From 0503b1f07e839e2da7c2b26139eafeaee627a4a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sun, 26 Nov 2023 00:00:56 +0100 Subject: Migrate FTP access ssh keys --- deploy/flake.lock | 4 ++-- flake.lock | 4 ++-- flakes/flake.lock | 2 +- systems/eldiron/ftp_sync.sh | 48 +++++++++++++-------------------------------- 4 files changed, 19 insertions(+), 39 deletions(-) diff --git a/deploy/flake.lock b/deploy/flake.lock index cda3008..f2517ef 100644 --- a/deploy/flake.lock +++ b/deploy/flake.lock @@ -2783,7 +2783,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-uN1hah0fHMQoPHlU2DaCZSe6VEgbTbte//c7rLSwYQM=", + "narHash": "sha256-ICKEuT8YaVKsXgdau986YYMhcH+DfeOyD3XQBKUTMOM=", "path": "../flakes", "type": "path" }, @@ -3903,7 +3903,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=", + "narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=", "path": "../systems/eldiron", "type": "path" }, diff --git a/flake.lock b/flake.lock index d1f5a88..47a4bd6 100644 --- a/flake.lock +++ b/flake.lock @@ -2664,7 +2664,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-uN1hah0fHMQoPHlU2DaCZSe6VEgbTbte//c7rLSwYQM=", + "narHash": "sha256-ICKEuT8YaVKsXgdau986YYMhcH+DfeOyD3XQBKUTMOM=", "path": "./flakes", "type": "path" }, @@ -3919,7 +3919,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=", + "narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=", "path": "../systems/eldiron", "type": "path" }, diff --git a/flakes/flake.lock b/flakes/flake.lock index 64c9100..6dcee3d 100644 --- a/flakes/flake.lock +++ b/flakes/flake.lock @@ -3824,7 +3824,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-k4JkkQECOTq1uxe8nZe0Wmj+DfzX1KKF7lvDkEMK6vQ=", + "narHash": "sha256-PRhCKLyFpkmjr/RviVw7h3ZBWVHGmlwH1+z9gWIdXsI=", "path": "../systems/eldiron", "type": "path" }, 
diff --git a/systems/eldiron/ftp_sync.sh b/systems/eldiron/ftp_sync.sh
index aff7178..6760aab 100755
--- a/systems/eldiron/ftp_sync.sh
+++ b/systems/eldiron/ftp_sync.sh
@@ -7,41 +7,21 @@ LDAP_PASS=$(cat /etc/ssh/ldap_password)
 LDAP_HOST="ldap://ldap.immae.eu"
 LDAP_BASE="dc=immae,dc=eu"
 LDAP_FILTER="(memberOf=cn=users,cn=ftp,ou=services,dc=immae,dc=eu)"
+USER_LDAP_BASE="ou=users,dc=immae,dc=eu"
 
-handle_keys() {
- uids="$1"
- keys="$2"
- if [ -n "$uids" ]; then
- for uid in $uids; do
- echo "$keys" | while read key; do
- if [ -n "$key" ]; then
- ssh-keygen -e -f <(echo "$key")
- fi
- done > /var/lib/proftpd/authorized_keys/$uid
- done
- fi
-}
+PSQL_BASE="immae"
+PSQL_HOST="localhost"
+PSQL_USER="immae_auth_read"
+PSQL_PASS=$(cat /etc/ssh/psql_password)
 
 mkdir -p /var/lib/proftpd/authorized_keys
 
-while read i; do
- if [[ "$i" =~ ^dn: ]]; then
- handle_keys "$uids" "$keys"
- uids=""
- keys=""
- fi;
- if [[ "$i" =~ ^uid: ]]; then
- uids="$uids ${i#uid: }"
- fi
- if [[ "$i" =~ ^immaeSshKey: ]]; then
- key="${i#immaeSshKey: }"
- if [[ "$key" =~ ^ssh- ]]; then
- keys="$keys
-$key"
- elif echo "$key" | cut -d" " -f1 | grep -q "\bftp\b"; then
- keys="$keys
-$(echo "$key" | cut -d" " -f2-)"
- fi
- fi
-done < <(ldapsearch -H "$LDAP_HOST" -ZZ -LLL -D "$LDAP_BIND" -w "$LDAP_PASS" -b "$LDAP_BASE" -x -o ldif-wrap=no "$LDAP_FILTER" uid immaeSshKey)
-handle_keys "$uids" "$keys"
+allowed_logins=$(ldapsearch -H "$LDAP_HOST" -ZZ -LLL -D "$LDAP_BIND" -w "$LDAP_PASS" -b "$LDAP_BASE" -x -o ldif-wrap=no "$LDAP_FILTER" '' \
+ | grep "^dn.*$USER_LDAP_BASE$" \
+ | sed -e "s/^dn: uid=\([^,]*\),.*$USER_LDAP_BASE$/'\1'/" \
+ | paste -sd,)
+
+PGPASSWORD="$PSQL_PASS" psql -U "$PSQL_USER" -h "$PSQL_HOST" -X -A -t -d "$PSQL_BASE" -c "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'ftp' = ANY(usage) AND login IN ($allowed_logins);" | while IFS='|' read user key; do
+ touch /var/lib/proftpd/authorized_keys/$user
+ ssh-keygen -e -f <(echo "$key") >> /var/lib/proftpd/authorized_keys/$user
+done
-- cgit v1.2.3
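Review bot: The new `while` loop at the end of the hunk only ever `touch`es and `>>`-appends to `/var/lib/proftpd/authorized_keys/$user`, so every run re-adds the same keys and, more importantly, a key deleted from `ldap_users_ssh_keys` or a user dropped from the ftp group is never revoked — the removed `handle_keys` at least rewrote each file with `>`. The `IN ($allowed_logins)` list is also built by string interpolation: the `sed` wraps each uid in single quotes without escaping, so a uid containing `'` breaks or injects into the query, and an empty LDAP result produces `IN ()`, a syntax error after which the script (no `set -e`/`pipefail`) simply carries on with exit 0. The `$user` column from the query result is then used unquoted as a path component. I would whitelist the uid character set during extraction, refuse to run on an empty list, and build the files in a scratch directory that replaces the old one only after the query has succeeded, as sketched below.
```shell
set -euo pipefail
KEYDIR=/var/lib/proftpd/authorized_keys
# … unchanged: LDAP_* and PSQL_* settings …
mkdir -p "$KEYDIR"

# Only logins matching [A-Za-z0-9][A-Za-z0-9._-]* are accepted; anything else is
# dropped by `sed -n … p`. That is what makes the quoted IN (...) list safe and
# keeps "$user" from escaping $KEYDIR later on.
allowed_logins=$(ldapsearch -H "$LDAP_HOST" -ZZ -LLL -D "$LDAP_BIND" -w "$LDAP_PASS" -b "$LDAP_BASE" -x -o ldif-wrap=no "$LDAP_FILTER" '' \
  | sed -ne "s/^dn: uid=\([A-Za-z0-9][A-Za-z0-9._-]*\),.*$USER_LDAP_BASE$/'\1'/p" \
  | paste -sd,)
[ -n "$allowed_logins" ] || { echo "ftp_sync: LDAP returned no FTP users, keeping existing key files" >&2; exit 1; }

# Build the new files in a scratch directory and swap them in only once the query
# has succeeded: keys deleted from the DB (or users dropped from the group) are
# actually revoked, and a failed query leaves the previous files untouched.
tmp=$(mktemp -d "$KEYDIR.XXXXXX")
trap 'rm -rf -- "$tmp"' EXIT
PGPASSWORD="$PSQL_PASS" psql -U "$PSQL_USER" -h "$PSQL_HOST" -X -A -t -d "$PSQL_BASE" -c "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'ftp' = ANY(usage) AND login IN ($allowed_logins);" \
  | while IFS='|' read -r user key; do
      ssh-keygen -e -f <(printf '%s\n' "$key") >> "$tmp/$user" \
        || echo "ftp_sync: skipping unparsable key for $user" >&2
    done
find "$KEYDIR" -maxdepth 1 -type f -delete
for f in "$tmp"/*; do
  [ -e "$f" ] || continue
  mv -f -- "$f" "$KEYDIR"/
done
```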