From 0503b1f07e839e2da7c2b26139eafeaee627a4a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Sun, 26 Nov 2023 00:00:56 +0100
Subject: Migrate FTP access ssh keys
---
 systems/eldiron/ftp_sync.sh | 48 +++++++++++++--------------------------------
 1 file changed, 14 insertions(+), 34 deletions(-)
(limited to 'systems/eldiron')
diff --git a/systems/eldiron/ftp_sync.sh b/systems/eldiron/ftp_sync.sh
index aff7178..6760aab 100755
--- a/systems/eldiron/ftp_sync.sh
+++ b/systems/eldiron/ftp_sync.sh
@@ -7,41 +7,21 @@ LDAP_PASS=$(cat /etc/ssh/ldap_password)
 LDAP_HOST="ldap://ldap.immae.eu"
 LDAP_BASE="dc=immae,dc=eu"
 LDAP_FILTER="(memberOf=cn=users,cn=ftp,ou=services,dc=immae,dc=eu)"
+USER_LDAP_BASE="ou=users,dc=immae,dc=eu"
 
-handle_keys() {
- uids="$1"
- keys="$2"
- if [ -n "$uids" ]; then
- for uid in $uids; do
- echo "$keys" | while read key; do
- if [ -n "$key" ]; then
- ssh-keygen -e -f <(echo "$key")
- fi
- done > /var/lib/proftpd/authorized_keys/$uid
- done
- fi
-}
+PSQL_BASE="immae"
+PSQL_HOST="localhost"
+PSQL_USER="immae_auth_read"
+PSQL_PASS=$(cat /etc/ssh/psql_password)
 
 mkdir -p /var/lib/proftpd/authorized_keys
 
-while read i; do
- if [[ "$i" =~ ^dn: ]]; then
- handle_keys "$uids" "$keys"
- uids=""
- keys=""
- fi;
- if [[ "$i" =~ ^uid: ]]; then
- uids="$uids ${i#uid: }"
- fi
- if [[ "$i" =~ ^immaeSshKey: ]]; then
- key="${i#immaeSshKey: }"
- if [[ "$key" =~ ^ssh- ]]; then
- keys="$keys
-$key"
- elif echo "$key" | cut -d" " -f1 | grep -q "\bftp\b"; then
- keys="$keys
-$(echo "$key" | cut -d" " -f2-)"
- fi
- fi
-done < <(ldapsearch -H "$LDAP_HOST" -ZZ -LLL -D "$LDAP_BIND" -w "$LDAP_PASS" -b "$LDAP_BASE" -x -o ldif-wrap=no "$LDAP_FILTER" uid immaeSshKey)
-handle_keys "$uids" "$keys"
+allowed_logins=$(ldapsearch -H "$LDAP_HOST" -ZZ -LLL -D "$LDAP_BIND" -w "$LDAP_PASS" -b "$LDAP_BASE" -x -o ldif-wrap=no "$LDAP_FILTER" '' \
+ | grep "^dn.*$USER_LDAP_BASE$" \
+ | sed -e "s/^dn: uid=\([^,]*\),.*$USER_LDAP_BASE$/'\1'/" \
+ | paste -sd,)
+
+PGPASSWORD="$PSQL_PASS" psql -U "$PSQL_USER" -h "$PSQL_HOST" -X -A -t -d "$PSQL_BASE" -c "SELECT login, key FROM ldap_users_ssh_keys WHERE realm = 'immae' AND 'ftp' = ANY(usage) AND login IN ($allowed_logins);" | while IFS='|' read user key; do
+ touch /var/lib/proftpd/authorized_keys/$user
+ ssh-keygen -e -f <(echo "$key") >> /var/lib/proftpd/authorized_keys/$user
+done
-- 
cgit v1.2.3