From 30ebadc915d078797b31efa21e252b66ec0c35ce Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Tue, 26 Apr 2022 21:54:56 +0200
Subject: Init ssh-keygrep

Signed-off-by: Georg Pfuetzenreuter
---
 scripts/sh/ssh-keygrep | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100755 scripts/sh/ssh-keygrep
(limited to 'scripts/sh/ssh-keygrep')
diff --git a/scripts/sh/ssh-keygrep b/scripts/sh/ssh-keygrep
new file mode 100755
index 0000000..42ffd6d
--- /dev/null
+++ b/scripts/sh/ssh-keygrep
@@ -0,0 +1,54 @@
+#!/bin/sh
+# Alternative to `sss_ssh_authorizedkeys` which does not behave weirdly
+#
+# For use with sshd, you may utilize the following example lines in sshd_config:
+# AuthorizedKeysCommand /usr/bin/sh -c '/usr/local/bin/ssh-keygrep %u'
+# AuthorizedKeysCommandUser nobody
+#
+# Georg Pfuetzenreuter
+# Created and last modified: 26/04/2022
+
+uid="$1"
+
+log="/var/log/ssh-keygrep.log"
+uri="ldaps://ldap.example.com"
+base="uid=$uid,ou=users,dc=example,dc=com"
+attribute="sshPublicKey"
+
+# -x ---> anonymous bind
+# -D 'cn=foo,ou=users,dc=example,dc=com' -y '/path/to/passfile' ---> bind as user
+auth_args="-x"
+# any additional ldapsearch arguments
+extra_args=""
+
+binary_ldapsearch="/usr/bin/ldapsearch"
+binary_perl="/usr/bin/perl"
+
+if [ -z "$uid" ];
+then
+ echo "Specify a uid."
+fi
+
+fetch () {
+ $binary_ldapsearch -LLL -H $uri $auth_args $extra_args -b $base $attribute
+}
+
+parse () {
+ $binary_perl -p00e 's/\r?\n //g;' -pe 's/sshPublicKey: //g;' -pe 's/\A(^.*$\r?\n){1}//'
+}
+
+key="`fetch | parse`"
+
+printf "Key queried by $USER for $uid at `date`, " >> $log
+if [ -z "$key" ];
+then
+ echo "no result :-(" >> $log
+ exit 1
+fi
+if [ -n "$key" ];
+then
+ echo "result: $key" >> $log
+ echo "$key"
+ exit 0
+fi
+
-- 
cgit v1.2.3
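Review bot: The `$uid` taken from `$1` is spliced unvalidated into the LDAP search base (`base="uid=$uid,ou=users,dc=example,dc=com"`) and then passed unquoted as `-b $base`, and the `[ -z "$uid" ]` guard only echoes without exiting, so an empty or DN-syntax-bearing username still reaches `ldapsearch` and can change which subtree is queried. Since sshd hands this script the login name of an as-yet-unauthenticated user, restrict `$uid` to an anchored allow-list and fail closed before it is used, and quote `"$base"` (likewise `"$uri"`, `"$attribute"`, `>> "$log"`) so word splitting cannot alter the argument list. The header's suggested `AuthorizedKeysCommand /usr/bin/sh -c '/usr/local/bin/ssh-keygrep %u'` also has sshd expand `%u` into a shell command line; invoking the script directly, `AuthorizedKeysCommand /usr/local/bin/ssh-keygrep %u`, passes the name as a plain argument instead. Separately, with `AuthorizedKeysCommandUser nobody` the appends to `/var/log/ssh-keygrep.log` will presumably fail unless that file is made writable for `nobody` — worth a comment in the header.
```shell
uid="$1"
# Fail closed: only accept a plain account name before it reaches ldapsearch.
case "$uid" in
  ''|*[!A-Za-z0-9._-]*) echo "Specify a valid uid." >&2; exit 1 ;;
esac
# … unchanged: log/uri/base/attribute/auth_args/extra_args/binary_* assignments …
fetch () {
 "$binary_ldapsearch" -LLL -H "$uri" $auth_args $extra_args -b "$base" "$attribute"
}
# … unchanged: parse, key lookup and logging …
```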