summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStephen Hemminger <stephen.hemminger@vyatta.com>2009-12-03 12:23:38 -0800
committerStephen Hemminger <stephen.hemminger@vyatta.com>2009-12-03 12:23:38 -0800
commita907683b2f0b69581bc8c770020702c18e112e87 (patch)
treeb7ae6a06d0f6bdffdf259f582275456867eb175a
parent102bab7843f56b9b8c43bac5690d9afd5f894737 (diff)
parentbb4083fa12386e9417e4dbae38325deb03d821e7 (diff)
downloadvyatta-cfg-quagga-a907683b2f0b69581bc8c770020702c18e112e87.tar.gz
vyatta-cfg-quagga-a907683b2f0b69581bc8c770020702c18e112e87.zip
Merge branch 'kenwood' of 192.168.100.1:git/vyatta-cfg-system into kenwood
-rwxr-xr-xlib/Vyatta/Login/User.pm65
-rw-r--r--templates/service/ssh/allow-root/node.def15
-rw-r--r--templates/service/ssh/disable-password-authentication/node.def5
-rw-r--r--templates/service/ssh/password-authentication/node.def14
-rw-r--r--templates/system/login/user/node.tag/authorized-keys/node.def16
-rw-r--r--templates/system/login/user/node.tag/authorized-keys/node.tag/description/node.def2
-rw-r--r--templates/system/login/user/node.tag/authorized-keys/node.tag/key-type/node.def4
7 files changed, 85 insertions, 36 deletions
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index cca84636..f6706e4e 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -96,7 +96,6 @@ sub _protected_users {
return @protected;
}
-
# make list of vyatta users (ie. users of vbash)
sub _vyatta_users {
my @vusers;
@@ -113,6 +112,48 @@ sub _vyatta_users {
return @vusers;
}
+sub set_authorized_keys {
+ my $user = shift;
+ my $config = new Vyatta::Config;
+ $config->setLevel("system login user $user authorized-keys");
+ my @keys = $config->listNodes();
+ return unless @keys;
+
+ # ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire)
+ # = getpw*
+ my (undef, undef, $uid, $gid, undef, undef, undef, $home)
+ = getpwnam($user);
+ return unless $home;
+ return unless -d $home;
+
+ my $sshdir = "$home/.ssh";
+ unless (-d $sshdir) {
+ mkdir $sshdir;
+ chown ($uid, $gid, $sshdir);
+ }
+
+ my $auth;
+ unless (open (my $auth, "$sshdir/authorized_keys")) {
+ warn "open $sshdir/authorized_keys failed: $!";
+ return;
+ }
+
+ select $auth;
+ print "# Automatically generated by Vyatta configuration\n";
+ print "# Do not edit, all changes will be lost\n";
+ foreach my $key (@keys) {
+ my $type = $config->returnValue("$key key-type");
+ print "$type $key";
+
+ my $comment = $config->returnValue("$key description");
+ print " $comment" if $comment;
+
+ print "\n";
+ }
+ select STDOUT;
+ close $auth;
+}
+
sub update {
my $membership = get_groups();
my $uconfig = new Vyatta::Config;
