SSH: OpenSSH authorized_keys client

3 files changed, 242 insertions, 1 deletions

diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 31b5652fd..f6307715e 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -38,7 +38,8 @@ man_MANS = \
     sssd.8 sssd.conf.5 sssd-ldap.5 \
     sssd-krb5.5 sssd-ipa.5 sssd-simple.5 \
     sssd_krb5_locator_plugin.8 sss_groupshow.8 \
-    pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8
+    pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 \
+    sss_ssh_authorizedkeys.1
 EXTRA_DIST = $(man_MANS:%=%.xml) $(wildcard $(srcdir)/include/*.xml)
 
 SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8
diff --git a/src/man/sss_ssh_authorizedkeys.1.xml b/src/man/sss_ssh_authorizedkeys.1.xml
new file mode 100644
index 000000000..c6315eebc
--- /dev/null
+++ b/src/man/sss_ssh_authorizedkeys.1.xml
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+    <refmeta>
+        <refentrytitle>sss_ssh_authorizedkeys</refentrytitle>
+        <manvolnum>1</manvolnum>
+    </refmeta>
+
+    <refnamediv id='name'>
+        <refname>sss_ssh_authorizedkeys</refname>
+        <refpurpose>get OpenSSH authorized keys</refpurpose>
+    </refnamediv>
+
+    <refsynopsisdiv id='synopsis'>
+        <cmdsynopsis>
+            <command>sss_ssh_authorizedkeys</command>
+            <arg choice='opt'>
+                <replaceable>options</replaceable>
+            </arg>
+            <arg choice='plain'><replaceable>USER</replaceable></arg>
+        </cmdsynopsis>
+    </refsynopsisdiv>
+
+    <refsect1 id='description'>
+        <title>DESCRIPTION</title>
+        <para>
+            <command>sss_ssh_authorizedkeys</command> acquires SSH
+            public keys for user <replaceable>USER</replaceable> and
+            outputs them in OpenSSH authorized_keys format (see the
+            <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of
+            <citerefentry><refentrytitle>sshd</refentrytitle>
+            <manvolnum>8</manvolnum></citerefentry> for more
+            information).
+        </para>
+        <para>
+            <citerefentry><refentrytitle>sshd</refentrytitle>
+            <manvolnum>8</manvolnum></citerefentry> can be configured
+            to use <command>sss_ssh_authorizedkeys</command> for public
+            key user authentication if it is compiled with support for
+            either <quote>AuthorizedKeysCommand</quote> or
+            <quote>PubkeyAgent</quote> <citerefentry>
+            <refentrytitle>sshd_config</refentrytitle>
+            <manvolnum>5</manvolnum></citerefentry> options.
+        </para>
+        <para>
+            If <quote>AuthorizedKeysCommand</quote> is supported,
+            <citerefentry><refentrytitle>sshd</refentrytitle>
+            <manvolnum>8</manvolnum></citerefentry> can be configured to
+            use it by putting the following directive in <citerefentry>
+            <refentrytitle>sshd_config</refentrytitle>
+            <manvolnum>5</manvolnum></citerefentry>:
+<programlisting>
+AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+</programlisting>
+        </para>
+        <para>
+            If <quote>PubkeyAgent</quote> is supported,
+            <citerefentry><refentrytitle>sshd</refentrytitle>
+            <manvolnum>8</manvolnum></citerefentry> can be configured to
+            use it by using the following directive for <citerefentry>
+            <refentrytitle>sshd</refentrytitle>
+            <manvolnum>8</manvolnum></citerefentry> configuration:
+<programlisting>
+PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u
+</programlisting>
+        </para>
+        <para>
+            <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/experimental.xml" />
+        </para>
+    </refsect1>
+
+    <refsect1 id='options'>
+        <title>OPTIONS</title>
+        <variablelist remap='IP'>
+            <varlistentry>
+                <term>
+                    <option>-d</option>,<option>--domain</option>
+                    <replaceable>DOMAIN</replaceable>
+                </term>
+                <listitem>
+                    <para>
