From 30ebadc915d078797b31efa21e252b66ec0c35ce Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Tue, 26 Apr 2022 21:54:56 +0200
Subject: Init ssh-keygrep

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 scripts/sh/ssh-keygrep | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100755 scripts/sh/ssh-keygrep

(limited to 'scripts/sh')

diff --git a/scripts/sh/ssh-keygrep b/scripts/sh/ssh-keygrep
new file mode 100755
index 0000000..42ffd6d
--- /dev/null
+++ b/scripts/sh/ssh-keygrep
@@ -0,0 +1,54 @@
+#!/bin/sh
+# Alternative to `sss_ssh_authorizedkeys` which does not behave weirdly
+#
+# For use with sshd, you may utilize the following example lines in sshd_config:
+# AuthorizedKeysCommand      /usr/bin/sh -c '/usr/local/bin/ssh-keygrep %u'
+# AuthorizedKeysCommandUser  nobody
+#
+# Georg Pfuetzenreuter <georg@lysergic.dev>
+# Created and last modified: 26/04/2022
+
+uid="$1"
+
+log="/var/log/ssh-keygrep.log"
+uri="ldaps://ldap.example.com"
+base="uid=$uid,ou=users,dc=example,dc=com"
+attribute="sshPublicKey"
+
+# -x ---> anonymous bind
+# -D 'cn=foo,ou=users,dc=example,dc=com' -y '/path/to/passfile' ---> bind as user
+auth_args="-x"
+# any additional ldapsearch arguments
+extra_args=""
+
+binary_ldapsearch="/usr/bin/ldapsearch"
+binary_perl="/usr/bin/perl"
+
+if [ -z "$uid" ];
+then
+        echo "Specify a uid."
+fi
+
+fetch () {
+        $binary_ldapsearch -LLL -H $uri $auth_args $extra_args -b $base $attribute
+}
+
+parse () {
+        $binary_perl -p00e 's/\r?\n //g;' -pe 's/sshPublicKey: //g;' -pe 's/\A(^.*$\r?\n){1}//'
+}
+
+key="`fetch | parse`"
+
+printf "Key queried by $USER for $uid at `date`, " >> $log
+if [ -z "$key" ];
+then
+        echo "no result :-(" >> $log
+        exit 1
+fi
+if [ -n  "$key" ];
+then
+        echo "result: $key" >> $log
+        echo "$key"
+        exit 0
+fi
+
-- 
cgit v1.2.3