1 files changed, 38 insertions, 0 deletions
diff --git a/systems/eldiron/pub/ldap_pub.sh b/systems/eldiron/pub/ldap_pub.sh
new file mode 100644
index 0000000..9f03ffe
--- /dev/null
+++ b/systems/eldiron/pub/ldap_pub.sh
@@ -0,0 +1,38 @@
+### This snippet is not standalone and must be integrated in the global ldap_authorized_keys.sh
+LDAP_PUB_RESTRICT_MEMBER="@pub_ldap_pub_group@"
+LDAP_PUB_FORWARD_MEMBER="@pub_ldap_forward_group@"
+ECHO="@pub_echo_command@"
+if [[ $user == pub ]]; then
+  allowed_logins=$(LDAP_BASE=$USER_LDAP_BASE \
+    ldap_search '(memberOf='$LDAP_PUB_RESTRICT_MEMBER')' '' \
+      | grep ^dn \
+      | sed -e "s/^dn: uid=\([^,]*\),.*$USER_LDAP_BASE$/'\1'/" \
+      | paste -sd,)
+  allowed_forwards=$(LDAP_BASE=$USER_LDAP_BASE \
+    ldap_search '(memberOf='$LDAP_PUB_FORWARD_MEMBER')' '' \
+      | grep ^dn \
+      | sed -e "s/^dn: uid=\([^,]*\),.*$USER_LDAP_BASE$/'\1'/" \
+      | paste -sd,)
+  psql_search "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'pub' = ANY(usage) AND login IN ($allowed_logins);" | while IFS='|' read user key; do
+    if [ ! -z "$key" ]; then
+      if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+        echo -n 'command="@pub_restrict_command@ '$user'" '
+        echo $key
+      fi
+    fi
+  done
+  psql_search "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'forward' = ANY(usage) AND login IN ($allowed_logins,$allowed_forwards);" | while IFS='|' read user key; do
+    if [ ! -z "$key" ]; then
+      if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+        echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
+        echo $key
+      fi
+    fi
+  done
+  exit 0
+fi

diff --git a/systems/eldiron/pub/ldap_pub.sh b/systems/eldiron/pub/ldap_pub.sh new file mode 100644 index 0000000..9f03ffe --- /dev/null +++ b/systems/eldiron/pub/ldap_pub.sh
@@ -0,0 +1,38 @@
	1	### This snippet is not standalone and must be integrated in the global ldap_authorized_keys.sh
	2	LDAP_PUB_RESTRICT_MEMBER="@pub_ldap_pub_group@"
	3	LDAP_PUB_FORWARD_MEMBER="@pub_ldap_forward_group@"
	4	ECHO="@pub_echo_command@"
	5
	6	if [[ $user == pub ]]; then
	7	allowed_logins=$(LDAP_BASE=$USER_LDAP_BASE \
	8	ldap_search '(memberOf='$LDAP_PUB_RESTRICT_MEMBER')' '' \
	9	\| grep ^dn \
	10	\| sed -e "s/^dn: uid=\([^,]\),.$USER_LDAP_BASE$/'\1'/" \
	11	\| paste -sd,)
	12
	13	allowed_forwards=$(LDAP_BASE=$USER_LDAP_BASE \
	14	ldap_search '(memberOf='$LDAP_PUB_FORWARD_MEMBER')' '' \
	15	\| grep ^dn \
	16	\| sed -e "s/^dn: uid=\([^,]\),.$USER_LDAP_BASE$/'\1'/" \
	17	\| paste -sd,)
	18
	19	psql_search "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'pub' = ANY(usage) AND login IN ($allowed_logins);" \| while IFS='\|' read user key; do
	20	if [ ! -z "$key" ]; then
	21	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
	22	echo -n 'command="@pub_restrict_command@ '$user'" '
	23	echo $key
	24	fi
	25	fi
	26	done
	27
	28	psql_search "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'forward' = ANY(usage) AND login IN ($allowed_logins,$allowed_forwards);" \| while IFS='\|' read user key; do
	29	if [ ! -z "$key" ]; then
	30	if [[ $key != $'\n' ]] && [[ $key == ssh-* ]]; then
	31	echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
	32	echo $key
	33	fi
	34	fi
	35	done
	36	exit 0
	37	fi
	38