+                        Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>.
+                    </para>
+                </listitem>
+            </varlistentry>
+            <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+        </variablelist>
+    </refsect1>
+
+    <refsect1 id='see_also'>
+        <title>SEE ALSO</title>
+        <para>
+            <citerefentry>
+                <refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum>
+            </citerefentry>,
+            <citerefentry>
+                <refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum>
+            </citerefentry>,
+            <citerefentry>
+                <refentrytitle>sss_ssh_knownhostsproxy</refentrytitle><manvolnum>1</manvolnum>
+            </citerefentry>.
+        </para>
+    </refsect1>
+</refentry>
+</reference>
diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
new file mode 100644
index 000000000..c8aa45c30
--- /dev/null
+++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
@@ -0,0 +1,130 @@
+/*
+    Authors:
+        Jan Cholasta <jcholast@redhat.com>
+
+    Copyright (C) 2012 Red Hat
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdio.h>
+#include <talloc.h>
+#include <popt.h>
+
+#include "util/util.h"
+#include "util/crypto/sss_crypto.h"
+#include "sss_client/sss_cli.h"
+#include "sss_client/ssh/sss_ssh.h"
+
+int main(int argc, const char **argv)
+{
+    TALLOC_CTX *mem_ctx;
+    int pc_debug = SSSDBG_DEFAULT;
+    const char *pc_domain = NULL;
+    const char *pc_user = NULL;
+    struct poptOption long_options[] = {
+        POPT_AUTOHELP
+        { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, 0,
+          _("The debug level to run with"), NULL },
+        { "domain", 'd', POPT_ARG_STRING, &pc_domain, 0,
+          _("The SSSD domain to use"), NULL },
+        POPT_TABLEEND
+    };
+    poptContext pc = NULL;
+    const char *user;
+    struct sss_ssh_pubkey *pubkeys;
+    size_t num_pubkeys, i;
+    char *repr;
+    int ret;
+
+    debug_prg_name = argv[0];
+
+    ret = set_locale();
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("set_locale() failed (%d): %s\n", ret, strerror(ret)));
+        ERROR("Error setting the locale\n");
+        ret = EXIT_FAILURE;
+        goto fini;
+    }
+
+    mem_ctx = talloc_new(NULL);
+    if (!mem_ctx) {
+        ERROR("Not enough memory\n");
+        ret = EXIT_FAILURE;
+        goto fini;
+    }
+
+    /* parse parameters */
+    pc = poptGetContext(NULL, argc, argv, long_options, 0);
+    poptSetOtherOptionHelp(pc, "USER");
+    while ((ret = poptGetNextOpt(pc)) > 0)
+        ;
+
+    debug_level = debug_convert_old_level(pc_debug);
+
+    if (ret != -1) {
+        BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini);
+    }
+
+    pc_user = poptGetArg(pc);
+    if (pc_user == NULL) {
+        BAD_POPT_PARAMS(pc, _("User not specified\n"), ret, fini);
+    }
+
+    /* append domain to username if domain is specified */
+    if (pc_domain) {
+        user = talloc_asprintf(mem_ctx, "%s@%s", pc_user, pc_domain);
+        if (!user) {
+            ERROR("Not enough memory\n");
+            ret = EXIT_FAILURE;
+            goto fini;
+        }
+    } else {
+        user = pc_user;
+    }
+
+    /* look up public keys */
+    ret = sss_ssh_get_pubkeys(mem_ctx, SSS_SSH_GET_USER_PUBKEYS, user,
+                              &pubkeys, &num_pubkeys);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("sss_ssh_get_pubkeys() failed (%d): %s\n", ret, strerror(ret)));
+        ERROR("Error looking up public keys\n");
+        ret = EXIT_FAILURE;
+        goto fini;
+    }
+
+    /* print results */
+    for (i = 0; i < num_pubkeys; i++) {
+        ret = sss_ssh_format_pubkey(mem_ctx, &pubkeys[i],
+                                    SSS_SSH_FORMAT_OPENSSH, &repr);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                    ("sss_ssh_format_pubkey() failed (%d): %s\n",
+                     ret, strerror(ret)));
+            continue;
+        }
+
+        printf("%s\n", repr);
+    }
+
+    ret = EXIT_SUCCESS;
+
+fini:
+    poptFreeContext(pc);
+    talloc_free(mem_ctx);
+
+    return ret;
+}