X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fportforwarder%2Ftemplates%2Fauthorized_keys.erb;h=ec11e54f67b6e5fec529f1e264ef0f1b16c20cc3;hb=6f2e5fc86e49c12b12eef39fc69e0e810a32c318;hp=c9b69d867e1b65d5ec4b3b5642e90cc6ac84cbdc;hpb=4e4e2cd6e062a647d2bd02e58050c6fabd03e978;p=mirror%2Fdsa-puppet.git
diff --git a/modules/portforwarder/templates/authorized_keys.erb b/modules/portforwarder/templates/authorized_keys.erb
index c9b69d867..ec11e54f6 100644
--- a/modules/portforwarder/templates/authorized_keys.erb
+++ b/modules/portforwarder/templates/authorized_keys.erb
@@ -1,24 +1,50 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
 <%=
+
+require 'digest/sha1'
+def get_local_ip_addr(host)
+ hash = Digest::SHA1.digest(host)
+ return '127.101.%d.%d'%[hash[0].ord, hash[1].ord]
+end
+
+def getportforwarderkey(host)
+ key = nil
+ begin
+ facts = YAML.load(File.open("/var/lib/puppet/yaml/facts/#{host}.yaml").read)
+ return facts.values['portforwarder_key']
+ rescue Exception => e
+ end
+ return key
+end
+
+
 lines = []
 config = YAML.load(File.open('/etc/puppet/modules/portforwarder/misc/config.yaml').read)
 config.each_pair do |sourcehost, services|
+ allowed_ports = []
+
 ##lines << "# sourcehost is #{sourcehost}"
 services.each do |service|
 ##lines << "# targethost is #{service['target_host']}, my hostname #{hostname}, fqdn is #{fqdn}"
- next if service['target_host'] != fqdn
+ next if service['target_host'] != @fqdn
+ allowed_ports << service['target_port'] if service['target_port']
+ end
 
- sshkey = nil
- remote_ip = keyinfo[sourcehost][0]['ipHostNumber'].join(',')
- forward_to_port = service['target_port']
- local_bind = '127.0.0.2'
+ if allowed_ports.length > 0
+ sshkey = getportforwarderkey(sourcehost)
+ remote_ip = scope.lookupvar('site::allnodeinfo')[sourcehost]['ipHostNumber'].join(',')
+ local_bind = get_local_ip_addr(sourcehost)
 
- lines << "# from #{sourcehost} on local port #{service['source_bind_port']}"
- if remote_ip.nil? or forward_to_port.nil? or local_bind.nil?
- #if sshkey.nil? or remote_ip.nil? or forward_to_port.nil? or local_bind.nil?
+ lines << "# from #{sourcehost}"
+ if sshkey.nil? or remote_ip.nil? or local_bind.nil?
 lines << "# insufficient config values"
 else
- #lines << "from=\"#{remote_ip}\",command=\"/bin/nc -s #{local_bind} 127.0.0.1 #{forward_to_port}\",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding #{sshkey}"
- lines << "#from=\"#{remote_ip}\",command=\"/bin/nc -s #{local_bind} 127.0.0.1 #{forward_to_port}\",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding "
+ command = "/usr/bin/portforwarder-ssh-wrap #{sourcehost} #{local_bind} #{allowed_ports.join(' ')}"
+ lines << "from=\"#{remote_ip}\",command=\"#{command}\",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding #{sshkey}"
 end
 end
 end
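Review bot: The `sshkey` that `getportforwarderkey` reads from the source node's facts file is interpolated unvalidated into the `from="...",command="..."` line at the end of the hunk, and since that value originates from the other node, a string containing a newline or a `"` would break out of the restricted-options line and change what the generated authorized_keys grants. The `allowed_ports` values appended to `command=` come straight from config.yaml with the same lack of checking. I would have `getportforwarderkey` assign `key = facts.values['portforwarder_key']` instead of returning early and then reject anything that is not a single plain key line, `key = nil unless key.is_a?(String) && key =~ /\A[^\r\n"]+\z/`, and coerce ports with `allowed_ports << Integer(service['target_port']) if service['target_port']` so a malformed value fails the catalog rather than reaching the wrapper. Separately, `rescue Exception => e` in `getportforwarderkey` also swallows SystemExit and Interrupt and never uses `e`; `rescue StandardError` (or the specific missing-file/parse errors you expect) is enough for a missing or garbled facts file.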