summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Makefile.am16
-rw-r--r--contrib/sssd.spec.in4
-rw-r--r--src/man/Makefile.am3
-rw-r--r--src/man/sss_ssh_authorizedkeys.1.xml110
-rw-r--r--src/sss_client/ssh/sss_ssh_authorizedkeys.c130
5 files changed, 262 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index 1bc620926..908c4acc8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -61,6 +61,11 @@ dist_pkgconfig_DATA =
ACLOCAL_AMFLAGS = -I m4 -I .
+if BUILD_SSH
+bin_PROGRAMS = \
+ sss_ssh_authorizedkeys
+endif
+
sbin_PROGRAMS = \
sssd \
sss_useradd \
@@ -639,6 +644,16 @@ sss_sudo_cli_LDADD = \
libsss_sudo.la
endif
+if BUILD_SSH
+sss_ssh_authorizedkeys_SOURCES = \
+ src/sss_client/common.c \
+ src/sss_client/ssh/sss_ssh.c \
+ src/sss_client/ssh/sss_ssh_authorizedkeys.c
+sss_ssh_authorizedkeys_CFLAGS = $(AM_CFLAGS)
+sss_ssh_authorizedkeys_LDADD = \
+ libsss_util.la
+endif
+
#################
# Feature Tests #
#################
@@ -1321,6 +1336,7 @@ installsssddirs::
mkdir -p \
$(DESTDIR)$(includedir) \
$(DESTDIR)$(libdir) \
+ $(DESTDIR)$(bindir) \
$(DESTDIR)$(sbindir) \
$(DESTDIR)$(mandir) \
$(DESTDIR)$(pluginpath) \
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index bd94f8bb1..86aaef37e 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -314,6 +314,10 @@ rm -rf $RPM_BUILD_ROOT
/%{_lib}/libnss_sss.so.2
/%{_lib}/security/pam_sss.so
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
+%if (0%{?enable_experimental} == 1)
+%{_bindir}/sss_ssh_authorizedkeys
+%endif
+%{_mandir}/man1/sss_ssh_authorizedkeys.1*
%{_mandir}/man8/pam_sss.8*
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 31b5652fd..f6307715e 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -38,7 +38,8 @@ man_MANS = \
sssd.8 sssd.conf.5 sssd-ldap.5 \
sssd-krb5.5 sssd-ipa.5 sssd-simple.5 \
sssd_krb5_locator_plugin.8 sss_groupshow.8 \
- pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8
+ pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 \
+ sss_ssh_authorizedkeys.1
EXTRA_DIST = $(man_MANS:%=%.xml) $(wildcard $(srcdir)/include/*.xml)
SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8
diff --git a/src/man/sss_ssh_authorizedkeys.1.xml b/src/man/sss_ssh_authorizedkeys.1.xml
new file mode 100644
index 000000000..c6315eebc
--- /dev/null
+++ b/src/man/sss_ssh_authorizedkeys.1.xml
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sss_ssh_authorizedkeys</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sss_ssh_authorizedkeys</refname>
+ <refpurpose>get OpenSSH authorized keys</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv id='synopsis'>
+ <cmdsynopsis>
+ <command>sss_ssh_authorizedkeys</command>
+ <arg choice='opt'>
+ <replaceable>options</replaceable>
+ </arg>
+ <arg choice='plain'><replaceable>USER</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>sss_ssh_authorizedkeys</command> acquires SSH
+ public keys for user <replaceable>USER</replaceable> and
+ outputs them in OpenSSH authorized_keys format (see the
+ <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of
+ <citerefentry><refentrytitle>sshd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> for more
+ information).
+ </para>
+ <para>
+ <citerefentry><refentrytitle>sshd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> can be configured
+ to use <command>sss_ssh_authorizedkeys</command> for public
+ key user authentication if it is compiled with support for
+ either <quote>AuthorizedKeysCommand</quote> or
+ <quote>PubkeyAgent</quote> <citerefentry>
+ <refentrytitle>sshd_config</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry> options.
