Created
July 8, 2014 12:24
-
-
Save koenpunt/40c0b042c453a1add0e8 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # $Id: ldap_ssh_key.sh 138 2013-09-14 08:24:39Z jmorano $ | |
| # | |
| # Check if the user is in the right group | |
| # and afterwards retrieve the SSH public key from LDAP | |
| # Logs directly in Syslog | |
| # | |
| # | |
| # sshd_config for OpenSSH 6.2 or higher: | |
| # | |
| # AuthorizedKeysCommand /usr/local/bin/ldap_keys.sh | |
| # AuthorizedKeysCommandUser nobody | |
| # | |
| LDAP_SERVER="ldap-server" | |
| BASE_DN="ou=users,dc=company,dc=example,dc=com" | |
| ALLOWED_GROUP="6667" | |
| # load local configuration if available | |
| if [ -f /etc/example/ldap.cfg ]; then | |
| . /etc/example/ldap.cfg | |
| fi | |
| SSH_USER=$1 | |
| if id "${SSH_USER}" | egrep -q "${ALLOWED_GROUP}"; | |
| then | |
| logger -t sshd -p info "User $SSH_USER is a member of the group" | |
| else | |
| logger -t sshd -p warn "User $SSH_USER is not allowed to log in, access denied" | |
| echo | |
| exit 0 | |
| fi | |
| KEY=$(ldapsearch -o ldif-wrap=no -S sshPublicKey -c -h "${LDAP_SERVER}" -b "${BASE_DN}" -x -LLL "uid=${SSH_USER}" sshPublicKey | grep -v 'dn:' | perl -pe 's/sshPublicKey: //;') | |
| logger -t sshd -p info "Sent LDAP SSH public key for user $SSH_USER" | |
| echo "${KEY}" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment