Andrew Bogott has uploaded a new change for review.
https://gerrit.wikimedia.org/r/173066
Change subject: Allow sshd to pull ssh keys from ldap on Trusty.
......................................................................
Allow sshd to pull ssh keys from ldap on Trusty.
This has three parts:
modules/ldap/files/scripts/ldapkeys: A simple ldap query tool
(based on ldaplist) which takes a username and looks up
that user's public ssh keys in ldap, using the ldap config
in ldap.conf.
modules/ldap/manifests/client.pp: Installs the ldapkeys script
where appropriate, along with a service user also named ldapkeys
which ssh will use to invoke the script.
modules/ssh/templates/sshd_config.erb: Specifies use of the
ldapkeys tool and the ldapkeys user for ssh attempts.
Change-Id: I622d4807012a1fc935d6bc197adc266fb4cb21df
---
A modules/ldap/files/scripts/ldapkeys
M modules/ldap/manifests/client.pp
M modules/ssh/templates/sshd_config.erb
3 files changed, 116 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/66/173066/1
diff --git a/modules/ldap/files/scripts/ldapkeys
b/modules/ldap/files/scripts/ldapkeys
new file mode 100755
index 0000000..ece8b87
--- /dev/null
+++ b/modules/ldap/files/scripts/ldapkeys
@@ -0,0 +1,94 @@
+#!/usr/bin/python
+
+#####################################################################
+### THIS FILE IS MANAGED BY PUPPET
+### puppet:///modules/ldap/scripts/ldaplist
+#####################################################################
+
+import ldapsupportlib
+from optparse import OptionParser
+import re
+from signal import signal, SIGPIPE, SIG_DFL
+import sys
+import traceback
+
+try:
+ import ldap
+except ImportError:
+ sys.stderr.write("Unable to import LDAP library.\n")
+ sys.exit(1)
+
+# Avoid "IOError: [Errno 32] Broken pipe" when piping to head & Co.
+signal(SIGPIPE, SIG_DFL)
+
+def main():
+ "Print ssh keys for a given ldap user. Mostly cribbed from 'ldaplist'"
+
+ parser = OptionParser(conflict_handler="resolve")
+ parser.set_usage("ldap-keys [options] <username>\n\nexample: ldaplist
andrew")
+
+ ldapSupportLib = ldapsupportlib.LDAPSupportLib()
+ ldapSupportLib.addParserOptions(parser)
+
+ (options, args) = parser.parse_args()
+
+ ldapSupportLib.setBindInfoByOptions(options, parser)
+
+ base = "ou=people," + ldapSupportLib.getBase()
+
+ if (len(args) != 1):
+ print parser.usage
+ exit(1)
+
+ ds = ldapSupportLib.connect()
+
+ # w00t We're in!
+ try:
+ PosixData = ds.search_s(base, ldap.SCOPE_SUBTREE,
+ "(uid="+ args[0] + ")")
+
+ except ldap.NO_SUCH_OBJECT:
+ sys.stderr.write("Object not found. If you are trying to use * in your
search, make sure that you wrap your string in single quotes to avoid shell
expansion.\n")
+ ds.unbind()
+ sys.exit(1)
+ except ldap.PROTOCOL_ERROR:
+ sys.stderr.write("The search returned a protocol error, this shouldn't
ever happen, please submit a trouble ticket.\n")
+ ds.unbind()
+ sys.exit(1)
+ except Exception:
+ sys.stderr.write("The search returned an error.\n")
+ ds.unbind()
+ sys.exit(1)
+
+ PosixData.sort()
+
+ # PosixData is a list of lists where:
+ # index 0 of PosixData[N]: contains the distinquished name
+ # index 1 of PosixData[N]: contains a dictionary of lists hashed by the
following keys:
+ # telephoneNumber, departmentNumber, uid, objectClass,
loginShell,
+ # uidNumber, gidNumber, sn, homeDirectory, givenName, cn
+
+ for i in range(len(PosixData)):
+ for (k, v) in PosixData[i][1].items():
+ if ( k != "sshPublicKey" ):
+ continue
+ for v2 in v:
+ print v2
+
+ ds.unbind()
+
+def showdatabase(objectbasedns, args):
+ print ""
+ if len(args) < 1:
+ print objectbasedns["base"]
+ else:
+ if args[0].find('auto_') != -1:
+ objectbasedns["auto_*"] =
objectbasedns["auto_*"].replace("auto_AUTO", args[0])
+ args[0] = "auto_*"
+ if args[0] in objectbasedns:
+ print objectbasedns[args[0]]
+ else:
+ print "Database " + args[0] + " not found, use ldaplist -h to list
database types."
+
+if __name__ == "__main__":
+ main()
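Review bot: The username that sshd hands this script is spliced unescaped into the LDAP filter at `"(uid="+ args[0] + ")"`, so characters with special meaning in filter syntax change the query instead of matching a literal uid; add `import ldap.filter` next to `import ldap` and build the filter as `"(uid=%s)" % ldap.filter.escape_filter_chars(args[0])`. Passing `attrlist=['sshPublicKey']` to `search_s` would also restrict the lookup to the one attribute the script prints and make the `k != "sshPublicKey"` filtering loop unnecessary. The managed-by-Puppet header still names `puppet:///modules/ldap/scripts/ldaplist`; it should read `puppet:///modules/ldap/scripts/ldapkeys` to match the source used in client.pp. `showdatabase`, the unused `re` and `traceback` imports, and the NO_SUCH_OBJECT message about quoting `*` appear to be left over from ldaplist and do not apply to a command invoked by sshd.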
diff --git a/modules/ldap/manifests/client.pp b/modules/ldap/manifests/client.pp
index 900d813..ab320de 100644
--- a/modules/ldap/manifests/client.pp
+++ b/modules/ldap/manifests/client.pp
@@ -171,6 +171,24 @@
source => 'puppet:///modules/ldap/scripts/ldaplist',
}
+ if $::realm == 'labs' {
+ if ubuntu_version('>= trusty') {
+ # The 'ldapkeys' tool is called during login ssh via
AuthorizedKeysCommand. It
+ # returns public keys from ldap for the specified username.
+ file { '/usr/local/bin/ldapkeys':
+ owner => 'ldapkeys',
+ group => 'ldapkeys',
+ mode => '0555',
+ source => 'puppet:///modules/ldap/scripts/ldapkeys',
+ }
+ # For security purposes, sshd will only run ldapkeys as the
'ldapkeys' user.
+ user { 'ldapkeys':
+ ensure => present,
+ system => true,
+ }
+ }
+ }
+
file { '/usr/local/sbin/change-ldap-passwd':
owner => 'root',
group => 'root',
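Review bot: The sshd_config manual requires the AuthorizedKeysCommand program to be owned by root and not writable by group or others, so `owner => 'ldapkeys'` on the `/usr/local/bin/ldapkeys` file resource will cause sshd to reject the command and the key lookup to fail; use `owner => 'root', group => 'root'` with the existing `mode => '0555'`, since the `ldapkeys` account is only needed as the `AuthorizedKeysCommandUser`. The script is also installed to `/usr/local/bin/ldapkeys` here while the sshd_config.erb hunk points `AuthorizedKeysCommand` at `/usr/local/sbin/ldapkeys`, so one of the two paths must change for the command to resolve at all. The comment `# For security purposes, sshd will only run ldapkeys as the 'ldapkeys' user.` would be clearer as `# sshd runs ldapkeys as this unprivileged system user (AuthorizedKeysCommandUser).`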
diff --git a/modules/ssh/templates/sshd_config.erb
b/modules/ssh/templates/sshd_config.erb
index 76580ab..0cca870 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -96,6 +96,10 @@
<% if @realm == "labs" then %>
Banner /etc/ssh/sshd_banner
+<% if @lsbdistcodename == 'trusty'%>
+AuthorizedKeysCommand /usr/local/sbin/ldapkeys
+AuthorizedKeysCommandUser ldapkeys
+<% end %>
<% end %>
<% if has_variable?("ssh_restrict_network") then %>
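Review bot: The directive is emitted only when `@lsbdistcodename == 'trusty'`, while client.pp installs the script and user for `ubuntu_version('>= trusty')`, so a later release would get the tool but no sshd configuration for it; the two conditions should use the same predicate, either by narrowing the manifest to trusty or by widening this check to match it, whichever reflects the intent. The opening tag is also missing its closing space and should read `<% if @lsbdistcodename == 'trusty' %>`.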
--
To view, visit https://gerrit.wikimedia.org/r/173066
Gerrit-MessageType: newchange
Gerrit-Change-Id: I622d4807012a1fc935d6bc197adc266fb4cb21df
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <[email protected]>