1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
### This snippet is not standalone and must be integrated in the global ldap_authorized_keys.sh
LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"
LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu"
ECHO=$(which echo)
if [[ $user == pub ]]; then
ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \
while read line ;
do
if [ ! -z "$line" ]; then
if [[ $line == dn* ]]; then
echo ""
user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
echo "# $user"
elif [[ $line == $KEY* ]]; then
key=$(clean_key_line pub "$line")
key_forward=$(clean_key_line forward "$line")
if [ ! -z "$key" ]; then
if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" '
echo $key
fi
elif [ ! -z "$key_forward" ]; then
if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then
echo "# forward only"
echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
echo $key_forward
fi
fi
fi
fi
done
echo ""
ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \
while read line ;
do
if [ ! -z "$line" ]; then
if [[ $line == dn* ]]; then
echo ""
user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
echo "# $user"
elif [[ $line == $KEY* ]]; then
key=$(clean_key_line forward "$line")
if [ ! -z "$key" ]; then
if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
echo $key
fi
fi
fi
fi
done
exit 0
fi
|