From fd568c0975ab6ef95dc75af7d888cdfa4177c374 Mon Sep 17 00:00:00 2001 From: "Robin H. Johnson" Date: Sat, 2 Jan 2016 15:28:07 -0800 Subject: net-nds/nsscache: backport LDAP fix, add safe AuthorizedKeysCommand (upstream example has security issue). Package-Manager: portage-2.2.24 --- net-nds/nsscache/files/authorized-keys-command.py | 52 ++++++++++++++++++++++ net-nds/nsscache/files/nsscache-0.30-ldapssh.patch | 41 +++++++++++++++++ net-nds/nsscache/nsscache-0.30-r1.ebuild | 46 +++++++++++++++++++ 3 files changed, 139 insertions(+) create mode 100644 net-nds/nsscache/files/authorized-keys-command.py create mode 100644 net-nds/nsscache/files/nsscache-0.30-ldapssh.patch create mode 100644 net-nds/nsscache/nsscache-0.30-r1.ebuild (limited to 'net-nds') diff --git a/net-nds/nsscache/files/authorized-keys-command.py b/net-nds/nsscache/files/authorized-keys-command.py new file mode 100644 index 000000000000..085be71d67c1 --- /dev/null +++ b/net-nds/nsscache/files/authorized-keys-command.py 
@@ -0,0 +1,52 @@
+#!/usr/bin/python
+# vim: ts=4 sts=4 et:
+# pylint: disable=invalid-name
+"""
+OpenSSH AuthorizedKeysCommand: NSSCache input
+Copyright 2016 Gentoo Foundation
+Distributed is distributed under the BSD license.
+
+This script returns one or more authorized keys for use by SSH, by extracting
+them from a local cache file /etc/sshkey.cache.
+
+Two variants are supported, based on the existing nsscache code:
+Format 1:
+ username:key1
+ username:key2
+Format 2:
+ username:['key1', 'key2']
+
+Ensure this script is mentioned in the sshd_config like so:
+AuthorizedKeysCommand /path/to/nsscache/authorized-keys-command.py
+"""
+from __future__ import print_function
+from ast import literal_eval
+from os.path import basename
+import sys
+import errno
+
+SSHKEY_CACHE = '/etc/sshkey.cache'
+
+if __name__ == "__main__":
+ if len(sys.argv) != 2:
+ sys.exit("Usage: %s %s" % (basename(sys.argv[0]), 'USERNAME'))
+
+ try:
+ with open(SSHKEY_CACHE, 'r') as f:
+ for line in f:
+ (username, key) = line.split(':', 1)
+ if username != sys.argv[1]:
+ continue
+ key = key.strip()
+ if key.startswith("[") and key.endswith("]"):
+ # Python array
+ for i in literal_eval(key):
+ print(i.strip())
+ else:
+ # Raw key
+ print(key)
+ except IOError as err:
+ if err.errno in [errno.EPERM, errno.ENOENT]:
+ pass
+ else:
+ raise err
diff --git a/net-nds/nsscache/files/nsscache-0.30-ldapssh.patch b/net-nds/nsscache/files/nsscache-0.30-ldapssh.patch
new file mode 100644
index 000000000000..59adde1eac0d
--- /dev/null
+++ b/net-nds/nsscache/files/nsscache-0.30-ldapssh.patch
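Review bot: Any cache line without a colon — a blank line or a partially written record — makes `(username, key) = line.split(':', 1)` raise ValueError, and because only IOError is caught the script exits with a traceback, so sshd discards the output and every user loses their cached keys until the file is repaired. The Format-2 branch fails the same way: `literal_eval` raises ValueError or SyntaxError on anything that is not a Python literal, a non-sequence result breaks the `for`, and a non-string element breaks on `.strip()`. Since the cache is regenerated from directory data this script does not control, a malformed record should only lose that record, so I would switch to `partition` and skip whatever does not parse, as below. A smaller point: a cache the command cannot read yields errno EACCES from `open()`, not EPERM, so the silent-skip list at the end probably wants `errno.EACCES` as well — confirm that fail-closed-with-no-keys is the intended behaviour there.
```python
        with open(SSHKEY_CACHE, 'r') as f:
            for line in f:
                username, sep, key = line.partition(':')
                # Skip blank or malformed records instead of aborting the lookup.
                if not sep or username != sys.argv[1]:
                    continue
                key = key.strip()
                if key.startswith("[") and key.endswith("]"):
                    # Python array; a bad literal only loses this record
                    try:
                        keys = literal_eval(key)
                    except (ValueError, SyntaxError):
                        continue
                    if not isinstance(keys, (list, tuple)):
                        continue
                    for i in keys:
                        if hasattr(i, 'strip'):
                            print(i.strip())
                else:
                    # Raw key
                    print(key)
        # … unchanged: IOError handling …
```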
@@ -0,0 +1,41 @@
+From cc0f2d7485205d6f9b8c434cb0da292e12448216 Mon Sep 17 00:00:00 2001
+From: Thomas Glanzmann
+Date: Wed, 2 Sep 2015 17:01:40 +0200
+Subject: [PATCH] Provider parameter when calling SshkeyUpdateGetter in order
+ to fix sshkey
+
+Without this change retrieving the map sshkey results in the following exception:
+
+(localhost) [~/work/nsscache] nsscache update
+Traceback (most recent call last):
+ File "/usr/bin/nsscache", line 33, in
+ return_value = nsscache_app.Run(sys.argv[1:], os.environ)
+ File "/usr/lib/python2.6/site-packages/nss_cache/app.py", line 240, in Run
+ retval = command_callable().Run(conf=conf, args=args)
+ File "/usr/lib/python2.6/site-packages/nss_cache/command.py", line 230, in Run
+ force_lock=options.force_lock)
+ File "/usr/lib/python2.6/site-packages/nss_cache/command.py", line 303, in UpdateMaps
+ force_write=force_write)
+ File "/usr/lib/python2.6/site-packages/nss_cache/update/updater.py", line 265, in UpdateFromSource
+ force_write, location=None)
+ File "/usr/lib/python2.6/site-packages/nss_cache/update/map_updater.py", line 75, in UpdateCacheFromSource
+ location=location)
+ File "/usr/lib/python2.6/site-packages/nss_cache/sources/source.py", line 65, in GetMap
+ return self.GetSshkeyMap(since)
+ File "/usr/lib/python2.6/site-packages/nss_cache/sources/ldapsource.py", line 274, in GetSshkeyMap
+ return SshkeyUpdateGetter().GetUpdates(source=self,
+TypeError: __init__() takes exactly 2 arguments (1 given)
+
+diff --git a/nss_cache/sources/ldapsource.py b/nss_cache/sources/ldapsource.py
+index 2af170e..5ffea81 100644
+--- a/nss_cache/sources/ldapsource.py
++++ b/nss_cache/sources/ldapsource.py
+@@ -271,7 +271,7 @@ class LdapSource(source.Source):
+ Returns:
+ instance of maps.SshkeyMap
+ """
+- return SshkeyUpdateGetter().GetUpdates(source=self,
++ return SshkeyUpdateGetter(self.conf).GetUpdates(source=self,
+ search_base=self.conf['base'],
+ search_filter=self.conf['filter'],
+ search_scope=self.conf['scope'],
diff --git a/net-nds/nsscache/nsscache-0.30-r1.ebuild b/net-nds/nsscache/nsscache-0.30-r1.ebuild
new file mode 100644
index 000000000000..e34e87b6cc76
--- /dev/null
+++ b/net-nds/nsscache/nsscache-0.30-r1.ebuild
@@ -0,0 +1,46 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+inherit eutils distutils-r1
+
+DESCRIPTION="commandline tool to sync directory services to local cache"
+HOMEPAGE="https://github.com/google/nsscache"
+SRC_URI="https://github.com/google/nsscache/archive/version/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+IUSE="nssdb nsscache"
+
+DEPEND="${PYTHON_DEPS}
+ dev-python/python-ldap[${PYTHON_USEDEP}]
+ dev-python/pycurl[${PYTHON_USEDEP}]
+ dev-python/bsddb3[${PYTHON_USEDEP}]"
+RDEPEND="${DEPEND}
+ nssdb? ( sys-libs/nss-db )
+ nsscache? ( >=sys-auth/libnss-cache-0.10 )"
+RESTRICT="test"
+S="${WORKDIR}/${PN}-version-${PV}"
+
+src_prepare() {
+ find "${S}" -name '*.py' -exec \
+ sed -i '/^import bsddb$/s,bsddb,bsddb3 as bsddb,g' \
+ {} \+
+ distutils-r1_src_prepare
+}
+
+src_install() {
+ distutils-r1_src_install
+
+ doman nsscache.1 nsscache.conf.5
+ dodoc THANKS nsscache.cron CONTRIBUTING.md README.md
+ exeinto /usr/libexec/nsscache
+ doexe $FILESDIR/authorized-keys-command.py
+
+ keepdir /var/lib/nsscache
+}
-- cgit v1.2.3
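Review bot: The backport patch this commit adds, `files/nsscache-0.30-ldapssh.patch`, is never applied: `src_prepare` only runs the bsddb `sed` and `distutils-r1_src_prepare`, and nothing in the ebuild sets `PATCHES` or calls `epatch` on it, so unless it is applied somewhere not shown here the installed package still carries the `SshkeyUpdateGetter()` TypeError the patch describes. Adding `epatch "${FILESDIR}/${P}-ldapssh.patch"` as the first line of `src_prepare` (eutils is already inherited) would close that gap. In `src_install`, `doexe $FILESDIR/authorized-keys-command.py` should be quoted as `doexe "${FILESDIR}/authorized-keys-command.py"`, matching the quoting used for `${S}` above. Since sshd only runs an AuthorizedKeysCommand that is root-owned and not group- or world-writable, a `pkg_postinst` elog pointing at the sshd_config lines from the script's docstring (including a dedicated `AuthorizedKeysCommandUser`) would help users deploy it safely.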