@@ -175,19 +216,23 @@ sub update {
&& $og_str eq $ng_str) {
# If no part of password or group file changed
# then there is nothing to do here.
- next;
+ $cmd = undef;
} else {
$cmd = "usermod";
}
- $cmd .= " -p '$pwd'";
- $cmd .= " -c \"$fname\"" if ( defined $fname );
- $cmd .= " -d \"$home\"" if ( defined $home );
- $cmd .= ' -G ' . join( ',', @new_groups );
- system("sudo $cmd $user");
- next if ( $? == 0 );
- my $reason = $reasons{ ( $? >> 8 ) };
- die "Attempt to change user $user failed: $reason\n";
+ if (defined $cmd) {
+ $cmd .= " -p '$pwd'";
+ $cmd .= " -c \"$fname\"" if ( defined $fname );
+ $cmd .= " -d \"$home\"" if ( defined $home );
+ $cmd .= ' -G ' . join( ',', @new_groups );
+ system("sudo $cmd $user");
+ next if ( $? == 0 );
+ my $reason = $reasons{ ( $? >> 8 ) };
+ die "Attempt to change user $user failed: $reason\n";
+ }
+
+ set_authorized_keys($user);
}
}
diff --git a/templates/service/ssh/allow-root/node.def b/templates/service/ssh/allow-root/node.def
index 25a5a97a..1c56d221 100644
--- a/templates/service/ssh/allow-root/node.def
+++ b/templates/service/ssh/allow-root/node.def
@@ -1,14 +1,5 @@
-type: bool
-default: false
-help: Enable/disable root login over ssh
-update: if [ "$VAR(@)" == "true" ];
- then regex='/^PermitRootLogin/s/no/yes/'
- else regex='/^PermitRootLogin/s/yes/no/'
- fi
- sudo sed -i -e "$regex" /etc/ssh/sshd_config
+help: Enable root login over ssh
-comp_help: possible completions:
- true Enable root login over ssh
- false Disable root login over ssh
+update: sudo sed -i -e '/^PermitRootLogin/s/no/yes/' /etc/ssh/sshd_config
-allowed: echo "true false"
+delete: sudo sed -i -e '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/disable-password-authentication/node.def b/templates/service/ssh/disable-password-authentication/node.def
new file mode 100644
index 00000000..59abacfc
--- /dev/null
+++ b/templates/service/ssh/disable-password-authentication/node.def
@@ -0,0 +1,5 @@
+help: Don't allow unknown user to login with password
+
+update: sudo sed -i -e '/^PasswordAuthentication/s/yes/no/' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^PasswordAuthentication/s/no/yes/' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/password-authentication/node.def b/templates/service/ssh/password-authentication/node.def
deleted file mode 100644
index c17dd47c..00000000
--- a/templates/service/ssh/password-authentication/node.def
+++ /dev/null
@@ -1,14 +0,0 @@
-type: bool
-default: true
-help: Allow user's to login with password
-update: if [ "$VAR(@)" == "true" ];
- then regex='/^PasswordAuthentication/s/no/yes/'
- else regex='/^PasswordAuthentication/s/yes/no/'
- fi
- sudo sed -i -e "$regex" /etc/ssh/sshd_config
-
-comp_help: possible completions:
- true Allow authentication with password
- false Disable authentication with password (secure)
-
-allowed: echo "true false"
diff --git a/templates/system/login/user/node.tag/authorized-keys/node.def b/templates/system/login/user/node.tag/authorized-keys/node.def
new file mode 100644
index 00000000..4ca232f8
--- /dev/null
+++ b/templates/system/login/user/node.tag/authorized-keys/node.def
@@ -0,0 +1,16 @@
+tag:
+type: txt
+help: Set public keys for authorized login
+
+syntax:expression: pattern $VAR(@) "^[0-9A-Za-z+/=]*$" ; "Invalid public key not base-64"
+
+commit:expression: $VAR(key-type) != "" ; "key-type must be specified"
+
+comp_help:
+ Public key of remote user allowed to login without password
+ The key must be encode as base-64 text string. The key is usually
+ several hundred bytes long (because of the size of the public key
+ encoding). You don't want to type them in; instead, use the
+ script ssh-load-key to set them.
+
+
diff --git a/templates/system/login/user/node.tag/authorized-keys/node.tag/description/node.def b/templates/system/login/user/node.tag/authorized-keys/node.tag/description/node.def
new file mode 100644
index 00000000..7c81ff12
--- /dev/null
+++ b/templates/system/login/user/node.tag/authorized-keys/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Ssh public-key description (usually user@host)
diff --git a/templates/system/login/user/node.tag/authorized-keys/node.tag/key-type/node.def b/templates/system/login/user/node.tag/authorized-keys/node.tag/key-type/node.def
new file mode 100644
index 00000000..54482824
--- /dev/null
+++ b/templates/system/login/user/node.tag/authorized-keys/node.tag/key-type/node.def
@@ -0,0 +1,4 @@
+type: txt
+help: Public key type
+allowed: echo "ssh-dsa ssh-rsa"
+syntax:expression: $VAR(@) in "ssh-rsa", "ssh-dsa"