7 files changed, 85 insertions, 36 deletions
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index cca84636..f6706e4e 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -96,7 +96,6 @@ sub _protected_users {
 return @protected;
 }
-
 
 # make list of vyatta users (ie. users of vbash)
 sub _vyatta_users {
 my @vusers;
@@ -113,6 +112,48 @@ sub _vyatta_users {
 return @vusers;
 }
 
+sub set_authorized_keys {
+ my $user = shift;
+ my $config = new Vyatta::Config;
+ $config->setLevel("system login user $user authorized-keys");
+ my @keys = $config->listNodes();
+ return unless @keys;
+
+ # ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell,$expire)
+ # = getpw*
+ my (undef, undef, $uid, $gid, undef, undef, undef, $home)
+ = getpwnam($user);
+ return unless $home;
+ return unless -d $home;
+
+ my $sshdir = "$home/.ssh";
+ unless (-d $sshdir) {
+ mkdir $sshdir;
+ chown ($uid, $gid, $sshdir);
+ }
+
+ my $auth;
+ unless (open (my $auth, "$sshdir/authorized_keys")) {
+ warn "open $sshdir/authorized_keys failed: $!";
+ return;
+ }
+
+ select $auth;
+ print "# Automatically generated by Vyatta configuration\n";
+ print "# Do not edit, all changes will be lost\n";
+ foreach my $key (@keys) {
+ my $type = $config->returnValue("$key key-type");
+ print "$type $key";
+
+ my $comment = $config->returnValue("$key description");
+ print " $comment" if $comment;
+
+ print "\n";
+ }
+ select STDOUT;
+ close $auth;
+}
+
 sub update {
 my $membership = get_groups();
 my $uconfig = new Vyatta::Config;
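Review bot: `unless (open (my $auth, "$sshdir/authorized_keys"))` in set_authorized_keys opens the file two-arg, i.e. read-only, and its inner `my $auth` shadows the `my $auth;` declared just above, so `select $auth` sees an undefined handle and no key line is ever written to the file; the open needs an explicit `'>'` mode and a single handle declaration. The early `return unless @keys;` also means that deleting a user's last key leaves the previously generated authorized_keys in place, so a revoked key keeps granting access — when the list is empty the generated file should be removed (its own header says it is fully owned by the configuration). `mkdir $sshdir` is created under the process umask and the file is never chowned or chmodded, so `.ssh` should be created `0700` and the file set to `0600` and owned by the user, or sshd's StrictModes will ignore it; because the rest of this module shells out through sudo, it is worth confirming this code runs with enough privilege to create files in another user's home, and `mkdir`/`close` failures should at least be warned about rather than ignored. The rewrite below prints through the handle instead of `select`, so STDOUT is never left unselected.
```perl
sub set_authorized_keys {
    # … unchanged: config lookup into @keys (without the early `return unless @keys;`), getpwnam, -d $home checks …
    my $sshdir   = "$home/.ssh";
    my $authfile = "$sshdir/authorized_keys";

    # last key deleted: drop the generated file so revoked keys stop working
    unless (@keys) {
        unlink $authfile;
        return;
    }

    unless (-d $sshdir) {
        mkdir $sshdir, 0700 or do { warn "mkdir $sshdir failed: $!"; return };
        chown $uid, $gid, $sshdir;
    }

    open my $auth, '>', $authfile
        or do { warn "open $authfile failed: $!"; return };
    print {$auth} "# Automatically generated by Vyatta configuration\n";
    print {$auth} "# Do not edit, all changes will be lost\n";
    foreach my $key (@keys) {
        my $type    = $config->returnValue("$key key-type");
        my $comment = $config->returnValue("$key description");
        print {$auth} "$type $key", ( $comment ? " $comment" : '' ), "\n";
    }
    close $auth or warn "close $authfile failed: $!";
    chmod 0600, $authfile;
    chown $uid, $gid, $authfile;
}
```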
@@ -175,19 +216,23 @@ sub update {
 && $og_str eq $ng_str) {
 # If no part of password or group file changed
 # then there is nothing to do here.
- next;
+ $cmd = undef;
 } else {
 $cmd = "usermod";
 }
 
- $cmd .= " -p '$pwd'";
- $cmd .= " -c \"$fname\"" if ( defined $fname );
- $cmd .= " -d \"$home\"" if ( defined $home );
- $cmd .= ' -G ' . join( ',', @new_groups );
- system("sudo $cmd $user");
- next if ( $? == 0 );
- my $reason = $reasons{ ( $? >> 8 ) };
- die "Attempt to change user $user failed: $reason\n";
+ if (defined $cmd) {
+ $cmd .= " -p '$pwd'";
+ $cmd .= " -c \"$fname\"" if ( defined $fname );
+ $cmd .= " -d \"$home\"" if ( defined $home );
+ $cmd .= ' -G ' . join( ',', @new_groups );
+ system("sudo $cmd $user");
+ next if ( $? == 0 );
+ my $reason = $reasons{ ( $? >> 8 ) };
+ die "Attempt to change user $user failed: $reason\n";
+ }
+
+ set_authorized_keys($user);
 }
 }
 
diff --git a/templates/service/ssh/allow-root/node.def b/templates/service/ssh/allow-root/node.def
index 25a5a97a..1c56d221 100644
--- a/templates/service/ssh/allow-root/node.def
+++ b/templates/service/ssh/allow-root/node.def
@@ -1,14 +1,5 @@
-type: bool
-default: false
-help: Enable/disable root login over ssh
-update: if [ "$VAR(@)" == "true" ];
- then regex='/^PermitRootLogin/s/no/yes/'
- else regex='/^PermitRootLogin/s/yes/no/'
- fi
- sudo sed -i -e "$regex" /etc/ssh/sshd_config
+help: Enable root login over ssh
 
-comp_help: possible completions:
- true Enable root login over ssh
- false Disable root login over ssh
+update: sudo sed -i -e '/^PermitRootLogin/s/no/yes/' /etc/ssh/sshd_config
 
-allowed: echo "true false"
+delete: sudo sed -i -e '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/disable-password-authentication/node.def b/templates/service/ssh/disable-password-authentication/node.def
new file mode 100644
index 00000000..59abacfc
--- /dev/null
+++ b/templates/service/ssh/disable-password-authentication/node.def
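Review bot: `next if ( $? == 0 );` inside the new `if (defined $cmd)` block jumps to the next user as soon as usermod succeeds, so the `set_authorized_keys($user);` added below it only runs when the account record was unchanged — a user whose password, groups or home were just modified never gets its keys written. Replace that line with `unless ( $? == 0 ) {` and close the block after the `die`, so the failure path is unchanged and the key update is reached on success. Since these lines are being rewritten anyway, note that `system("sudo $cmd $user")` still interpolates `$pwd`, `$fname` and `$home` into a shell string; building the arguments as a list and calling list-form `system('sudo', @args)` would avoid the quoting problems a hash or name containing `'` or `"` causes. sub update begins and ends outside this hunk.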
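Review bot: The new `update:` action `'/^PermitRootLogin/s/no/yes/'` only rewrites a line whose current value contains the substring `no`, so an sshd_config that reads `PermitRootLogin prohibit-password` or `PermitRootLogin without-password` is left untouched and enabling the node silently has no effect; the `delete:` side has the mirror problem, and a commented-out `#PermitRootLogin` line is never matched by either. Rewriting the whole value is independent of what is there now: `update: sudo sed -i -e 's/^PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config` and `delete: sudo sed -i -e 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config`. The same substring substitutions are used for `PasswordAuthentication` in the new disable-password-authentication node.def and should be changed the same way. Neither action reloads sshd; if that is handled by a parent node it is fine, otherwise the edit does not take effect until the daemon restarts.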
@@ -0,0 +1,5 @@
+help: Don't allow unknown user to login with password
+
+update: sudo sed -i -e '/^PasswordAuthentication/s/yes/no/' /etc/ssh/sshd_config
+
+delete: sudo sed -i -e '/^PasswordAuthentication/s/no/yes/' /etc/ssh/sshd_config
diff --git a/templates/service/ssh/password-authentication/node.def b/templates/service/ssh/password-authentication/node.def
deleted file mode 100644
index c17dd47c..00000000
--- a/templates/service/ssh/password-authentication/node.def
+++ /dev/null
@@ -1,14 +0,0 @@
-type: bool
-default: true
-help: Allow user's to login with password
-update: if [ "$VAR(@)" == "true" ];
- then regex='/^PasswordAuthentication/s/no/yes/'
- else regex='/^PasswordAuthentication/s/yes/no/'
- fi
- sudo sed -i -e "$regex" /etc/ssh/sshd_config
-
-comp_help: possible completions:
- true Allow authentication with password
- false Disable authentication with password (secure)
-
-allowed: echo "true false"
diff --git a/templates/system/login/user/node.tag/authorized-keys/node.def b/templates/system/login/user/node.tag/authorized-keys/node.def
new file mode 100644
index 00000000..4ca232f8
--- /dev/null
+++ b/templates/system/login/user/node.tag/authorized-keys/node.def
@@ -0,0 +1,16 @@
+tag:
+type: txt
+help: Set public keys for authorized login
+
+syntax:expression: pattern $VAR(@) "^[0-9A-Za-z+/=]*$" ; "Invalid public key not base-64"
+
+commit:expression: $VAR(key-type) != "" ; "key-type must be specified"
+
+comp_help:
+ Public key of remote user allowed to login without password
+ The key must be encode as base-64 text string. The key is usually
+ several hundred bytes long (because of the size of the public key
+ encoding). You don't want to type them in; instead, use the
+ script ssh-load-key to set them.
+
+
diff --git a/templates/system/login/user/node.tag/authorized-keys/node.tag/description/node.def b/templates/system/login/user/node.tag/authorized-keys/node.tag/description/node.def
new file mode 100644
index 00000000..7c81ff12
--- /dev/null
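Review bot: The pattern `"^[0-9A-Za-z+/=]*$"` accepts an empty tag value, and because the tag value is the key body that set_authorized_keys in User.pm writes as the second field of each authorized_keys line, an empty key yields a malformed entry such as `ssh-rsa  user@host`; `"^[0-9A-Za-z+/]+=*$"` rejects the empty case and also only allows `=` padding at the end of the string. In comp_help, `must be encode as` should read `must be encoded as`.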
+++ b/templates/system/login/user/node.tag/authorized-keys/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Ssh public-key description (usually user@host)
diff --git a/templates/system/login/user/node.tag/authorized-keys/node.tag/key-type/node.def b/templates/system/login/user/node.tag/authorized-keys/node.tag/key-type/node.def
new file mode 100644
index 00000000..54482824
--- /dev/null
+++ b/templates/system/login/user/node.tag/authorized-keys/node.tag/key-type/node.def
@@ -0,0 +1,4 @@
+type: txt
+help: Public key type
+allowed: echo "ssh-dsa ssh-rsa"
+syntax:expression: $VAR(@) in "ssh-rsa", "ssh-dsa" |
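Review bot: `description` is declared `type: txt` with no `syntax:expression:`, yet set_authorized_keys in User.pm appends its value verbatim to the end of the key's line in authorized_keys, so a value containing a line break or other characters sshd treats specially reaches the file unchecked. Constrain it to a single line of plain text, for example `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9@._-]+$" ; "Invalid description"` (the exact class is a suggestion; the point is to exclude line breaks and leading whitespace, matching the `user@host` shape the help text describes).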
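Review bot: `ssh-dsa` is not an OpenSSH key-type identifier — DSA keys are written as `ssh-dss` in authorized_keys — so a key configured with this type is emitted by set_authorized_keys as `ssh-dsa <key>` and is never matched by sshd. Change both lines to `allowed: echo "ssh-dss ssh-rsa"` and `syntax:expression: $VAR(@) in "ssh-rsa", "ssh-dss"`, and consider saying in `help:` that DSA keys use the `ssh-dss` identifier so users do not reach for the more natural spelling.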