+ </para>
+ <para>
+ If <quote>AuthorizedKeysCommand</quote> is supported,
+ <citerefentry><refentrytitle>sshd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> can be configured to
+ use it by putting the following directive in <citerefentry>
+ <refentrytitle>sshd_config</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry>:
+<programlisting>
+AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+</programlisting>
+ </para>
+ <para>
+ If <quote>PubkeyAgent</quote> is supported,
+ <citerefentry><refentrytitle>sshd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> can be configured to
+ use it by using the following directive for <citerefentry>
+ <refentrytitle>sshd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> configuration:
+<programlisting>
+PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u
+</programlisting>
+ </para>
+ <para>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/experimental.xml" />
+ </para>
+ </refsect1>
+
+ <refsect1 id='options'>
+ <title>OPTIONS</title>
+ <variablelist remap='IP'>
+ <varlistentry>
+ <term>
+ <option>-d</option>,<option>--domain</option>
+ <replaceable>DOMAIN</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_ssh_knownhostsproxy</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>
diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
new file mode 100644
index 000000000..c8aa45c30
--- /dev/null
+++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
@@ -0,0 +1,130 @@
+/*
+ Authors:
+ Jan Cholasta <jcholast@redhat.com>
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdio.h>
+#include <talloc.h>
+#include <popt.h>
+
+#include "util/util.h"
+#include "util/crypto/sss_crypto.h"
+#include "sss_client/sss_cli.h"
+#include "sss_client/ssh/sss_ssh.h"
+
+int main(int argc, const char **argv)
+{
+ TALLOC_CTX *mem_ctx;
+ int pc_debug = SSSDBG_DEFAULT;
+ const char *pc_domain = NULL;
+ const char *pc_user = NULL;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, 0,
+ _("The debug level to run with"), NULL },
+ { "domain", 'd', POPT_ARG_STRING, &pc_domain, 0,
+ _("The SSSD domain to use"), NULL },
+ POPT_TABLEEND
+ };
+ poptContext pc = NULL;
+ const char *user;
+ struct sss_ssh_pubkey *pubkeys;
+ size_t num_pubkeys, i;
+ char *repr;
+ int ret;
+
+ debug_prg_name = argv[0];
+
+ ret = set_locale();
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("set_locale() failed (%d): %s\n", ret, strerror(ret)));
+ ERROR("Error setting the locale\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ mem_ctx = talloc_new(NULL);
+ if (!mem_ctx) {
+ ERROR("Not enough memory\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ /* parse parameters */
+ pc = poptGetContext(NULL, argc, argv, long_options, 0);
+ poptSetOtherOptionHelp(pc, "USER");
+ while ((ret = poptGetNextOpt(pc)) > 0)
+ ;
+
+ debug_level = debug_convert_old_level(pc_debug);
+
+ if (ret != -1) {
+ BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini);
+ }
+
+ pc_user = poptGetArg(pc);
+ if (pc_user == NULL) {
+ BAD_POPT_PARAMS(pc, _("User not specified\n"), ret, fini);
+ }
+
+ /* append domain to username if domain is specified */
+ if (pc_domain) {
+ user = talloc_asprintf(mem_ctx, "%s@%s", pc_user, pc_domain);
+ if (!user) {
+ ERROR("Not enough memory\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+ } else {
+ user = pc_user;
+ }
+
+ /* look up public keys */
+ ret = sss_ssh_get_pubkeys(mem_ctx, SSS_SSH_GET_USER_PUBKEYS, user,
+ &pubkeys, &num_pubkeys);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("sss_ssh_get_pubkeys() failed (%d): %s\n", ret, strerror(ret)));
+ ERROR("Error looking up public keys\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ /* print results */
+ for (i = 0; i < num_pubkeys; i++) {
+ ret = sss_ssh_format_pubkey(mem_ctx, &pubkeys[i],
+ SSS_SSH_FORMAT_OPENSSH, &repr);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("sss_ssh_format_pubkey() failed (%d): %s\n",
+ ret, strerror(ret)));
+ continue;
+ }
+
+ printf("%s\n", repr);
+ }
+
+ ret = EXIT_SUCCESS;
+
+fini:
+ poptFreeContext(pc);
+ talloc_free(mem_ctx);
+
+ return ret;
+}