From 78c9033e226278d473d79a6041b2eba6ce000874 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Tue, 2 Nov 2021 16:08:47 +0100
Subject: [PATCH] Finishing setting public ssh keys

---
 after-migration.sh | 185 +++++++++++++++++++++++++++++++++-
 ssh_keys/markus.haebe.pub | 2 +-
 ssh_keys/oliver.boettcher.pub | 2 +-
 3 files changed, 186 insertions(+), 3 deletions(-)

diff --git a/after-migration.sh b/after-migration.sh
index 3afbd69..c816441 100755
--- a/after-migration.sh
+++ b/after-migration.sh
@@ -563,6 +563,186 @@ update_all_mailhosts() {
 }
+#------------------------------------------------
+update_public_sshkeys() {
+
+ local key_file="$1"
+ local uid=
+ local filter=
+ local cmd=
+ local dn=
+ local cn=
+ local key=
+ local line=
+ local out=
+ local oifs="${IFS}"
+
+ local -a keys_to_have=()
+ local -a object_classes=()
+ local -a existing_keys=()
+ local -a keys_to_add=()
+
+ empty_line
+ uid=$( basename "${key_file}" .pub )
+ debug "Checking SSH keys of uid '${CYAN}${uid}${NORMAL}' ..."
+
+ debug "Searching for DN of uid '${CYAN}${uid}${NORMAL}' ..."
+ filter="(&(objectClass=*)(uid=${uid}))"
+ cmd="ldapsearch -x -LLL -o ldif-wrap=no -H '${LDAP_URL}' "
+ cmd+="-b \"${DPX_PEOPLE_SEARCH_BASE}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\" "
+ cmd+="\"${filter}\" dn | grep '^dn:' | sed -e 's/^dn:[ ][ ]*//i' | head -n 1"
+ # debug "Executing: ${cmd}"
+ dn=$( eval ${cmd} )
+
+ if [[ -z "${dn}" ]] ; then
+ warn "Did not found DN of uid '${YELLOW}${uid}${NORMAL}'."
+ return 0
+ fi
+ debug "Found DN of '${CYAN}${uid}${NORMAL}': ${CYAN}${dn}${NORMAL}."
+
+ IFS="
+"
+
+ debug "Searching for Common name of uid '${CYAN}${uid}${NORMAL}' ..."
+ cmd="ldapsearch -x -LLL -o ldif-wrap=no -H '${LDAP_URL}' "
+ cmd+="-b \"${dn}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\" "
+ cmd+="\"(objectClass=*)\" cn | grep -i '^cn:' | head -n 1"
+ # debug "Executing: ${cmd}"
+ value=$( eval ${cmd} )
+ if [[ -n "${value}" ]] ; then
+ if echo "${value}" | grep -q -i "^cn::" ; then
+ cn=$( printf "${value}" | sed -e 's/^cn::[ ][ ]*//i' | base64 -d )
+ else
+ cn=$( printf "${value}" | sed -e 's/^cn:[ ][ ]*//i' )
+ fi
+ debug "Found Common name of uid '${CYAN}${uid}${NORMAL}': '${CYAN}${cn}${NORMAL}'."
+ else
+ warn "Did not found Common name of uid '${YELLOW}${uid}${NORMAL}'."
+ cn="${uid}"
+ fi
+
+ debug "Reading configured keys from file '${CYAN}${key_file}${NORMAL}' ..."
+ for line in $( cat "${key_file}" | sort -i ) ; do
+ if echo "${line}" | grep -q -P '^\s*(#|$)' ; then
+ continue
+ fi
+ keys_to_have+=( "${line}" )
+ done
+ IFS="${oifs}"
+ if [[ "${#keys_to_have[*]}" == "0" ]] ; then
+ info "No public keys defined for user ${CYAN}${cn}${NORMAL}."
+ return 0
+ fi
+ debug "Found ${CYAN}${#keys_to_have[*]} SSH keys${NORMAL} to have."
+
+ debug "Reading existing SSH keys for Common name ${CYAN}${cn}${NORMAL} ..."
+ cmd="ldapsearch -x -LLL -o ldif-wrap=no -H '${LDAP_URL}' "
+ cmd+="-b \"${dn}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\" "
+ cmd+="\"(objectClass=*)\" objectClass sshPublicKey | grep -E -i '^(objectClass|sshPublicKey):'"
+ debug "Executing: ${cmd}"
+ out==$( eval ${cmd} || true )
+
+ local has_ldap_public_key="n"
+ if echo "${out}" | grep -i '^objectClass:' | grep -q -i -w 'ldapPublicKey' ; then
+ has_ldap_public_key="y"
+ fi
+
+ IFS="
+"
+
+ for key in $( echo "${out}" | grep -i '^sshPublicKey:' | sed -e 's/^sshPublicKey:[ ][ ]*//i' | sort -i ) ; do
+ existing_keys+=( "${key}" )
+ done
+ IFS="${oifs}"
+ debug "Found ${CYAN}${#existing_keys[*]} existing SSH keys${NORMAL}."
+
+ local key1=
+ local key1_lc=
+ local key2=
+ local key2_lc=
+ local found=
+ for key1 in "${keys_to_have[@]}" ; do
+ found="n"
+ key1_lc=$( echo "${key1}" | tr '[:upper:]' '[:lower:]' )
+ for key2 in "${existing_keys[@]}" ; do
+ key2_lc=$( echo "${key2}" | tr '[:upper:]' '[:lower:]' )
+ if [[ "${key1_lc}" == "${key2_lc}" ]] ; then
+ found="y"
+ break
+ fi
+ done
+ if [[ "${found}" == "n" ]] ; then
+ keys_to_add+=( "${key1}" )
+ fi
+ done
+
+ if [[ "${has_ldap_public_key}" == "y" && "${#keys_to_add[*]}" == "0" ]] ; then
+ info "No changes on public SSH keys necessary for user ${CYAN}${cn}${NORMAL}."
+ return 0
+ fi
+
+ cat > "${LDIF_FILE}" <<-EOF
+ dn: ${dn}
+ changetype: modify
+ EOF
+
+ if [[ "${has_ldap_public_key}" == "n" ]] ; then
+ info "Adding objectClass ${CYAN}ldapPublicKey${NORMAL} to user ${CYAN}${cn}${NORMAL} ..."
+ cat >> "${LDIF_FILE}" <<-EOF
+ add: objectClass
+ objectClass: ldapPublicKey
+ -
+ EOF
+ fi
+
+ if [[ "${#keys_to_add[*]}" -gt 0 ]] ; then
+ info "Adding ${CYAN}${#keys_to_add[*]} public SSH key(s)${NORMAL} to user ${CYAN}${cn}${NORMAL} ..."
+
+ echo "add: sshPublicKey" >> "${LDIF_FILE}"
+ for key in "${keys_to_add[@]}" ; do
+ cat >> "${LDIF_FILE}" <<-EOF
+ sshPublicKey: ${key}
+ EOF
+ done
+ echo "-" >> "${LDIF_FILE}"
+ fi
+
+ echo '' >> "${LDIF_FILE}"
+ if [[ "${VERBOSE}" == "y" ]] ; then
+ debug "Resulting LDIF:"
+ cat "${LDIF_FILE}"
+ fi
+
+ cmd="ldapmodify -H \"${LDAP_URL}\" -x -D \"${LDAP_USR}\" -y \"${LDAP_PWD_FILE}\""
+ cmd+=" -f \"$( readlink -f "${LDIF_FILE}" )\""
+ # debug "Executing: ${cmd}"
+ if [[ "${SIMULATE}" != "y" ]] ; then
+ eval $cmd
+ fi
+ debug "Done."
+}
+
+#------------------------------------------------
+update_all_public_sshkeys() {
+
+ empty_line
+ draw_line
+ info "Updating public SSH keys of users ..."
+
+ local key_dir="ssh_keys"
+ if [[ ! -d "${key_dir}" ]] ; then
+ error "Directory for public SSH keys '${RED}${key_dir}${NORMAL}' not found."
+ exit 8
+ fi
+
+ local key_file=
+
+ for key_file in "${key_dir}"/*.pub ; do
+ update_public_sshkeys "${key_file}"
+ done
+
+}
+
 #------------------------------------------------
 main() {
@@ -575,8 +755,11 @@ main() {
 trap cleanup_tmp_file INT TERM EXIT ABRT
 update_passwords
- # update_all_mailhosts
+ update_all_mailhosts
+ update_all_public_sshkeys
+ empty_line
+ info "Finished."
 }
diff --git a/ssh_keys/markus.haebe.pub b/ssh_keys/markus.haebe.pub
index bfacae3..f1116f4 100644
--- a/ssh_keys/markus.haebe.pub
+++ b/ssh_keys/markus.haebe.pub
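Review bot: `out==$( eval ${cmd} || true )` in update_public_sshkeys assigns the string `=<output>` to `out` instead of the ldapsearch output itself, so the first returned line carries a leading `=` and slips past both the `^objectClass:` and `^sshPublicKey:` anchors that follow; if that first line happens to be the ldapPublicKey objectClass or an existing key, the script will try to add it again and ldapmodify can reject the whole LDIF — the fix is `out=$( eval ${cmd} || true )`. The common name read from the directory is also used as the printf format string (`printf "${value}"`), so a cn containing `%` or `\` is mangled; use `printf '%s' "${value}"` in both branches, and `value` should be declared `local` with the other variables. Lines from the key files are written into LDAP without any check that they are well-formed public keys (a pattern match on the key type, or `ssh-keygen -l -f` on a temporary copy, would catch a stray paste or a private key committed by mistake). Note also that only keys_to_add is ever computed: a key deleted from ssh_keys/ stays in LDAP and remains valid, so there is no revocation path through this repository — confirm whether that is intended. Finally, the comparison case-folds both sides with `tr`, but base64 key material is case-sensitive, so a plain `==` on the raw strings would be the accurate test, although the practical impact is small.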
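Review bot: The main() hunk silently re-enables `update_all_mailhosts`, which was commented out before and is not mentioned in the subject "Finishing setting public ssh keys"; if running the bulk mail-host update again is intended, say so in the commit message, otherwise keep `# update_all_mailhosts` disabled. The new `update_all_public_sshkeys` step calls `exit 8` when ssh_keys/ is missing, but it runs only after `update_passwords` has already written to the directory, so checking for the directory up front (or ordering the step first) would avoid a half-applied migration. main() begins before this hunk.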
@@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCts3q1SfbKSa39atsiuh54ZO2ABrVUuWdRqUDUepyQOMo2i3IT0NQGiCMxA4L/7xyGsITIOaRcBsr8vNsihkKcVCCqdzJQHW4BxNvotl9LVnxprvERl8DpYHo8HQgNg9l1q9faJVBuXmHBn4ar66Fd5TR5Qms9gYfDQPDNDhcHRYeWL1bDDMjNmuwCPOconSpKUfSEWfIINbmbrTwesYpyZUR9iedi4zA5hV9LL181/j1MX4kUjls8pYjUOr6jwt4n2QyixB1gRIMcQ9u72Z3yO/HDaGu7WWRR1PII76X+GxxG2ZPVs3VT+WFnBTO6Xvc683DUhJRj2YQTzW8KKpz Markus Häbe
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCts3q1SfbKSa39atsiuh54ZO2ABrVUuWdRqUDUepyQOMo2i3IT0NQGiCMxA4L/7xyGsITIOaRcBsr8vNsihkKcVCCqdzJQHW4BxNvotl9LVnxprvERl8DpYHo8HQgNg9l1q9faJVBuXmHBn4ar66Fd5TR5Qms9gYfDQPDNDhcHRYeWL1bDDMjNmuwCPOconSpKUfSEWfIINbmbrTwesYpyZUR9iedi4zA5hV9LL181/j1MX4kUjls8pYjUOr6jwt4n2QyixB1gRIMcQ9u72Z3yO/HDaGu7WWRR1PII76X+GxxG2ZPVs3VT+WFnBTO6Xvc683DUhJRj2YQTzW8KKpz Markus Haebe
diff --git a/ssh_keys/oliver.boettcher.pub b/ssh_keys/oliver.boettcher.pub
index ccf3f86..fc39802 100644
--- a/ssh_keys/oliver.boettcher.pub
+++ b/ssh_keys/oliver.boettcher.pub
@@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkFtAEjXLw+ciUU2POb0rVRUyKu5hyyCauYDIYOJjMg5xX1iCb+bOEUY4CxbCptZ+RNk7lDa2vsmGVZfiJhg7dQRB0s4oxX0aZveTRIFxnz3P5MAUxx2rjRfRMg3MrHMUYhX4KDSygqZlAPO+oeV8pmpUyZk5UYl5A9n+IY+dWRyHZrU9wd9+ah8gAkaOAsho+GQD5iwy04RyE6roQEoOnSsNqRHKs94e0A9TQJcrnVDKHYruN8gDiUNgkYCIcRnqBXzs6i6qsUAC8tWE2XGXx1A5kB/3333u2p3BLX5nMPPFkOTxaIHvpK8xcKEBsTuMsxPu9JaqfIQmxNRMWv0VN Oliver Böttcher
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkFtAEjXLw+ciUU2POb0rVRUyKu5hyyCauYDIYOJjMg5xX1iCb+bOEUY4CxbCptZ+RNk7lDa2vsmGVZfiJhg7dQRB0s4oxX0aZveTRIFxnz3P5MAUxx2rjRfRMg3MrHMUYhX4KDSygqZlAPO+oeV8pmpUyZk5UYl5A9n+IY+dWRyHZrU9wd9+ah8gAkaOAsho+GQD5iwy04RyE6roQEoOnSsNqRHKs94e0A9TQJcrnVDKHYruN8gDiUNgkYCIcRnqBXzs6i6qsUAC8tWE2XGXx1A5kB/3333u2p3BLX5nMPPFkOTxaIHvpK8xcKEBsTuMsxPu9JaqfIQmxNRMWv0VN Oliver Boettcher
--
2.39.5