 51 | ||
152 | ldap_keys $@ | 52 | ldap_keys $@ |