authorRobin H. Johnson <robbat2@gentoo.org>2016-01-02 15:28:07 -0800
committerRobin H. Johnson <robbat2@gentoo.org>2016-01-02 15:29:29 -0800
commitfd568c0975ab6ef95dc75af7d888cdfa4177c374 (patch)
tree246680d39c5b8a8a0265a3e5b62d21059f738d50 /net-nds
parentlxqt-base/lxqt-panel: backport fix for LXQT issue 871 (diff)
net-nds/nsscache: backport LDAP fix, add safe AuthorizedKeysCommand (upstream example has security issue).
Package-Manager: portage-2.2.24
Diffstat (limited to 'net-nds')
-rw-r--r--net-nds/nsscache/files/authorized-keys-command.py52
-rw-r--r--net-nds/nsscache/files/nsscache-0.30-ldapssh.patch41
-rw-r--r--net-nds/nsscache/nsscache-0.30-r1.ebuild46
3 files changed, 139 insertions, 0 deletions
diff --git a/net-nds/nsscache/files/authorized-keys-command.py b/net-nds/nsscache/files/authorized-keys-command.py
new file mode 100644
index 00000000000..085be71d67c
--- /dev/null
+++ b/net-nds/nsscache/files/authorized-keys-command.py
@@ -0,0 +1,52 @@
+#!/usr/bin/python
+# vim: ts=4 sts=4 et:
+# pylint: disable=invalid-name
+"""
+OpenSSH AuthorizedKeysCommand: NSSCache input
+Copyright 2016 Gentoo Foundation
+Distributed is distributed under the BSD license.
+
+This script returns one or more authorized keys for use by SSH, by extracting
+them from a local cache file /etc/sshkey.cache.
+
+Two variants are supported, based on the existing nsscache code:
+Format 1:
+ username:key1
+ username:key2
+Format 2:
+ username:['key1', 'key2']
+
+Ensure this script is mentioned in the sshd_config like so:
+AuthorizedKeysCommand /path/to/nsscache/authorized-keys-command.py
+"""
+from __future__ import print_function
+from ast import literal_eval
+from os.path import basename
+import sys
+import errno
+
+SSHKEY_CACHE = '/etc/sshkey.cache'
+
+if __name__ == "__main__":
+ if len(sys.argv) != 2:
+ sys.exit("Usage: %s %s" % (basename(sys.argv[0]), 'USERNAME'))
+
+ try:
+ with open(SSHKEY_CACHE, 'r') as f:
+ for line in f:
+ (username, key) = line.split(':', 1)
+ if username != sys.argv[1]:
+ continue
+ key = key.strip()
+ if key.startswith("[") and key.endswith("]"):
+ # Python array
+ for i in literal_eval(key):
+ print(i.strip())
+ else:
+ # Raw key
+ print(key)
+ except IOError as err:
+ if err.errno in [errno.EPERM, errno.ENOENT]:
+ pass
+ else:
+ raise err
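Review bot: A malformed cache line — a blank or trailing line with no `:`, or a bracketed value that is not a valid Python literal — raises ValueError/SyntaxError out of the `for line in f` loop, so one bad entry in /etc/sshkey.cache makes the command fail for every user, not only the one whose entry is broken; sshd treats the non-zero exit as "no keys", so the result is fail-closed but also a host-wide lockout. The loop should skip lines it cannot parse and print only string items from a list, as below. A smaller point: `open()` reports a permission denial as EACCES, not EPERM, so the EPERM branch will rarely match and an unreadable cache will produce a traceback rather than the quiet "no keys" the except clause intends. The docstring should also say that sshd requires `AuthorizedKeysCommandUser` to be set alongside `AuthorizedKeysCommand` and that the cache file must be readable by that user, and the line `Distributed is distributed under the BSD license.` has a stray word.
```python
            for line in f:
                # Skip blank or malformed lines instead of aborting the
                # whole lookup on an unpack error.
                if ':' not in line:
                    continue
                (username, key) = line.split(':', 1)
                if username != sys.argv[1]:
                    continue
                key = key.strip()
                if key.startswith("[") and key.endswith("]"):
                    # Python array; a corrupt entry must not take every
                    # other entry down with it.
                    try:
                        keys = literal_eval(key)
                    except (ValueError, SyntaxError):
                        continue
                    for i in keys:
                        if isinstance(i, str):
                            print(i.strip())
                else:
                    # … unchanged: raw key branch …
```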
diff --git a/net-nds/nsscache/files/nsscache-0.30-ldapssh.patch b/net-nds/nsscache/files/nsscache-0.30-ldapssh.patch
new file mode 100644
index 00000000000..59adde1eac0
--- /dev/null
+++ b/net-nds/nsscache/files/nsscache-0.30-ldapssh.patch
@@ -0,0 +1,41 @@
+From cc0f2d7485205d6f9b8c434cb0da292e12448216 Mon Sep 17 00:00:00 2001
+From: Thomas Glanzmann <thomas@glanzmann.de>
+Date: Wed, 2 Sep 2015 17:01:40 +0200
+Subject: [PATCH] Provider parameter when calling SshkeyUpdateGetter in order
+ to fix sshkey
+
+Without this change retrieving the map sshkey results in the following exception:
+
+(localhost) [~/work/nsscache] nsscache update
+Traceback (most recent call last):
+ File "/usr/bin/nsscache", line 33, in <module>
+ return_value = nsscache_app.Run(sys.argv[1:], os.environ)
+ File "/usr/lib/python2.6/site-packages/nss_cache/app.py", line 240, in Run
+ retval = command_callable().Run(conf=conf, args=args)
+ File "/usr/lib/python2.6/site-packages/nss_cache/command.py", line 230, in Run
+ force_lock=options.force_lock)
+ File "/usr/lib/python2.6/site-packages/nss_cache/command.py", line 303, in UpdateMaps
+ force_write=force_write)
+ File "/usr/lib/python2.6/site-packages/nss_cache/update/updater.py", line 265, in UpdateFromSource
+ force_write, location=None)
+ File "/usr/lib/python2.6/site-packages/nss_cache/update/map_updater.py", line 75, in UpdateCacheFromSource
+ location=location)
+ File "/usr/lib/python2.6/site-packages/nss_cache/sources/source.py", line 65, in GetMap
+ return self.GetSshkeyMap(since)
+ File "/usr/lib/python2.6/site-packages/nss_cache/sources/ldapsource.py", line 274, in GetSshkeyMap
+ return SshkeyUpdateGetter().GetUpdates(source=self,
+TypeError: __init__() takes exactly 2 arguments (1 given)
+
+diff --git a/nss_cache/sources/ldapsource.py b/nss_cache/sources/ldapsource.py
+index 2af170e..5ffea81 100644
+--- a/nss_cache/sources/ldapsource.py
++++ b/nss_cache/sources/ldapsource.py
+@@ -271,7 +271,7 @@ class LdapSource(source.Source):
+ Returns:
+ instance of maps.SshkeyMap
+ """
+- return SshkeyUpdateGetter().GetUpdates(source=self,
++ return SshkeyUpdateGetter(self.conf).GetUpdates(source=self,
+ search_base=self.conf['base'],
+ search_filter=self.conf['filter'],
+ search_scope=self.conf['scope'],
diff --git a/net-nds/nsscache/nsscache-0.30-r1.ebuild b/net-nds/nsscache/nsscache-0.30-r1.ebuild
new file mode 100644
index 00000000000..e34e87b6cc7
--- /dev/null
+++ b/net-nds/nsscache/nsscache-0.30-r1.ebuild
@@ -0,0 +1,46 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+inherit eutils distutils-r1
+
+DESCRIPTION="commandline tool to sync directory services to local cache"
+HOMEPAGE="https://github.com/google/nsscache"
+SRC_URI="https://github.com/google/nsscache/archive/version/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+IUSE="nssdb nsscache"
+
+DEPEND="${PYTHON_DEPS}
+ dev-python/python-ldap[${PYTHON_USEDEP}]
+ dev-python/pycurl[${PYTHON_USEDEP}]
+ dev-python/bsddb3[${PYTHON_USEDEP}]"
+RDEPEND="${DEPEND}
+ nssdb? ( sys-libs/nss-db )
+ nsscache? ( >=sys-auth/libnss-cache-0.10 )"
+RESTRICT="test"
+S="${WORKDIR}/${PN}-version-${PV}"
+
+src_prepare() {
+ find "${S}" -name '*.py' -exec \
+ sed -i '/^import bsddb$/s,bsddb,bsddb3 as bsddb,g' \
+ {} \+
+ distutils-r1_src_prepare
+}
+
+src_install() {
+ distutils-r1_src_install
+
+ doman nsscache.1 nsscache.conf.5
+ dodoc THANKS nsscache.cron CONTRIBUTING.md README.md
+ exeinto /usr/libexec/nsscache
+ doexe $FILESDIR/authorized-keys-command.py
+
+ keepdir /var/lib/nsscache
+}
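Review bot: The ldapssh patch added by this commit is never applied: `src_prepare` only runs the bsddb sed and `distutils-r1_src_prepare`, so the LDAP sshkey fix the commit message promises does not reach the installed package, even though `eutils` is inherited for `epatch`. Add `epatch "${FILESDIR}"/${P}-ldapssh.patch` as the first line of `src_prepare`. In `src_install`, `doexe $FILESDIR/authorized-keys-command.py` should quote the variable, `doexe "${FILESDIR}"/authorized-keys-command.py`, and since the script's shebang is a bare `#!/usr/bin/python` while PYTHON_COMPAT pins python2_7, installing it with `python_doscript` (or running `python_fix_shebang` on it) would keep the interpreter consistent with the declared dependencies. Installing it root-owned and 0755 under /usr/libexec is the right choice, as sshd refuses an AuthorizedKeysCommand that is group- or world-writable.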