From: nicoo Date: Wed, 16 May 2018 21:02:17 +0000 (+0200) Subject: tuer: Add AuthorizedKeys script for tuerctl X-Git-Url: https://git.realraum.at/?a=commitdiff_plain;h=a7b16357c0999e0a863ee80abde6af5f34f3a16d;p=noc.git tuer: Add AuthorizedKeys script for tuerctl --- diff --git a/ansible/.gitignore b/ansible/.gitignore index d5e5f4b..f525999 100644 --- a/ansible/.gitignore +++ b/ansible/.gitignore @@ -4,4 +4,4 @@ *.retry .*.sw? /.cache/ -/files/ +/files/openwrt/ diff --git a/ansible/files/tuer/authorized_keys.sh b/ansible/files/tuer/authorized_keys.sh new file mode 100755 index 0000000..359f9d6 --- /dev/null +++ b/ansible/files/tuer/authorized_keys.sh @@ -0,0 +1,42 @@ +#!/bin/sh +# Copyright © 2018 nicoo +# Distributed under the WTFPL v2 +# +# DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE +# Version 2, December 2004 +# +# Copyright (C) 2004 Sam Hocevar +# +# Everyone is permitted to copy and distribute verbatim or modified +# copies of this license document, and changing it is allowed as long +# as the name is changed. +# +# DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE +# TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION +# +# 0. You just DO WHAT THE FUCK YOU WANT TO. + +# This script processes the tuergit repository located at KEYS_DIR +# and outputs authorized_keys data for sshd. +# It is meant to be used as an AuthorizedKeysCommand + +set -e + +KEYS_DIR=${KEYS_DIR:-'/var/tuer/keys.git'} +KEYS_OPTIONS='no-port-forwarding' + +cd "${KEYS_DIR}" +if git config hooks.keys_branch 2>/dev/null; then + KEYS_BRANCH="$(git config hooks.keys_branch)" +else + KEYS_BRANCH="master" +fi + +git show "${KEYS_BRANCH}:ssh/" | + while read user; do + [ -n "$user" ] || continue + git show "${KEYS_BRANCH}:ssh/${user}" | + while read key; do + echo "command=\"${user}\",${KEYS_OPTIONS}" "${key}" + done + done diff --git a/ansible/tuer.yml b/ansible/tuer.yml index e061759..0d90890 100644 --- a/ansible/tuer.yml +++ b/ansible/tuer.yml @@ -78,6 +78,10 @@ mode: 0755 file: "{{ playbook_dir }}/.cache/openwrt/tuer/door_and_sensors/update-keys/update-keys" + /usr/local/bin/authorized_keys.sh: + mode: 0755 + file: "{{ playbook_dir }}/files/tuer/authorized_keys.sh" + /etc/ssh/sshd_config: content: |- Port 22000 @@ -91,6 +95,12 @@ X11Forwarding no UsePrivilegeSeparation sandbox + Match User tuerctl + AuthorizedKeysFile /dev/null + AuthorizedKeysCommand /usr/local/bin/authorized_keys.sh + AuthorizedKeysCommandUser tuergit + + /etc/ssh/authorized_keys.d/root: content: |- {% for key in noc_ssh_keys %}