55 lines
1.2 KiB
Plaintext
55 lines
1.2 KiB
Plaintext
|
#!/bin/sh
|
||
|
|
# Alternative to `sss_ssh_authorizedkeys` which does not behave weirdly
|
||
|
|
#
|
||
|
|
# For use with sshd, you may utilize the following example lines in sshd_config:
|
||
|
|
# AuthorizedKeysCommand /usr/bin/sh -c '/usr/local/bin/ssh-keygrep %u'
|
||
|
|
# AuthorizedKeysCommandUser nobody
|
||
|
|
#
|
||
|
|
# Georg Pfuetzenreuter <georg@lysergic.dev>
|
||
|
|
# Created and last modified: 26/04/2022
|
||
|
|
|
||
|
|
uid="$1"
|
||
|
|
|
||
|
|
log="/var/log/ssh-keygrep.log"
|
||
|
|
uri="ldaps://ldap.example.com"
|
||
|
|
base="uid=$uid,ou=users,dc=example,dc=com"
|
||
|
|
attribute="sshPublicKey"
|
||
|
|
|
||
|
|
# -x ---> anonymous bind
|
||
|
|
# -D 'cn=foo,ou=users,dc=example,dc=com' -y '/path/to/passfile' ---> bind as user
|
||
|
|
auth_args="-x"
|
||
|
|
# any additional ldapsearch arguments
|
||
|
|
extra_args=""
|
||
|
|
|
||
|
|
binary_ldapsearch="/usr/bin/ldapsearch"
|
||
|
|
binary_perl="/usr/bin/perl"
|
||
|
|
|
||
|
|
if [ -z "$uid" ];
|
||
|
|
then
|
||
|
|
echo "Specify a uid."
|
||
|
|
fi
|
||
|
|
|
||
|
|
fetch () {
|
||
|
|
$binary_ldapsearch -LLL -H $uri $auth_args $extra_args -b $base $attribute
|
||
|
|
}
|
||
|
|
|
||
|
|
parse () {
|
||
|
|
$binary_perl -p00e 's/\r?\n //g;' -pe 's/sshPublicKey: //g;' -pe 's/\A(^.*$\r?\n){1}//'
|
||
|
|
}
|
||
|
|
|
||
|
|
key="`fetch | parse`"
|
||
|
|
|
||
|
|
printf "Key queried by $USER for $uid at `date`, " >> $log
|
||
|
|
if [ -z "$key" ];
|
||
|
|
then
|
||
|
|
echo "no result :-(" >> $log
|
||
|
|
exit 1
|
||
|
|
fi
|
||
|
|
if [ -n "$key" ];
|
||
|
|
then
|
||
|
|
echo "result: $key" >> $log
|
||
|
|
echo "$key"
|
||
|
|
exit 0
|
||
|
|
fi
|
||
|
|
|