diff options
| author | Jan Cholasta <jcholast@redhat.com> | 2012-02-03 22:55:33 +0100 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-02-07 00:26:57 +0100 |
| commit | 558998ce664055a75595371118f818084d8f2b23 (patch) | |
| tree | 41d8a8b4a279a92f554539d7dbfdfbd1d93fb0a2 | |
| parent | 347f7c4d1e8e83fc7ffcaf9524a67e8b3ad5d7c5 (diff) | |
| download | sssd-558998ce664055a75595371118f818084d8f2b23.tar.gz sssd-558998ce664055a75595371118f818084d8f2b23.tar.xz sssd-558998ce664055a75595371118f818084d8f2b23.zip | |
SSH: OpenSSH authorized_keys client
| -rw-r--r-- | Makefile.am | 16 | ||||
| -rw-r--r-- | contrib/sssd.spec.in | 4 | ||||
| -rw-r--r-- | src/man/Makefile.am | 3 | ||||
| -rw-r--r-- | src/man/sss_ssh_authorizedkeys.1.xml | 110 | ||||
| -rw-r--r-- | src/sss_client/ssh/sss_ssh_authorizedkeys.c | 130 |
5 files changed, 262 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am index 1bc620926..908c4acc8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -61,6 +61,11 @@ dist_pkgconfig_DATA = ACLOCAL_AMFLAGS = -I m4 -I . +if BUILD_SSH +bin_PROGRAMS = \ + sss_ssh_authorizedkeys +endif + sbin_PROGRAMS = \ sssd \ sss_useradd \ @@ -639,6 +644,16 @@ sss_sudo_cli_LDADD = \ libsss_sudo.la endif +if BUILD_SSH +sss_ssh_authorizedkeys_SOURCES = \ + src/sss_client/common.c \ + src/sss_client/ssh/sss_ssh.c \ + src/sss_client/ssh/sss_ssh_authorizedkeys.c +sss_ssh_authorizedkeys_CFLAGS = $(AM_CFLAGS) +sss_ssh_authorizedkeys_LDADD = \ + libsss_util.la +endif + ################# # Feature Tests # ################# @@ -1321,6 +1336,7 @@ installsssddirs:: mkdir -p \ $(DESTDIR)$(includedir) \ $(DESTDIR)$(libdir) \ + $(DESTDIR)$(bindir) \ $(DESTDIR)$(sbindir) \ $(DESTDIR)$(mandir) \ $(DESTDIR)$(pluginpath) \ diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index bd94f8bb1..86aaef37e 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -314,6 +314,10 @@ rm -rf $RPM_BUILD_ROOT /%{_lib}/libnss_sss.so.2 /%{_lib}/security/pam_sss.so %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so +%if (0%{?enable_experimental} == 1) +%{_bindir}/sss_ssh_authorizedkeys +%endif +%{_mandir}/man1/sss_ssh_authorizedkeys.1* %{_mandir}/man8/pam_sss.8* %{_mandir}/man8/sssd_krb5_locator_plugin.8* diff --git a/src/man/Makefile.am b/src/man/Makefile.am index 31b5652fd..f6307715e 100644 --- a/src/man/Makefile.am +++ b/src/man/Makefile.am @@ -38,7 +38,8 @@ man_MANS = \ sssd.8 sssd.conf.5 sssd-ldap.5 \ sssd-krb5.5 sssd-ipa.5 sssd-simple.5 \ sssd_krb5_locator_plugin.8 sss_groupshow.8 \ - pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 + pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 \ + sss_ssh_authorizedkeys.1 EXTRA_DIST = $(man_MANS:%=%.xml) $(wildcard $(srcdir)/include/*.xml) SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8 diff --git a/src/man/sss_ssh_authorizedkeys.1.xml b/src/man/sss_ssh_authorizedkeys.1.xml new file mode 100644 index 000000000..c6315eebc --- /dev/null +++ b/src/man/sss_ssh_authorizedkeys.1.xml @@ -0,0 +1,110 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<reference> +<title>SSSD Manual pages</title> +<refentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> + + <refmeta> + <refentrytitle>sss_ssh_authorizedkeys</refentrytitle> + <manvolnum>1</manvolnum> + </refmeta> + + <refnamediv id='name'> + <refname>sss_ssh_authorizedkeys</refname> + <refpurpose>get OpenSSH authorized keys</refpurpose> + </refnamediv> + + <refsynopsisdiv id='synopsis'> + <cmdsynopsis> + <command>sss_ssh_authorizedkeys</command> + <arg choice='opt'> + <replaceable>options</replaceable> + </arg> + <arg choice='plain'><replaceable>USER</replaceable></arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id='description'> + <title>DESCRIPTION</title> + <para> + <command>sss_ssh_authorizedkeys</command> acquires SSH + public keys for user <replaceable>USER</replaceable> and + outputs them in OpenSSH authorized_keys format (see the + <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of + <citerefentry><refentrytitle>sshd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> for more + information). + </para> + <para> + <citerefentry><refentrytitle>sshd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> can be configured + to use <command>sss_ssh_authorizedkeys</command> for public + key user authentication if it is compiled with support for + either <quote>AuthorizedKeysCommand</quote> or + <quote>PubkeyAgent</quote> <citerefentry> + <refentrytitle>sshd_config</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> options. + </para> + <para> + If <quote>AuthorizedKeysCommand</quote> is supported, + <citerefentry><refentrytitle>sshd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> can be configured to + use it by putting the following directive in <citerefentry> + <refentrytitle>sshd_config</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>: +<programlisting> +AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys +</programlisting> + </para> + <para> + If <quote>PubkeyAgent</quote> is supported, + <citerefentry><refentrytitle>sshd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> can be configured to + use it by using the following directive for <citerefentry> + <refentrytitle>sshd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> configuration: +<programlisting> +PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u +</programlisting> + </para> + <para> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/experimental.xml" /> + </para> + </refsect1> + + <refsect1 id='options'> + <title>OPTIONS</title> + <variablelist remap='IP'> + <varlistentry> + <term> + <option>-d</option>,<option>--domain</option> + <replaceable>DOMAIN</replaceable> + </term> + <listitem> + <para> + Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>. + </para> + </listitem> + </varlistentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" /> + </variablelist> + </refsect1> + + <refsect1 id='see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>sss_ssh_knownhostsproxy</refentrytitle><manvolnum>1</manvolnum> + </citerefentry>. + </para> + </refsect1> +</refentry> +</reference> diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c new file mode 100644 index 000000000..c8aa45c30 --- /dev/null +++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c @@ -0,0 +1,130 @@ +/* + Authors: + Jan Cholasta <jcholast@redhat.com> + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include <stdio.h> +#include <talloc.h> +#include <popt.h> + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "sss_client/sss_cli.h" +#include "sss_client/ssh/sss_ssh.h" + +int main(int argc, const char **argv) +{ + TALLOC_CTX *mem_ctx; + int pc_debug = SSSDBG_DEFAULT; + const char *pc_domain = NULL; + const char *pc_user = NULL; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, 0, + _("The debug level to run with"), NULL }, + { "domain", 'd', POPT_ARG_STRING, &pc_domain, 0, + _("The SSSD domain to use"), NULL }, + POPT_TABLEEND + }; + poptContext pc = NULL; + const char *user; + struct sss_ssh_pubkey *pubkeys; + size_t num_pubkeys, i; + char *repr; + int ret; + + debug_prg_name = argv[0]; + + ret = set_locale(); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("set_locale() failed (%d): %s\n", ret, strerror(ret))); + ERROR("Error setting the locale\n"); + ret = EXIT_FAILURE; + goto fini; + } + + mem_ctx = talloc_new(NULL); + if (!mem_ctx) { + ERROR("Not enough memory\n"); + ret = EXIT_FAILURE; + goto fini; + } + + /* parse parameters */ + pc = poptGetContext(NULL, argc, argv, long_options, 0); + poptSetOtherOptionHelp(pc, "USER"); + while ((ret = poptGetNextOpt(pc)) > 0) + ; + + debug_level = debug_convert_old_level(pc_debug); + + if (ret != -1) { + BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini); + } + + pc_user = poptGetArg(pc); + if (pc_user == NULL) { + BAD_POPT_PARAMS(pc, _("User not specified\n"), ret, fini); + } + + /* append domain to username if domain is specified */ + if (pc_domain) { + user = talloc_asprintf(mem_ctx, "%s@%s", pc_user, pc_domain); + if (!user) { + ERROR("Not enough memory\n"); + ret = EXIT_FAILURE; + goto fini; + } + } else { + user = pc_user; + } + + /* look up public keys */ + ret = sss_ssh_get_pubkeys(mem_ctx, SSS_SSH_GET_USER_PUBKEYS, user, + &pubkeys, &num_pubkeys); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("sss_ssh_get_pubkeys() failed (%d): %s\n", ret, strerror(ret))); + ERROR("Error looking up public keys\n"); + ret = EXIT_FAILURE; + goto fini; + } + + /* print results */ + for (i = 0; i < num_pubkeys; i++) { + ret = sss_ssh_format_pubkey(mem_ctx, &pubkeys[i], + SSS_SSH_FORMAT_OPENSSH, &repr); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + ("sss_ssh_format_pubkey() failed (%d): %s\n", + ret, strerror(ret))); + continue; + } + + printf("%s\n", repr); + } + + ret = EXIT_SUCCESS; + +fini: + poptFreeContext(pc); + talloc_free(mem_ctx); + + return ret; +} |