authorWilliam A. Kennington III <wak@google.com>2021-03-31 13:16:39 +0300
committerWilliam A. Kennington III <wak@google.com>2021-04-17 01:17:40 +0300
commit920f3c0ffc05f170f65868cd3e448d76c2023e53 (patch)
tree7242f9e751a5f442c49878920e4ca3fc1a53826c /meta-google/recipes-google/ssh/authorized-keys-comp
parent24f5130a0e89073c27f8b7f108d308531c4d5843 (diff)
meta-google: authorized-keys-comp: Add package
This adds a startup routine that compiles an authorized_keys file from multiple locations in the filesystem, allowing for multiple providers without clashing. Change-Id: Ib26e04af42f29d42410154fdd809aa3a525fc9d5 Signed-off-by: William A. Kennington III <wak@google.com>
Diffstat (limited to 'meta-google/recipes-google/ssh/authorized-keys-comp')
-rw-r--r--meta-google/recipes-google/ssh/authorized-keys-comp/authorized-keys-comp.service6
-rw-r--r--meta-google/recipes-google/ssh/authorized-keys-comp/authorized-keys-comp.sh51
2 files changed, 57 insertions, 0 deletions
diff --git a/meta-google/recipes-google/ssh/authorized-keys-comp/authorized-keys-comp.service b/meta-google/recipes-google/ssh/authorized-keys-comp/authorized-keys-comp.service
new file mode 100644
index 0000000000..92f9b2699b
--- /dev/null
+++ b/meta-google/recipes-google/ssh/authorized-keys-comp/authorized-keys-comp.service
@@ -0,0 +1,6 @@
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/authorized-keys-comp.sh
+
+[Install]
+WantedBy=multi-user.target
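Review bot: The unit has no ordering against the SSH daemon that will read `/run/authorized_keys/<user>`, so at boot a login could be attempted before this oneshot has run and the opted-in `authorized_keys` symlink would still dangle; if that daemon is a systemd service, a `[Unit]` section with `Description=Compile per-user authorized_keys` and `Before=<ssh daemon unit>` would pin the order. Which daemon the image uses is not visible on this page, so the unit name above is a placeholder to fill in. Note that `RuntimeDirectory=` would not replace the script's `mkdir -p /run/authorized_keys`, because systemd removes a runtime directory when the oneshot exits and the compiled files need to outlive it.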
diff --git a/meta-google/recipes-google/ssh/authorized-keys-comp/authorized-keys-comp.sh b/meta-google/recipes-google/ssh/authorized-keys-comp/authorized-keys-comp.sh
new file mode 100644
index 0000000000..caff0a7a46
--- /dev/null
+++ b/meta-google/recipes-google/ssh/authorized-keys-comp/authorized-keys-comp.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+shopt -s nullglob
+
+# We want to iterate over all system users, check if they are opted-in to ssh
+# authorized_keys building, and then construct their keyfile
+for user in $(cut -d':' -f1 /etc/passwd); do
+ home="$(eval echo ~$user)" || continue
+ link="$(readlink $home/.ssh/authorized_keys 2>/dev/null)" || continue
+ # Users are only opted-in if they symlink to our well-known directory where
+ # the final output of this script lives.
+ if [ "$link" != "/run/authorized_keys/$user" ]; then
+ echo "Ignoring $user $home/.ssh/authorized_keys" >&2
+ continue
+ fi
+
+ echo "Updating $link" >&2
+ declare -A basemap=()
+ declare -a dirs=(
+ "/usr/share/authorized_keys.d/$user"
+ "$home/.ssh/authorized_keys.d"
+ "/run/authorized_keys.d/$user"
+ )
+ # Build a map that can be used for sorting directories by their priority
+ # and prioritizing the last listed directories over the later ones. We
+ # append a counter to ensure that there is a stable sorting mechanism for
+ # duplicate filenames. Duplicate filenames will be overridden by higher
+ # priority directories.
+ # Ex.
+ # /usr/share/authorized_keys.d/root/10-key
+ # /usr/share/authorized_keys.d/root/15-key
+ # /run/authorized_keys.d/root/10-key
+ # /run/authorized_keys.d/root/20-key
+ # Becomes
+ # ["10-key"]="/run/authorized_keys.d/root/10-key"
+ # ["15-key"]="/usr/share/authorized_keys.d/root/15-key"
+ # ["20-key"]="/run/authorized_keys.d/root/20-key"
+ for dir in "${dirs[@]}"; do
+ for file in "$dir"/*; do
+ basemap["${file##*/}"]="$file"
+ done
+ done
+ rm -f /run/authorized_keys.tmp
+ touch /run/authorized_keys.tmp
+ for key in $(printf "%s\n" "${!basemap[@]}" | sort -r); do
+ echo " Including ${basemap[$key]}" >&2
+ cat "${basemap[$key]}" >>/run/authorized_keys.tmp
+ done
+ mkdir -p /run/authorized_keys
+ mv /run/authorized_keys.tmp /run/authorized_keys/$user
+ chown $user /run/authorized_keys/$user
+done
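Review bot: `home="$(eval echo ~$user)"` runs eval on a field taken from /etc/passwd, and that field and `$user` are later expanded unquoted in `readlink $home/.ssh/authorized_keys`, `mv /run/authorized_keys.tmp /run/authorized_keys/$user` and `chown $user /run/authorized_keys/$user`; the home directory is already a column of the same file, so the `for`/`eval` pair can become `while IFS=: read -r user _ _ _ _ home _; do` reading from `</etc/passwd`, with the remaining expansions double-quoted. The inner `for file in "$dir"/*` loop then has root `cat` every entry it finds, including entries in the user-writable `$home/.ssh/authorized_keys.d`, without checking that the entry is a regular file rather than a symlink or directory; a guard such as `[[ -f "$file" && ! -L "$file" ]] || continue` before the `basemap` assignment limits the compiled output to files the providers actually placed there. The `for key in $(printf "%s\n" "${!basemap[@]}" | sort -r)` loop also word-splits on whitespace, so a key filename containing a space would be split into lookups that miss; `while IFS= read -r key; do … done < <(printf '%s\n' "${!basemap[@]}" | sort -r)` avoids that.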