From 7e6f1fb434797b4ffaf7eefa4a69825ce884fd20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Wed, 3 Apr 2019 10:21:20 +0200 Subject: Move ssh to its own module --- nixops/eldiron.nix | 33 +------ nixops/ldap_authorized_keys.sh | 150 ----------------------------- nixops/modules/ssh/default.nix | 30 ++++++ nixops/modules/ssh/ldap_authorized_keys.sh | 150 +++++++++++++++++++++++++++++ 4 files changed, 182 insertions(+), 181 deletions(-) delete mode 100755 nixops/ldap_authorized_keys.sh create mode 100644 nixops/modules/ssh/default.nix create mode 100755 nixops/modules/ssh/ldap_authorized_keys.sh diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix index 752ef0a..9d32bb3 100644 --- a/nixops/eldiron.nix +++ b/nixops/eldiron.nix @@ -6,7 +6,6 @@ }; eldiron = { config, pkgs, mylibs, myconfig, ... }: - with mylibs; { _module.args = { pkgsNext = import {}; @@ -25,6 +24,7 @@ }; imports = [ + ./modules/ssh ./modules/certificates.nix ./modules/gitolite ./modules/databases @@ -52,12 +52,7 @@ MaxLevelStore="warning" MaxRetentionSec="1year" ''; - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ 22 ]; - }; - }; + networking.firewall.enable = true; deployment = { targetEnv = "hetzner"; @@ -85,30 +80,6 @@ pkgs.vim ]; - services.openssh.extraConfig = '' - AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys - AuthorizedKeysCommandUser nobody - ''; - - environment.etc."ssh/ldap_authorized_keys" = let - ldap_authorized_keys = - wrap { - name = "ldap_authorized_keys"; - file = ./ldap_authorized_keys.sh; - vars = { - LDAP_PASS = myconfig.env.sshd.ldap.password; - GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell"; - ECHO = "${pkgs.coreutils}/bin/echo"; - }; - paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]; - }; - in { - enable = true; - mode = "0755"; - user = "root"; - source = ldap_authorized_keys; - }; - services.cron = { enable = true; systemCronJobs = [ diff --git a/nixops/ldap_authorized_keys.sh b/nixops/ldap_authorized_keys.sh deleted file mode 100755 index d869d74..0000000 --- a/nixops/ldap_authorized_keys.sh +++ /dev/null @@ -1,150 +0,0 @@ -#!/usr/bin/env bash - -LDAPSEARCH=ldapsearch -KEY="immaeSshKey" -LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu" -#LDAP_PASS="password taken from environment" -LDAP_HOST="ldap.immae.eu" -LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu" -LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu" -LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu" -LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu" -LDAP_BASE="dc=immae,dc=eu" - -suitable_for() { - type_for="$1" - key="$2" - - if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then - echo "$key" - else - key_type=$(cut -d " " -f 1 <<< "$key") - - if grep -q "\b-$type_for\b" <<< "$key_type"; then - echo "" - elif grep -q "\b$type_for\b" <<< "$key_type"; then - echo $(sed -e "s/^[^ ]* //g" <<< "$key") - else - echo "" - fi - fi -} - -clean_key_line() { - type_for="$1" - line="$2" - - if [[ "$line" == $KEY::* ]]; then - # base64 keys should't happen, unless wrong copy-pasting - key="" - else - key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line") - fi - - suitable_for "$type_for" "$key" -} - -ldap_search() { - $LDAPSEARCH -h $LDAP_HOST -ZZ -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@" -} - -ldap_keys() { - user=$1; - if [[ $user == gitolite ]]; then - ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY | \ - while read line ; - do - if [ ! -z "$line" ]; then - if [[ $line == dn* ]]; then - user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") - if [ -n "$user" ]; then - if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then - # Capitalize first letter (backward compatibility) - user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user") - fi - else - # Service fake user - user=$(sed -n 's/.*cn=\([^,]*\).*/\1/p' <<< "$line") - fi - elif [[ $line == $KEY* ]]; then - key=$(clean_key_line git "$line") - if [ ! -z "$key" ]; then - if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then - echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ' - echo $key - fi - fi - fi - fi - done - exit 0 - elif [[ $user == pub ]]; then - ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \ - while read line ; - do - if [ ! -z "$line" ]; then - if [[ $line == dn* ]]; then - echo "" - user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") - echo "# $user" - elif [[ $line == $KEY* ]]; then - key=$(clean_key_line pub "$line") - key_forward=$(clean_key_line forward "$line") - if [ ! -z "$key" ]; then - if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then - echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" ' - echo $key - fi - elif [ ! -z "$key_forward" ]; then - if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then - echo "# forward only" - echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' - echo $key_forward - fi - fi - fi - fi - done - - echo "" - ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \ - while read line ; - do - if [ ! -z "$line" ]; then - if [[ $line == dn* ]]; then - echo "" - user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") - echo "# $user" - elif [[ $line == $KEY* ]]; then - key=$(clean_key_line forward "$line") - if [ ! -z "$key" ]; then - if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then - echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' - echo $key - fi - fi - fi - fi - done - exit 0 - else - ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \ - while read line ; - do - if [ ! -z "$line" ]; then - if [[ $line == dn* ]]; then - user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") - elif [[ $line == $KEY* ]]; then - key=$(clean_key_line ssh "$line") - if [ ! -z "$key" ]; then - if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then - echo $key - fi - fi - fi - fi - done - fi -} - -ldap_keys $@ diff --git a/nixops/modules/ssh/default.nix b/nixops/modules/ssh/default.nix new file mode 100644 index 0000000..b28f6ca --- /dev/null +++ b/nixops/modules/ssh/default.nix @@ -0,0 +1,30 @@ +{ lib, pkgs, config, mylibs, myconfig, ... }: +{ + config = { + networking.firewall.allowedTCPPorts = [ 22 ]; + + services.openssh.extraConfig = '' + AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys + AuthorizedKeysCommandUser nobody + ''; + + environment.etc."ssh/ldap_authorized_keys" = let + ldap_authorized_keys = + mylibs.wrap { + name = "ldap_authorized_keys"; + file = ./ldap_authorized_keys.sh; + vars = { + LDAP_PASS = myconfig.env.sshd.ldap.password; + GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell"; + ECHO = "${pkgs.coreutils}/bin/echo"; + }; + paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]; + }; + in { + enable = true; + mode = "0755"; + user = "root"; + source = ldap_authorized_keys; + }; + }; +} diff --git a/nixops/modules/ssh/ldap_authorized_keys.sh b/nixops/modules/ssh/ldap_authorized_keys.sh new file mode 100755 index 0000000..d869d74 --- /dev/null +++ b/nixops/modules/ssh/ldap_authorized_keys.sh @@ -0,0 +1,150 @@ +#!/usr/bin/env bash + +LDAPSEARCH=ldapsearch +KEY="immaeSshKey" +LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu" +#LDAP_PASS="password taken from environment" +LDAP_HOST="ldap.immae.eu" +LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu" +LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu" +LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu" +LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu" +LDAP_BASE="dc=immae,dc=eu" + +suitable_for() { + type_for="$1" + key="$2" + + if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then + echo "$key" + else + key_type=$(cut -d " " -f 1 <<< "$key") + + if grep -q "\b-$type_for\b" <<< "$key_type"; then + echo "" + elif grep -q "\b$type_for\b" <<< "$key_type"; then + echo $(sed -e "s/^[^ ]* //g" <<< "$key") + else + echo "" + fi + fi +} + +clean_key_line() { + type_for="$1" + line="$2" + + if [[ "$line" == $KEY::* ]]; then + # base64 keys should't happen, unless wrong copy-pasting + key="" + else + key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line") + fi + + suitable_for "$type_for" "$key" +} + +ldap_search() { + $LDAPSEARCH -h $LDAP_HOST -ZZ -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@" +} + +ldap_keys() { + user=$1; + if [[ $user == gitolite ]]; then + ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY | \ + while read line ; + do + if [ ! -z "$line" ]; then + if [[ $line == dn* ]]; then + user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") + if [ -n "$user" ]; then + if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then + # Capitalize first letter (backward compatibility) + user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user") + fi + else + # Service fake user + user=$(sed -n 's/.*cn=\([^,]*\).*/\1/p' <<< "$line") + fi + elif [[ $line == $KEY* ]]; then + key=$(clean_key_line git "$line") + if [ ! -z "$key" ]; then + if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then + echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ' + echo $key + fi + fi + fi + fi + done + exit 0 + elif [[ $user == pub ]]; then + ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \ + while read line ; + do + if [ ! -z "$line" ]; then + if [[ $line == dn* ]]; then + echo "" + user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") + echo "# $user" + elif [[ $line == $KEY* ]]; then + key=$(clean_key_line pub "$line") + key_forward=$(clean_key_line forward "$line") + if [ ! -z "$key" ]; then + if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then + echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" ' + echo $key + fi + elif [ ! -z "$key_forward" ]; then + if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then + echo "# forward only" + echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' + echo $key_forward + fi + fi + fi + fi + done + + echo "" + ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \ + while read line ; + do + if [ ! -z "$line" ]; then + if [[ $line == dn* ]]; then + echo "" + user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") + echo "# $user" + elif [[ $line == $KEY* ]]; then + key=$(clean_key_line forward "$line") + if [ ! -z "$key" ]; then + if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then + echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" ' + echo $key + fi + fi + fi + fi + done + exit 0 + else + ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \ + while read line ; + do + if [ ! -z "$line" ]; then + if [[ $line == dn* ]]; then + user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line") + elif [[ $line == $KEY* ]]; then + key=$(clean_key_line ssh "$line") + if [ ! -z "$key" ]; then + if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then + echo $key + fi + fi + fi + fi + done + fi +} + +ldap_keys $@ -- cgit v1.2.3