[__ssh_authorized_keys] add --remove-unknown parameter

This commit is contained in:
ander 2020-05-28 23:31:13 +03:00
parent abac79d4a5
commit 29c0180204
4 changed files with 44 additions and 1 deletions

View file

@ -0,0 +1,8 @@
#!/bin/sh -e
file="$( . "$__type_explorer/file" )"
if [ -f "$file" ]
then
cat "$file"
fi

View file

@ -60,6 +60,9 @@ nofile
Don't manage existence, ownership and permissions of the the authorized_keys Don't manage existence, ownership and permissions of the the authorized_keys
file. file.
remove-unknown
Remove undefined keys.
EXAMPLES EXAMPLES
-------- --------
@ -70,6 +73,12 @@ EXAMPLES
__ssh_authorized_keys root \ __ssh_authorized_keys root \
--key "$(cat ~/.ssh/id_rsa.pub)" --key "$(cat ~/.ssh/id_rsa.pub)"
# same as above, but make sure your key is only key in
# root's authorized_keys file
__ssh_authorized_keys root \
--key "$(cat ~/.ssh/id_rsa.pub)" \
--remove-unknown
# allow key to login as user-name # allow key to login as user-name
__ssh_authorized_keys user-name \ __ssh_authorized_keys user-name \
--key "ssh-rsa AXYZAAB3NzaC1yc2..." --key "ssh-rsa AXYZAAB3NzaC1yc2..."

View file

@ -55,8 +55,12 @@ _cksum() {
echo "$1" | cksum | cut -d' ' -f 1 echo "$1" | cksum | cut -d' ' -f 1
} }
_type_and_key() {
echo "$1" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }'
}
while read -r key; do while read -r key; do
type_and_key="$(echo "$key" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')" type_and_key="$( _type_and_key "$key" )"
object_id="$(_cksum "$file")-$(_cksum "$type_and_key")" object_id="$(_cksum "$file")-$(_cksum "$type_and_key")"
set -- "$object_id" set -- "$object_id"
set -- "$@" --file "$file" set -- "$@" --file "$file"
@ -72,3 +76,24 @@ while read -r key; do
# Ensure __ssh_authorized_key does not read stdin # Ensure __ssh_authorized_key does not read stdin
__ssh_authorized_key "$@" < /dev/null __ssh_authorized_key "$@" < /dev/null
done < "$__object/parameter/key" done < "$__object/parameter/key"
if [ -f "$__object/parameter/remove-unknown" ] &&
[ -s "$__object/explorer/keys" ]
then
while read -r key
do
type_and_key="$( _type_and_key "$key" )"
if grep -Fq "$type_and_key" "$__object/parameter/key"
then
continue
fi
__ssh_authorized_key "remove-$( _cksum "$file$key" )" \
--file "$file" \
--key "$key" \
--state absent \
< /dev/null
done \
< "$__object/explorer/keys"
fi

View file

@ -1,2 +1,3 @@
noparent noparent
nofile nofile
remove-unknown