| 1 |
commit: fd568c0975ab6ef95dc75af7d888cdfa4177c374 |
| 2 |
Author: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Sat Jan 2 23:28:07 2016 +0000 |
| 4 |
Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sat Jan 2 23:29:29 2016 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd568c09 |
| 7 |
|
| 8 |
net-nds/nsscache: backport LDAP fix, add safe AuthorizedKeysCommand (upstream example has security issue). |
| 9 |
|
| 10 |
Package-Manager: portage-2.2.24 |
| 11 |
|
| 12 |
net-nds/nsscache/files/authorized-keys-command.py | 52 ++++++++++++++++++++++ |
| 13 |
net-nds/nsscache/files/nsscache-0.30-ldapssh.patch | 41 +++++++++++++++++ |
| 14 |
net-nds/nsscache/nsscache-0.30-r1.ebuild | 46 +++++++++++++++++++ |
| 15 |
3 files changed, 139 insertions(+) |
| 16 |
|
| 17 |
diff --git a/net-nds/nsscache/files/authorized-keys-command.py b/net-nds/nsscache/files/authorized-keys-command.py |
| 18 |
new file mode 100644 |
| 19 |
index 0000000..085be71 |
| 20 |
--- /dev/null |
| 21 |
+++ b/net-nds/nsscache/files/authorized-keys-command.py |
| 22 |
@@ -0,0 +1,52 @@ |
| 23 |
+#!/usr/bin/python |
| 24 |
+# vim: ts=4 sts=4 et: |
| 25 |
+# pylint: disable=invalid-name |
| 26 |
+""" |
| 27 |
+OpenSSH AuthorizedKeysCommand: NSSCache input |
| 28 |
+Copyright 2016 Gentoo Foundation |
| 29 |
+Distributed is distributed under the BSD license. |
| 30 |
+ |
| 31 |
+This script returns one or more authorized keys for use by SSH, by extracting |
| 32 |
+them from a local cache file /etc/sshkey.cache. |
| 33 |
+ |
| 34 |
+Two variants are supported, based on the existing nsscache code: |
| 35 |
+Format 1: |
| 36 |
+ username:key1 |
| 37 |
+ username:key2 |
| 38 |
+Format 2: |
| 39 |
+ username:['key1', 'key2'] |
| 40 |
+ |
| 41 |
+Ensure this script is mentioned in the sshd_config like so: |
| 42 |
+AuthorizedKeysCommand /path/to/nsscache/authorized-keys-command.py |
| 43 |
+""" |
| 44 |
+from __future__ import print_function |
| 45 |
+from ast import literal_eval |
| 46 |
+from os.path import basename |
| 47 |
+import sys |
| 48 |
+import errno |
| 49 |
+ |
| 50 |
+SSHKEY_CACHE = '/etc/sshkey.cache' |
| 51 |
+ |
| 52 |
+if __name__ == "__main__": |
| 53 |
+ if len(sys.argv) != 2: |
| 54 |
+ sys.exit("Usage: %s %s" % (basename(sys.argv[0]), 'USERNAME')) |
| 55 |
+ |
| 56 |
+ try: |
| 57 |
+ with open(SSHKEY_CACHE, 'r') as f: |
| 58 |
+ for line in f: |
| 59 |
+ (username, key) = line.split(':', 1) |
| 60 |
+ if username != sys.argv[1]: |
| 61 |
+ continue |
| 62 |
+ key = key.strip() |
| 63 |
+ if key.startswith("[") and key.endswith("]"): |
| 64 |
+ # Python array |
| 65 |
+ for i in literal_eval(key): |
| 66 |
+ print(i.strip()) |
| 67 |
+ else: |
| 68 |
+ # Raw key |
| 69 |
+ print(key) |
| 70 |
+ except IOError as err: |
| 71 |
+ if err.errno in [errno.EPERM, errno.ENOENT]: |
| 72 |
+ pass |
| 73 |
+ else: |
| 74 |
+ raise err |
| 75 |
|
| 76 |
diff --git a/net-nds/nsscache/files/nsscache-0.30-ldapssh.patch b/net-nds/nsscache/files/nsscache-0.30-ldapssh.patch |
| 77 |
new file mode 100644 |
| 78 |
index 0000000..59adde1 |
| 79 |
--- /dev/null |
| 80 |
+++ b/net-nds/nsscache/files/nsscache-0.30-ldapssh.patch |
| 81 |
@@ -0,0 +1,41 @@ |
| 82 |
+From cc0f2d7485205d6f9b8c434cb0da292e12448216 Mon Sep 17 00:00:00 2001 |
| 83 |
+From: Thomas Glanzmann <thomas@×××××××××.de> |
| 84 |
+Date: Wed, 2 Sep 2015 17:01:40 +0200 |
| 85 |
+Subject: [PATCH] Provider parameter when calling SshkeyUpdateGetter in order |
| 86 |
+ to fix sshkey |
| 87 |
+ |
| 88 |
+Without this change retrieving the map sshkey results in the following exception: |
| 89 |
+ |
| 90 |
+(localhost) [~/work/nsscache] nsscache update |
| 91 |
+Traceback (most recent call last): |
| 92 |
+ File "/usr/bin/nsscache", line 33, in <module> |
| 93 |
