From: Peter Palfrader
Date: Tue, 22 Sep 2009 19:53:14 +0000 (+0200)
Subject: Add sshdistAuthKeysHost
X-Git-Tag: userdir-ldap-0.3.72~2
X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=commitdiff_plain;h=c4154ed547a3875a82f554922544f6d05f80787f

Add sshdistAuthKeysHost

We autogenerate the authorized_keys files for sshdist on db-master. It limits the hosts' ssh key to coming from their respective addresses. Now we can add additional source addresses to accept for this since not all hosts appear to come from their published address (or have a published address for that matter).
---
diff --git a/debian/changelog b/debian/changelog
index c8c907e..2d4c538 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,8 +7,13 @@ userdir-ldap (0.3.72XX) Xnstable; urgency=low
     template (it can be different when we read it from input using -n).
   * Tweak templates/welcome-message-60000.
   * ud-generate: don't blow up when a host does not have IP-addresses.
+  * We autogenerate the authorized_keys files for sshdist on db-master.
+    It limits the hosts' ssh key to coming from their respective addresses.
+    Now we can add additional source addresses to accept for this since
+    not all hosts appear to come from their published address (or have
+    a published address for that matter).
- -- Peter Palfrader Tue, 22 Sep 2009 21:32:39 +0200
+ -- Peter Palfrader Tue, 22 Sep 2009 21:51:31 +0200
 userdir-ldap (0.3.71) unstable; urgency=low
diff --git a/ud-generate b/ud-generate
index 3b9a627..549c744 100755
--- a/ud-generate
+++ b/ud-generate
@@ -986,7 +986,10 @@ def GenSSHKnown(File, mode=None):
       for I in x[1]["sshRSAHostKey"]:
          if mode and mode == 'authorized_keys':
-            Line = 'command="rsync --server --sender -pr . /var/cache/userdir-ldap/hosts/%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="%s" %s' % (Host, ",".join(HostToIP(x)), I)
+            hosts = HostToIP(x)
+            if 'sshdistAuthKeysHost' in x[1]:
+               hosts += x[1]['sshdistAuthKeysHost']
+            Line = 'command="rsync --server --sender -pr . /var/cache/userdir-ldap/hosts/%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="%s" %s' % (Host, ",".join(hosts), I)
             #Line = 'command="rsync --server --sender -pr . /var/cache/userdir-ldap/hosts/%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s' % (Host,I)
          else:
             Line = "%s %s" %(",".join(HostNames + HostToIP(x, False)), I)
diff --git a/ud-host b/ud-host
index 4fc33a8..f6d6c56 100755
--- a/ud-host
+++ b/ud-host
@@ -58,6 +58,7 @@ AttrInfo = {"description": ["Machine Descr.", 1],
             "exportOptions": ["Export-Opts", 18],
             "ipHostNumber": ["IP Address", 19],
             "mXRecord": ["MXRecord", 20],
+            "sshdistAuthKeysHost": ["extra authkeys ip", 21],
             }
 AttrPrompt = {"description": ["Purpose of the machine"],
@@ -80,6 +81,7 @@ AttrPrompt = {"description": ["Purpose of the machine"],
             "exportOptions": ["additional export options"],
             "ipHostNumber": ["IP Addresses(es) of the machine"],
             "mXRecord": ["Mail Exchanger for this machine"],
+            "sshdistAuthKeysHost": ["additional hosts for sshdist's authkeys file"],
             };
 # Create a map of IDs to desc,value,attr
@@ -142,7 +144,7 @@ def Overview(Attrs):
 # Change a single attribute
 def ChangeAttr(Attrs,Attr):
-   if (Attr in ["sponsor", "sshRSAHostKey", "purpose", "allowedGroups", "exportOptions", "ipHostNumber", "mXRecord"]):
+   if (Attr in ["sponsor", "sshRSAHostKey", "purpose", "allowedGroups", "exportOptions", "ipHostNumber", "mXRecord", "sshdistAuthKeysHost"]):
       return MultiChangeAttr(Attrs,Attr);
    print "Old value: '%s'" % (GetAttr(Attrs,Attr,""));
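Review bot: The sshdistAuthKeysHost values are appended to `hosts` and interpolated into `from="%s"` exactly as stored, so the `from=` restriction — the control that ties a host's key to its source addresses — now depends on free-form directory data: a value containing `"`, `,`, whitespace or a `*`/`?`/`!` pattern would either break the generated authorized_keys line or widen what the option accepts. Each entry should be checked to look like an address or prefix before it is added, and anything rejected should be reported through whatever warning path ud-generate already uses rather than dropped silently (the excerpt below only filters). `hosts += ...` also extends the list returned by HostToIP(x) in place; if that helper ever returns a shared list, the extras would bleed into later callers, so copy it first. GenSSHKnown starts and ends outside the hunk, and whether `re` is already imported in ud-generate is not visible here; ud-host's ChangeAttr hunk, where these values are entered, shows no format check either.
```python
            hosts = list(HostToIP(x))
            if 'sshdistAuthKeysHost' in x[1]:
               # Only address-like tokens may go into from=: a quote, comma,
               # whitespace or wildcard in a directory value would otherwise
               # break the line or widen the source restriction.
               hosts += [h for h in x[1]['sshdistAuthKeysHost']
                         if re.match(r'^[0-9A-Fa-f.:/]+$', h)]
            # … unchanged: Line = 'command="rsync …",from="%s" %s' % (Host, ",".join(hosts), I) …
```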
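Review bot: The AttrInfo label for the new attribute reads `extra authkeys ip` while the AttrPrompt text reads `additional hosts for sshdist's authkeys file`, and the two disagree on what an operator is expected to type. Because ud-generate splices the value into the `from=` option of an authorized_keys entry and the schema derives it from ipHostNumber, the prompt should ask for addresses, e.g. `"sshdistAuthKeysHost": ["additional source IP addresses accepted in sshdist's authkeys file"],`. A hostname entered there would, as far as sshd's from= matching goes, be checked against the peer's reverse-resolved name rather than its address, which is a weaker control than the address match the feature is meant to provide. Whether MultiChangeAttr validates the entered values is not visible in this hunk.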
diff --git a/userdir-ldap.schema b/userdir-ldap.schema
index 37dc7c5..b1fd76b 100644
--- a/userdir-ldap.schema
+++ b/userdir-ldap.schema
@@ -106,6 +106,7 @@
 # .38 - mailContentInspectionAction
 # .39 - allowedGroups
 # .40 - exportOptions
+# .41 - sshdistAuthKeysHost
 #
 # .3 - experimental LDAP objectClasses
 # .1 - debianDeveloper
@@ -488,6 +489,10 @@ attributetype ( 1.3.6.1.4.1.9586.100.4.2.38
 	SUBSTR caseIgnoreIA5SubstringsMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
 	SINGLE-VALUE )
+attributetype ( 1.3.6.1.4.1.9586.100.4.2.41
+	NAME ( 'sshdistAuthKeysHost' )
+	SUP ipHostNumber )
+
 # Public object classes
@@ -529,7 +534,8 @@ objectclass ( 1.3.6.1.4.1.9586.100.4.3.2
 	MAY ( c $ access $ admin $ architecture $ bandwidth $ description $ disk $ distribution $ l $ machine $ memory $ sponsor $ sponsor-admin $ status $ physicalHost $ ipHostNumber $
-	      sshRSAHostKey $ purpose $ allowedGroups $ exportOptions $ MXRecord
+	      sshRSAHostKey $ purpose $ allowedGroups $ exportOptions $ MXRecord $
+	      sshdistAuthKeysHost
 	) )
 objectclass ( 1.3.6.1.4.1.9586.100.4.3.3
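Review bot: The new attributetype at .41 carries no DESC, so the schema itself does not record that its values are emitted into an authorized_keys `from=` option; suggest adding `DESC 'additional source addresses accepted for this host in the sshdist authorized_keys file'` between the NAME and SUP lines. Deriving it with `SUP ipHostNumber` presumably also gives it ipHostNumber's plain IA5-string syntax, so the directory will not enforce any address format and that check has to live in ud-host or ud-generate — worth stating in the DESC so a later maintainer does not assume the schema validates it. Leaving out SINGLE-VALUE is consistent with ud-host treating the attribute as multi-valued.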