commit: fd568c0975ab6ef95dc75af7d888cdfa4177c374 |
Author: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> |
AuthorDate: Sat Jan 2 23:28:07 2016 +0000 |
Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> |
CommitDate: Sat Jan 2 23:29:29 2016 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd568c09 |
|
net-nds/nsscache: backport LDAP fix, add safe AuthorizedKeysCommand (upstream example has security issue). |
|
Package-Manager: portage-2.2.24 |
|
net-nds/nsscache/files/authorized-keys-command.py | 52 ++++++++++++++++++++++ |
net-nds/nsscache/files/nsscache-0.30-ldapssh.patch | 41 +++++++++++++++++ |
net-nds/nsscache/nsscache-0.30-r1.ebuild | 46 +++++++++++++++++++ |
3 files changed, 139 insertions(+) |
|
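--- /dev/null
+++ b/net-nds/nsscache/files/authorized-keys-command.py
@@ -0,0 +1,52 @@
+#!/usr/bin/python
+# vim: ts=4 sts=4 et:
+# pylint: disable=invalid-name
+"""
+OpenSSH AuthorizedKeysCommand: NSSCache input
+Copyright 2016 Gentoo Foundation
+Distributed is distributed under the BSD license.
+
+This script returns one or more authorized keys for use by SSH, by extracting
+them from a local cache file /etc/sshkey.cache.
+
+Two variants are supported, based on the existing nsscache code:
+Format 1:
+ username:key1
+ username:key2
+Format 2:
+ username:['key1', 'key2']
+
+Ensure this script is mentioned in the sshd_config like so:
+AuthorizedKeysCommand /path/to/nsscache/authorized-keys-command.py
+"""
+from __future__ import print_function
+from ast import literal_eval
+from os.path import basename
+import sys
+import errno
+
+SSHKEY_CACHE = '/etc/sshkey.cache'
+
+if __name__ == "__main__":
+ if len(sys.argv) != 2:
+ sys.exit("Usage: %s %s" % (basename(sys.argv[0]), 'USERNAME'))
+
+ try:
+ with open(SSHKEY_CACHE, 'r') as f:
+ for line in f:
+ (username, key) = line.split(':', 1)
+ if username != sys.argv[1]:
+ continue
+ key = key.strip()
+ if key.startswith("[") and key.endswith("]"):
+ # Python array
+ for i in literal_eval(key):
+ print(i.strip())
+ else:
+ # Raw key
+ print(key)
+ except IOError as err:
+ if err.errno in [errno.EPERM, errno.ENOENT]:
+ pass
+ else:
+ raise err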
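Review bot: The `except IOError` branch at the end of the hunk treats `errno.EPERM` as the permission-denied case, but a failed `open()` on an unreadable `/etc/sshkey.cache` reports `errno.EACCES`, so that error is re-raised and sshd gets a traceback plus a non-zero exit instead of the intended silent "no keys" result; the check should read `if err.errno in (errno.EPERM, errno.EACCES, errno.ENOENT):`. Re-raising with a bare `raise` instead of `raise err` also keeps the original traceback under Python 2. Earlier in the hunk, `(username, key) = line.split(':', 1)` raises ValueError on any cache line without a colon, which aborts key lookup for every user, so a guard such as `if ':' not in line: continue` would keep one malformed line from taking down logins; the `.strip()` inside the `literal_eval` loop likewise assumes every list element is a string.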
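--- /dev/null
+++ b/net-nds/nsscache/files/nsscache-0.30-ldapssh.patch
@@ -0,0 +1,41 @@
+From cc0f2d7485205d6f9b8c434cb0da292e12448216 Mon Sep 17 00:00:00 2001
+From: Thomas Glanzmann <thomas@×××××××××.de>
+Date: Wed, 2 Sep 2015 17:01:40 +0200
+Subject: [PATCH] Provider parameter when calling SshkeyUpdateGetter in order
+ to fix sshkey
+
+Without this change retrieving the map sshkey results in the following exception:
+
+(localhost) [~/work/nsscache] nsscache update
+Traceback (most recent call last):
+ File "/usr/bin/nsscache", line 33, in <module>
+ return_value = nsscache_app.Run(sys.argv[1:], os.environ)
+ File "/usr/lib/python2.6/site-packages/nss_cache/app.py", line 240, in Run
+ retval = command_callable().Run(conf=conf, args=args)
+ File "/usr/lib/python2.6/site-packages/nss_cache/command.py", line 230, in Run
+ force_lock=options.force_lock)
+ File "/usr/lib/python2.6/site-packages/nss_cache/command.py", line 303, in UpdateMaps
+ force_write=force_write)
+ File "/usr/lib/python2.6/site-packages/nss_cache/update/updater.py", line 265, in UpdateFromSource
+ force_write, location=None)
+ File "/usr/lib/python2.6/site-packages/nss_cache/update/map_updater.py", line 75, in UpdateCacheFromSource
+ location=location)
+ File "/usr/lib/python2.6/site-packages/nss_cache/sources/source.py", line 65, in GetMap
+ return self.GetSshkeyMap(since)
+ File "/usr/lib/python2.6/site-packages/nss_cache/sources/ldapsource.py", line 274, in GetSshkeyMap
+ return SshkeyUpdateGetter().GetUpdates(source=self,
+TypeError: __init__() takes exactly 2 arguments (1 given)
+
+diff --git a/nss_cache/sources/ldapsource.py b/nss_cache/sources/ldapsource.py
+index 2af170e..5ffea81 100644
+--- a/nss_cache/sources/ldapsource.py
++++ b/nss_cache/sources/ldapsource.py
+@@ -271,7 +271,7 @@ class LdapSource(source.Source):
+ Returns:
+ instance of maps.SshkeyMap
+ """
+- return SshkeyUpdateGetter().GetUpdates(source=self,
++ return SshkeyUpdateGetter(self.conf).GetUpdates(source=self,
+ search_base=self.conf['base'],
+ search_filter=self.conf['filter'],
+ search_scope=self.conf['scope'],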
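--- /dev/null
+++ b/net-nds/nsscache/nsscache-0.30-r1.ebuild
@@ -0,0 +1,46 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+inherit eutils distutils-r1
+
+DESCRIPTION="commandline tool to sync directory services to local cache"
+HOMEPAGE="https://github.com/google/nsscache"
+SRC_URI="https://github.com/google/nsscache/archive/version/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+IUSE="nssdb nsscache"
+
+DEPEND="${PYTHON_DEPS}
+ dev-python/python-ldap[${PYTHON_USEDEP}]
+ dev-python/pycurl[${PYTHON_USEDEP}]
+ dev-python/bsddb3[${PYTHON_USEDEP}]"
+RDEPEND="${DEPEND}
+ nssdb? ( sys-libs/nss-db )
+ nsscache? ( >=sys-auth/libnss-cache-0.10 )"
+RESTRICT="test"
+S="${WORKDIR}/${PN}-version-${PV}"
+
+src_prepare() {
+ find "${S}" -name '*.py' -exec \
+ sed -i '/^import bsddb$/s,bsddb,bsddb3 as bsddb,g' \
+ {} \+
+ distutils-r1_src_prepare
+}
+
+src_install() {
+ distutils-r1_src_install
+
+ doman nsscache.1 nsscache.conf.5
+ dodoc THANKS nsscache.cron CONTRIBUTING.md README.md
+ exeinto /usr/libexec/nsscache
+ doexe $FILESDIR/authorized-keys-command.py
+
+ keepdir /var/lib/nsscache
+}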
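Review bot: `src_prepare` never applies the `nsscache-0.30-ldapssh.patch` that this commit adds under files/, so the LDAP backport announced in the commit title is not part of the built package; add `epatch "${FILESDIR}/${P}-ldapssh.patch"` before `distutils-r1_src_prepare` (or put the path in the `PATCHES` array that distutils-r1 applies). In `src_install`, `doexe $FILESDIR/authorized-keys-command.py` leaves the variable unquoted; the tree convention is `doexe "${FILESDIR}"/authorized-keys-command.py`. The copyright header still reads 1999-2015 although the commit is dated January 2016.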