#!/bin/sh
#
# This script finds and prints authorized SSH public keys in LDAP for the
# username specified as the first argument. The SSH public key is read from the
# streetAddress field.
#
# The program must be owned by root and not writable by group or others.
# It expects the configuration file /etc/ssh/ldap.conf in the format of ldap.conf(5).
#
# sshd_config for OpenSSH 6.2+:
#
# AuthorizedKeysCommand /usr/local/bin/get-sshkey-from-ldap
# AuthorizedKeysCommandUser nobody
#
# Based on https://gist.github.com/jirutka/b15c31b2739a4f3eab63
#
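set -eu

# LDAP connection settings.
# NOTE(review): the header says configuration lives in /etc/ssh/ldap.conf, but
# the bind credentials are taken from these variables in the script itself.
# sshd runs the script as AuthorizedKeysCommandUser (nobody per the header), so
# the script -- and the bind password in it -- has to be readable by that
# account; keep it out of world-readable files where the deployment allows.
ldapserver=''
ldapuser=''
ldappass=''
ldapou=''

# Login name handed over by sshd as the first argument.  It originates from the
# connecting client, so it is treated as untrusted until validated below.  The
# ?-expansion gives a usable diagnostic when the argument is missing instead of
# the bare "unbound variable" error produced by set -u.
samaccountname="${1?usage: $0 <username>}"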
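# Log a message to syslog (facility auth) and, via -s, to stderr, tagged as sshd.
#   $1 - syslog severity appended to "auth." (e.g. err, info)
#   $2 - message text
# The "--" keeps a message that happens to begin with "-" from being parsed as
# a logger option.
log() {
  logger -s -t sshd -p "auth.$1" -- "$2"
}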
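# Reject anything outside a conservative character whitelist before the name is
# interpolated into the LDAP search filter further down.  The whitelist excludes
# the filter metacharacters ( ) * and \, so a client-chosen login name cannot
# change the shape of the filter.  The empty name is rejected explicitly (the
# expr test this replaces only rejected it via expr's exit status for a
# zero-length match), and a case pattern avoids forking expr on every lookup.
# NOTE(review): the rejected value is logged verbatim; whether control
# characters in it are escaped depends on the logger(1) implementation.
case "$samaccountname" in
  ''|*[!a-zA-Z0-9._-]*)
    log err "invalid username: $samaccountname"
    exit 1
    ;;
esac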
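# Look the user up and collect every streetAddress value (one SSH public key per
# value).  The directory result is captured before filtering so that a failing
# ldapsearch is logged and fails closed: in the original pipeline only sed's
# exit status was visible, so a bind or transport error looked like "no keys".
#
# NOTE(review): -w puts the bind password on ldapsearch's command line, where
# it may be visible to other local users in the process list while the query
# runs; ldapsearch's -y <passwdfile> reads it from a file instead.  Anyone who
# can write the streetAddress attribute in the directory controls SSH access
# for that account.
if ! ldif=$(ldapsearch -H "ldaps://$ldapserver" -D "$ldapuser" \
      -w "$ldappass" -b "$ldapou" -LLL -o ldif-wrap=no \
      -s sub "(sAMAccountName=$samaccountname)" streetAddress); then
  log err "LDAP lookup failed for user: $samaccountname"
  exit 1
fi

# Base64-encoded LDIF values ("streetAddress:: ...") are not decoded here.
keys=$(printf '%s\n' "$ldif" | sed -n 's/^streetAddress:\s*\(.*\)$/\1/p')

# wc -l counts newlines, so an empty result must be special-cased.  The
# unquoted `echo $keys` this replaces collapsed every key onto one line and
# always reported a count of 1; tr strips the padding some wc builds emit.
if [ -n "$keys" ]; then
  count=$(printf '%s\n' "$keys" | wc -l | tr -d ' ')
else
  count=0
fi

log info "Loaded $count SSH public key(s) from LDAP for user: $samaccountname"
printf '%s\n' "$keys"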