[Mageia-sysadm] [262] - import mandriva script to export ssh keys ( need some cleaning )

root at mageia.org root at mageia.org
Wed Nov 17 15:17:29 CET 2010


Revision: 262
Author:   misc
Date:     2010-11-17 15:17:29 +0100 (Wed, 17 Nov 2010)
Log Message:
-----------
- import mandriva script to export ssh keys ( need some cleaning )

Modified Paths:
--------------
    puppet/modules/restrictshell/manifests/init.pp

Added Paths:
-----------
    puppet/modules/restrictshell/templates/ldap-sshkey2file.py

Modified: puppet/modules/restrictshell/manifests/init.pp
===================================================================
--- puppet/modules/restrictshell/manifests/init.pp	2010-11-17 02:45:43 UTC (rev 261)
+++ puppet/modules/restrictshell/manifests/init.pp	2010-11-17 14:17:29 UTC (rev 262)
@@ -26,4 +26,21 @@
     mode => 755,
     content => template("restrictshell/membersh-conf.pl"),
   }
+
+  package { 'python-ldap':
+    ensure => installed,
+  }
+
+  file { '/usr/local/bin/ldap-sshkey2file.py':
+    ensure => present,
+    owner => root,
+    group => root,
+    mode => 755,
+    content => template("restrictshell/ldap-sshkey2file.py"),
+    requires => Package['python-ldap']
+  } 
+
+
+
+
 }

Added: puppet/modules/restrictshell/templates/ldap-sshkey2file.py
===================================================================
--- puppet/modules/restrictshell/templates/ldap-sshkey2file.py	                        (rev 0)
+++ puppet/modules/restrictshell/templates/ldap-sshkey2file.py	2010-11-17 14:17:29 UTC (rev 262)
@@ -0,0 +1,92 @@
+#!/usr/bin/python
+
+import sys
+import os
+import random
+
+try:
+    import ldap
+except ImportError, e:
+    print "Please install python-ldap before running this program"
+    sys.exit(1)
+
+basedn="dc=mandriva,dc=com"
+peopledn="ou=people,%s" % basedn
+uris=['ldap://kenobi.mandriva.com','ldap://svn.mandriva.com']
+random.shuffle(uris)
+uri = " ".join(uris)
+timeout=5
+binddn="uid=sshkeyreader,ou=System Accounts,%s" % basedn
+pwfile="/etc/sshkeyreader.pw"
+# filter out disabled accounts also
+# too bad uidNumber doesn't support >= filters
+filter="(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*)(!(shadowExpire=*)))"
+keypathprefix="/var/lib/config/pubkeys"
+
+def usage():
+    print "%s" % sys.argv[0]
+    print
+    print "Will fetch all enabled user accounts under %s" % peopledn
+    print "with ssh keys in them and write each one to"
+    print "%s/<login>/authorized_keys" % keypathprefix
+    print
+    print "This script is intented to be run from cron as root"
+    print
+
+def get_pw(pwfile):
+    try:
+        f = open(pwfile, 'r')
+    except IOError, e:
+        print "Error while reading password file, aborting"
+        print e
+        sys.exit(1)
+    pw = f.readline().strip()
+    f.close()
+    return pw
+
+def write_keys(keys, user, uid, gid):
+    try:
+        os.makedirs("%s/%s" % (keypathprefix,user), 0700)
+    except:
+        pass
+    keyfile = "%s/%s/authorized_keys" % (keypathprefix,user)
+    f = open(keyfile, 'w')
+    for key in keys:
+        f.write(key.strip() + "\n")
+    f.close()
+    os.chmod(keyfile, 0600)
+    os.chown(keyfile, uid, gid)
+    os.chmod("%s/%s" % (keypathprefix,user), 0700)
+    os.chown("%s/%s" % (keypathprefix,user), uid, gid)
+
+if len(sys.argv) != 1:
+    usage()
+    sys.exit(1)
+
+bindpw = get_pw(pwfile)
+
+try:
+    ld = ldap.initialize(uri)
+    ld.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
+    ld.start_tls_s()
+    ld.bind_s(binddn, bindpw)
+    res = ld.search_s(peopledn, ldap.SCOPE_ONELEVEL, filter, ['uid','sshPublicKey','uidNumber','gidNumber'])
+    try:
+        os.makedirs(keypathprefix, 0701)
+    except:
+        pass
+    for result in res:
+        dn, entry = result
+        # skip possible system users
+        if int(entry['uidNumber'][0]) < 500:
+            continue
+        write_keys(entry['sshPublicKey'], entry['uid'][0], int(entry['uidNumber'][0]), int(entry['gidNumber'][0]))
+    ld.unbind_s()
+except Exception, e:
+    print "Error"
+    raise
+
+sys.exit(0)
+
+
+# vim:ts=4:sw=4:et:ai:si


Property changes on: puppet/modules/restrictshell/templates/ldap-sshkey2file.py
___________________________________________________________________
Added: svn:executable
   + *
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/mageia-sysadm/attachments/20101117/f94d7af2/attachment.html>


More information about the Mageia-sysadm mailing list