#!/bin/sh
# Alternative to `sss_ssh_authorizedkeys` which does not behave weirdly
#
# For use with sshd, you may utilize the following example lines in sshd_config:
# AuthorizedKeysCommand      /usr/bin/sh -c '/usr/local/bin/ssh-keygrep %u'
# AuthorizedKeysCommandUser  nobody
#
# Georg Pfuetzenreuter <georg@lysergic.dev>
# Created and last modified: 26/04/2022

# Username to look up; sshd supplies it as %u.
uid="${1}"

# Every lookup is appended to this file.
log='/var/log/ssh-keygrep.log'

# Directory server, the entry derived from the uid, and the attribute that
# carries the key material.
uri='ldaps://ldap.example.com'
attribute='sshPublicKey'
base="uid=${uid},ou=users,dc=example,dc=com"

# -x ---> anonymous bind
# -D 'cn=foo,ou=users,dc=example,dc=com' -y '/path/to/passfile' ---> bind as user
auth_args='-x'
# any additional ldapsearch arguments
extra_args=''

# Absolute paths of the two tools used below.
binary_perl='/usr/bin/perl'
binary_ldapsearch='/usr/bin/ldapsearch'

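# Stop when no uid was given: the base DN below is built from it, and anything
# written to stdout is read by sshd as authorized-key material, so the message
# goes to stderr and the script does not continue with an empty DN component.
if [ -z "$uid" ]; then
        echo "Specify a uid." >&2
        exit 1
fi

# The uid is whatever username the SSH client asked for and it is spliced into
# an LDAP DN, so only accept the characters a conventional username can
# contain (letters, digits, '.', '_', '-'). Widen the allowlist if your
# directory uses other characters.
case "$uid" in
        *[!A-Za-z0-9._-]*)
                echo "uid contains unexpected characters." >&2
                exit 1
                ;;
esac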

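#######################################
# Query the directory for the user's key attribute.
# Globals:   binary_ldapsearch, uri, auth_args, extra_args, base, attribute (read)
# Outputs:   raw LDIF from ldapsearch on stdout
# Returns:   ldapsearch's exit status
#######################################
fetch () {
        # base embeds the caller-supplied uid, so it and the other single-value
        # settings are quoted to avoid word-splitting and globbing.
        # auth_args/extra_args are deliberately left unquoted: they hold zero or
        # more options that must be split into separate words.
        # shellcheck disable=SC2086
        "$binary_ldapsearch" -LLL -H "$uri" $auth_args $extra_args -b "$base" "$attribute"
}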

#######################################
# Reduce the LDIF produced by fetch to bare key lines.
# Globals:   binary_perl (read)
# Inputs:    LDIF records on stdin
# Outputs:   the records with folded continuation lines joined, the
#            "sshPublicKey: " prefix removed and a substitution that is meant
#            to drop each record's first (presumably dn:) line
#######################################
parse () {
        # -00 reads one paragraph (LDIF record) per iteration; the three -e
        # fragments are concatenated into a single program.
        # NOTE(review): the last substitution anchors with ^/$ but no /m, so it
        # looks like it can only match a single-line record -- confirm against
        # real ldapsearch output.
        "$binary_perl" -00 -p \
                -e 's/\r?\n //g;' \
                -e 's/sshPublicKey: //g;' \
                -e 's/\A(^.*$\r?\n){1}//'
}

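key="$(fetch | parse)"

# Record every lookup. The uid is caller-supplied, so all variable parts are
# passed as printf arguments instead of being embedded in the format string.
printf 'Key queried by %s for %s at %s, ' "$USER" "$uid" "$(date)" >> "$log"
if [ -z "$key" ]; then
        echo "no result :-(" >> "$log"
        exit 1
fi
printf 'result: %s\n' "$key" >> "$log"
# printf rather than echo: the key text is emitted verbatim even if it starts
# with something echo would treat as an option.
printf '%s\n' "$key"
exit 0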