+ return_value = nsscache_app.Run(sys.argv[1:], os.environ) |
| 94 |
+ File "/usr/lib/python2.6/site-packages/nss_cache/app.py", line 240, in Run |
| 95 |
+ retval = command_callable().Run(conf=conf, args=args) |
| 96 |
+ File "/usr/lib/python2.6/site-packages/nss_cache/command.py", line 230, in Run |
| 97 |
+ force_lock=options.force_lock) |
| 98 |
+ File "/usr/lib/python2.6/site-packages/nss_cache/command.py", line 303, in UpdateMaps |
| 99 |
+ force_write=force_write) |
| 100 |
+ File "/usr/lib/python2.6/site-packages/nss_cache/update/updater.py", line 265, in UpdateFromSource |
| 101 |
+ force_write, location=None) |
| 102 |
+ File "/usr/lib/python2.6/site-packages/nss_cache/update/map_updater.py", line 75, in UpdateCacheFromSource |
| 103 |
+ location=location) |
| 104 |
+ File "/usr/lib/python2.6/site-packages/nss_cache/sources/source.py", line 65, in GetMap |
| 105 |
+ return self.GetSshkeyMap(since) |
| 106 |
+ File "/usr/lib/python2.6/site-packages/nss_cache/sources/ldapsource.py", line 274, in GetSshkeyMap |
| 107 |
+ return SshkeyUpdateGetter().GetUpdates(source=self, |
| 108 |
+TypeError: __init__() takes exactly 2 arguments (1 given) |
| 109 |
+ |
| 110 |
+diff --git a/nss_cache/sources/ldapsource.py b/nss_cache/sources/ldapsource.py |
| 111 |
+index 2af170e..5ffea81 100644 |
| 112 |
+--- a/nss_cache/sources/ldapsource.py |
| 113 |
++++ b/nss_cache/sources/ldapsource.py |
| 114 |
+@@ -271,7 +271,7 @@ class LdapSource(source.Source): |
| 115 |
+ Returns: |
| 116 |
+ instance of maps.SshkeyMap |
| 117 |
+ """ |
| 118 |
+- return SshkeyUpdateGetter().GetUpdates(source=self, |
| 119 |
++ return SshkeyUpdateGetter(self.conf).GetUpdates(source=self, |
| 120 |
+ search_base=self.conf['base'], |
| 121 |
+ search_filter=self.conf['filter'], |
| 122 |
+ search_scope=self.conf['scope'], |
| 123 |
|
| 124 |
diff --git a/net-nds/nsscache/nsscache-0.30-r1.ebuild b/net-nds/nsscache/nsscache-0.30-r1.ebuild |
| 125 |
new file mode 100644 |
| 126 |
index 0000000..e34e87b |
| 127 |
--- /dev/null |
| 128 |
+++ b/net-nds/nsscache/nsscache-0.30-r1.ebuild |
| 129 |
@@ -0,0 +1,46 @@ |
| 130 |
+# Copyright 1999-2015 Gentoo Foundation |
| 131 |
+# Distributed under the terms of the GNU General Public License v2 |
| 132 |
+# $Id$ |
| 133 |
+ |
| 134 |
+EAPI=5 |
| 135 |
+PYTHON_COMPAT=( python2_7 ) |
| 136 |
+ |
| 137 |
+inherit eutils distutils-r1 |
| 138 |
+ |
| 139 |
+DESCRIPTION="commandline tool to sync directory services to local cache" |
| 140 |
+HOMEPAGE="https://github.com/google/nsscache" |
| 141 |
+SRC_URI="https://github.com/google/nsscache/archive/version/${PV}.tar.gz -> ${P}.tar.gz" |
| 142 |
+ |
| 143 |
+LICENSE="GPL-2" |
| 144 |
+SLOT="0" |
| 145 |
+KEYWORDS="~amd64 ~x86" |
| 146 |
+REQUIRED_USE="${PYTHON_REQUIRED_USE}" |
| 147 |
+IUSE="nssdb nsscache" |
| 148 |
+ |
| 149 |
+DEPEND="${PYTHON_DEPS} |
| 150 |
+ dev-python/python-ldap[${PYTHON_USEDEP}] |
| 151 |
+ dev-python/pycurl[${PYTHON_USEDEP}] |
| 152 |
+ dev-python/bsddb3[${PYTHON_USEDEP}]" |
| 153 |
+RDEPEND="${DEPEND} |
| 154 |
+ nssdb? ( sys-libs/nss-db ) |
| 155 |
+ nsscache? ( >=sys-auth/libnss-cache-0.10 )" |
| 156 |
+RESTRICT="test" |
| 157 |
+S="${WORKDIR}/${PN}-version-${PV}" |
| 158 |
+ |
| 159 |
+src_prepare() { |
| 160 |
+ find "${S}" -name '*.py' -exec \ |
| 161 |
+ sed -i '/^import bsddb$/s,bsddb,bsddb3 as bsddb,g' \ |
| 162 |
+ {} \+ |
| 163 |
+ distutils-r1_src_prepare |
| 164 |
+} |
| 165 |
+ |
| 166 |
+src_install() { |
| 167 |
+ distutils-r1_src_install |
| 168 |
+ |
| 169 |
+ doman nsscache.1 nsscache.conf.5 |
| 170 |
+ dodoc THANKS nsscache.cron CONTRIBUTING.md README.md |
| 171 |
+ exeinto /usr/libexec/nsscache |
| 172 |
+ doexe $FILESDIR/authorized-keys-command.py |
| 173 |
+ |
| 174 |
+ keepdir /var/lib/nsscache |
| 175 |
+} |
Archives