| author | Markus Krogh <markus@nordu.net> | 2018-06-06 13:07:43 +0200 |
|---|---|---|
| committer | Markus Krogh <markus@nordu.net> | 2018-06-06 13:07:43 +0200 |
| commit | 0c57aa6636e1d33bcac8a54f7fa575a43cdf1b2a (patch) | |
| tree | 25dabfaa913b586a7ea19e880c723d2c4f56c7ba | |
Initial cf-replace
| -rw-r--r-- | cf-replace | 5 | ||||
| -rwxr-xr-x | install.sh | 21 | ||||
| -rw-r--r-- | ssh-keys.sh | 52 |
3 files changed, 78 insertions, 0 deletions
diff --git a/cf-replace b/cf-replace
new file mode 100644
index 0000000..bd2d1f3
--- /dev/null
+++ b/cf-replace
@@ -0,0 +1,5 @@
+SHELL=/bin/bash
+MAILTO="markus@nordu.net"
+# Minute Hour Day of Month Month Day of Week User Command
+# CF engine replacement scripts
+*/15 * * * * root sleep $[ ( $RANDOM \% 120 ) + 1 ]s ; /usr/local/bin/ssh-keys.sh
diff --git a/install.sh b/install.sh
new file mode 100755
index 0000000..cfd9891
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+MAILTO=${MAILTO:-markus@nordu.net}
+CROND_FILE=/etc/cron.d/cf-replace
+SSH_KEYS_PATH=/usr/local/bin/ssh-keys.sh
+SSH_URL=
+CROND_URL=
+
+if ! curl -s --show-error "$SSH_URL" > "$SSH_KEYS_PATH"; then
+ echo "Failed to get ssh-keys.sh file"
+ exit 1
+fi
+
+chmod +x "$SSH_KEYS_PATH"
+
+if ! curl -s --show-error "$CROND_URL" > "$CROND_FILE"; then
+ echo "Failed to get cf-replace cron file"
+ test -f "$CROND_FILE" && rm "$CROND_FILE"
+ exit 1
+fi
+sed -i -e "/MAILTO/ s/markus@nordu.net/$MAILTO/" "$CROND_FILE"
+echo "cf-replace has been installed to $CROND_FILE"
diff --git a/ssh-keys.sh b/ssh-keys.sh
new file mode 100644
index 0000000..68f8d0c
--- /dev/null
+++ b/ssh-keys.sh
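Review bot: `$[ ( $RANDOM \% 120 ) + 1 ]` on the job line uses the deprecated pre-POSIX arithmetic form; bash still accepts it, but `$(( RANDOM \% 120 + 1 ))` is the documented syntax (the `\%` must stay, since cron turns an unescaped `%` into a newline). Both `$RANDOM` and the arithmetic depend on the `SHELL=/bin/bash` line above, which is not obvious to whoever edits this file next; a one-line comment such as `# requires SHELL=/bin/bash: $RANDOM and arithmetic expansion are bash-only` above the job would make that explicit. Since the job runs as root every 15 minutes and rewrites users' authorized_keys, every line the script prints (including the per-user LDAP failure messages) will be mailed to MAILTO on each run, which is worth stating in the header comment as intended behaviour.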
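Review bot: `SSH_URL=` and `CROND_URL=` are committed empty, so both `curl` calls fail with "no URL specified" and the installer cannot complete as is; if they are meant to be set per deployment, reading them from the environment like MAILTO does (`SSH_URL=${SSH_URL:?SSH_URL must be set}`) fails with a clear message instead. Neither `curl` passes `-f`/`--fail`, so an HTTP error page would be written into `/usr/local/bin/ssh-keys.sh`, made executable and then run as root by cron; and unlike the second block, nothing removes the truncated file when the first download fails. `if ! curl -fsS "$SSH_URL" > "$SSH_KEYS_PATH"; then` together with `rm -f -- "$SSH_KEYS_PATH"` before the `exit 1` covers both, and the same `-f` belongs on the second call. Beyond transport there is no integrity check on a script that will run as root, so the URLs should at least be https, and a header comment should say where the two files are expected to come from.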
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+## check if ldapsearch is installed
+if ! which ldapsearch >> /dev/null; then
+ if ! apt-get install -y -qq ldap-utils >> /dev/null; then
+ echo "Failed to install ldap-utils"
+ exit 1
+ fi
+fi
+
+DRY_RUN=false
+if [ "$1" == "-n" ]; then
+ DRY_RUN=true
+fi
+
+sunetEmpl="leif leifj lundberg linus per john"
+ignoreList="ndn-eduix nunoc"
+for userHome in /home/*; do
+ user=$(basename "$userHome")
+ keys_raw=$(/usr/bin/ldapsearch -o nettimeout=5 -o ldif-wrap=no -LLL -x -H "ldap://ldap1.nordu.net" -b "ou=people,dc=nordu,dc=net" "(&(employeeType=employee)(memberof=cn=ndn-sysadmin,ou=groups,dc=nordu,dc=net)(sshPublicKey=*)(uid=$user))" sshPublicKey)
+ search_status=$?
+
+ if [ "$search_status" -ne 0 ]; then
+ echo "Ldap search failed for $user with status $search_status, ignoring"
+ continue
+ fi
+
+ keys=$(echo "$keys_raw" | grep '^sshPublicKey' | cut -f 2- -d' ')
+ authorized_keys="/home/$user/.ssh/authorized_keys"
+ if grep -q "$user" <<< "$sunetEmpl"; then
+ # skip SUNET people
+ keys=""
+ fi
+ if grep -q "$user" <<< "$ignoreList"; then
+ # skip certain users
+ continue
+ fi
+ if [ -n "$keys" ]; then
+ # write authorized_keys
+ if $DRY_RUN; then
+ echo "$user"
+ else
+ echo "$keys" > "$authorized_keys"
+ fi
+ else
+ # blank authorized_keys
+ if $DRY_RUN; then
+ echo "!$user"
+ else
+ echo "" > "$authorized_keys"
+ fi
+ fi
+done
|
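Review bot: `grep -q "$user" <<< "$sunetEmpl"` and the matching `ignoreList` test are unanchored substring (regex) matches, not whole-word matches, so a home directory whose name is a substring of a listed name is treated as that entry — a user `lin` would match `linus` and have their authorized_keys blanked, and `nun` would be silently skipped as `nunoc`. A fixed whole-word test such as `if [[ " $sunetEmpl " == *" $user "* ]]; then` (and the same for `ignoreList`) removes both the substring and the regex-metacharacter problem. The two `echo ... > "$authorized_keys"` writes are done as root into a directory the user owns and follow whatever `authorized_keys` currently is, so a user who replaces it with a symlink redirects root's write; checking that `/home/$user/.ssh` is a real directory and that the target is not a symlink (`[ -L "$authorized_keys" ]`) before writing, or writing to a temp file in that directory and renaming over it, closes that. Separately, `grep '^sshPublicKey'` also matches LDIF's base64 form `sshPublicKey::`, in which case the base64 text rather than the key would be installed; `grep '^sshPublicKey: '` restricts the match to plain values. `which` should be `command -v`, and `>> /dev/null` is an odd spelling of `> /dev/null`.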
