From 95ab68a2723390b531de76c5a39e88692d41dceb Mon Sep 17 00:00:00 2001
From: Dennis Camera
Date: Tue, 1 Oct 2019 08:26:59 +0200
Subject: [PATCH 1/2] [__ssh_authorized_keys] Fall back to /etc files if getent(1) is not available
Some (embedded) systems don't provide getent(1). The workaround parses /etc/passwd and /etc/group under the assumption that these sysems only use local users and groups.
---
.../type/__ssh_authorized_keys/explorer/file | 26 +++++++++++++++--
.../type/__ssh_authorized_keys/explorer/group | 29 +++++++++++++++++--
2 files changed, 50 insertions(+), 5 deletions(-)
diff --git a/cdist/conf/type/__ssh_authorized_keys/explorer/file b/cdist/conf/type/__ssh_authorized_keys/explorer/file
index 5a02721a..09d55f6f 100755
--- a/cdist/conf/type/__ssh_authorized_keys/explorer/file
+++ b/cdist/conf/type/__ssh_authorized_keys/explorer/file
@@ -1,6 +1,7 @@
#!/bin/sh
#
# 2014 Steven Armstrong (steven-cdist at armstrong.cc)
+# 2019 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@@ -21,7 +22,28 @@
if [ -f "$__object/parameter/file" ]; then
cat "$__object/parameter/file"
else
- owner="$(cat "$__object/parameter/owner" 2>/dev/null || echo "$__object_id")"
- home=$(getent passwd "$owner" | cut -d':' -f 6)
+ if [ -s "$__object/parameter/owner" ]
+ then
+ owner=$(cat "$__object/parameter/owner")
+ else
+ owner="$__object_id"
+ fi
+
+ if command -v getent >/dev/null
+ then
+ owner_line=$(getent passwd "$owner")
+ else
+ case $owner
+ in
+ [0-9][0-9]*)
+ owner_line=$(awk -F: "\$3 == \"${owner}\" { print }" /etc/passwd)
+ ;;
+ *)
+ owner_line=$(awk -F: "\$1 == \"${owner}\" { print }" /etc/passwd)
+ ;;
+ esac
+ fi
+
+ home=$(echo "$owner_line" | cut -d':' -f6)
echo "$home/.ssh/authorized_keys"
fi
diff --git a/cdist/conf/type/__ssh_authorized_keys/explorer/group b/cdist/conf/type/__ssh_authorized_keys/explorer/group
index 72a4e314..1bd14840 100755
--- a/cdist/conf/type/__ssh_authorized_keys/explorer/group
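Review bot: In the getent fallback of the second hunk, the `case` pattern `[0-9][0-9]*` is a shell glob that requires two leading digits, so a single-digit `--owner` such as `0` takes the `*)` branch and is compared against the user-name field, while a value like `12abc` takes the UID branch; at the same time `${owner}` is spliced into the awk program text, so a quote or backslash in the parameter alters the program instead of the compared value. Both points are addressed by passing the owner through `-v` and testing for non-digit characters first: `*[!0-9]*) owner_line=$(awk -F: -v owner="$owner" '$1 == owner' /etc/passwd) ;;` followed by `*) owner_line=$(awk -F: -v owner="$owner" '$3 == owner' /etc/passwd) ;;`. The same pattern and interpolation appear in the explorer/group hunk of this patch and are carried over unchanged into the explorer/file hunk of PATCH 2/2. A short comment above the `case`, such as `# an all-digit owner is a UID, anything else a user name`, would make the intent of the two branches explicit.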
+++ b/cdist/conf/type/__ssh_authorized_keys/explorer/group
@@ -1,6 +1,7 @@
#!/bin/sh
#
# 2014 Steven Armstrong (steven-cdist at armstrong.cc)
+# 2019 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
#
# This file is part of cdist.
#
@@ -18,6 +19,28 @@
# along with cdist. If not, see .
#
-owner="$(cat "$__object/parameter/owner" 2>/dev/null || echo "$__object_id")"
-gid="$(getent passwd "$owner" | cut -d':' -f 4)"
-getent group "$gid" || true
+if [ -s "$__object/parameter/owner" ]
+then
+ owner=$(cat "$__object/parameter/owner")
+else
+ owner="$__object_id"
+fi
+
+if command -v getent >/dev/null
+then
+ gid=$(getent passwd "$owner" | cut -d':' -f4)
+ getent group "$gid" || true
+else
+ # Fallback to local file scanning
+ case $owner
+ in
+ [0-9][0-9]*)
+ gid=$(awk -F: "\$3 == \"${owner}\" { print $4 }" /etc/passwd)
+ ;;
+ *)
+ gid=$(awk -F: "\$1 == \"${owner}\" { print $4 }" /etc/passwd)
+ ;;
+ esac
+
+ awk -F: "\$3 == \"$gid\" { print }" /etc/group
+fi
From 259aa13b6ab90a12baebbacbcf1ce5d5c4cce06b Mon Sep 17 00:00:00 2001
From: Dennis Camera
Date: Tue, 1 Oct 2019 11:06:02 +0200
Subject: [PATCH 2/2] [__ssh_authorized_keys] Better path checks
---
.../type/__ssh_authorized_keys/explorer/file | 58 +++++++++++--------
.../conf/type/__ssh_authorized_keys/manifest | 6 ++
2 files changed, 41 insertions(+), 23 deletions(-)
diff --git a/cdist/conf/type/__ssh_authorized_keys/explorer/file b/cdist/conf/type/__ssh_authorized_keys/explorer/file
index 09d55f6f..017bcb38 100755
--- a/cdist/conf/type/__ssh_authorized_keys/explorer/file
+++ b/cdist/conf/type/__ssh_authorized_keys/explorer/file
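Review bot: In the fallback branch of the second hunk, `{ print $4 }` sits inside a double-quoted shell string, so `$4` is expanded by the shell (the explorer's fourth positional parameter, normally empty) before awk sees it; awk then receives `{ print }`, `gid` ends up holding the whole passwd record, and the following `/etc/group` lookup compares `$3` against that record and matches nothing, so the explorer prints no group. Escaping it as `\$4` would work, but passing values through `-v` avoids both this and the splicing of `${owner}` into the program text: `gid=$(awk -F: -v owner="$owner" '$3 == owner { print $4 }' /etc/passwd)`, the name variant `'$1 == owner { print $4 }'`, and `awk -F: -v gid="$gid" '$3 == gid' /etc/group`. Unlike the getent branch, this one has no `|| true` and no check that /etc/passwd and /etc/group exist, so on a host lacking them awk's error becomes the explorer's exit status; PATCH 2/2 adds an `-f /etc/passwd` guard to explorer/file but not here.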
@@ -20,30 +20,42 @@
#
if [ -f "$__object/parameter/file" ]; then
- cat "$__object/parameter/file"
+ cat "$__object/parameter/file"
else
- if [ -s "$__object/parameter/owner" ]
- then
- owner=$(cat "$__object/parameter/owner")
- else
- owner="$__object_id"
- fi
+ if [ -s "$__object/parameter/owner" ]
+ then
+ owner=$(cat "$__object/parameter/owner")
+ else
+ owner="$__object_id"
+ fi
- if command -v getent >/dev/null
- then
- owner_line=$(getent passwd "$owner")
- else
- case $owner
- in
- [0-9][0-9]*)
- owner_line=$(awk -F: "\$3 == \"${owner}\" { print }" /etc/passwd)
- ;;
- *)
- owner_line=$(awk -F: "\$1 == \"${owner}\" { print }" /etc/passwd)
- ;;
- esac
- fi
+ if command -v getent >/dev/null
+ then
+ owner_line=$(getent passwd "$owner")
+ elif [ -f /etc/passwd ]
+ then
+ case $owner
+ in
+ [0-9][0-9]*)
+ owner_line=$(awk -F: "\$3 == \"${owner}\" { print }" /etc/passwd)
+ ;;
+ *)
+ owner_line=$(awk -F: "\$1 == \"${owner}\" { print }" /etc/passwd)
+ ;;
+ esac
+ fi
- home=$(echo "$owner_line" | cut -d':' -f6)
- echo "$home/.ssh/authorized_keys"
+ if [ "$owner_line" ]
+ then
+ home=$(echo "$owner_line" | cut -d':' -f6)
+ fi
+
+ if [ ! -d "$home" ]
+ then
+ # Don't know how to determine user's home directory, fall back to ~
+ home="~$owner"
+ command -v realpath >/dev/null && home=$(realpath "$home")
+ fi
+
+ [ -d "$home" ] && echo "$home/.ssh/authorized_keys"
fi
diff --git a/cdist/conf/type/__ssh_authorized_keys/manifest b/cdist/conf/type/__ssh_authorized_keys/manifest
index b507c7ff..b9f0582e 100755
--- a/cdist/conf/type/__ssh_authorized_keys/manifest
+++ b/cdist/conf/type/__ssh_authorized_keys/manifest
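Review bot: The new fallback `home="~$owner"` is never tilde-expanded, because tilde expansion applies only to an unquoted literal `~user` in the script text and not to the contents of a variable; `realpath "$home"` therefore resolves a relative path literally named `~owner` beneath the explorer's working directory, which normally does not exist (so realpath fails and `home` becomes empty), and if such an entry did exist the explorer would report an unrelated directory as the home. Since getent and /etc/passwd have already been consulted there is no further source to fall back to, so the whole `if [ ! -d "$home" ]` block can go and the last line can be written as `if [ -d "$home" ]; then echo "$home/.ssh/authorized_keys"; fi`, leaving the explorer silent when the directory is unknown, which the manifest hunk of this patch then reports. As written, `[ -d "$home" ] && echo …` is also the script's final command, so a missing directory makes the explorer exit with status 1; if cdist treats a non-zero explorer exit as a failure (not visible here) the manifest's message would never be reached. A valid passwd entry whose home directory has not been created yet now also yields no path, whereas the previous code returned it regardless; that behaviour change is worth stating in the commit message.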
@@ -23,6 +23,12 @@
owner="$(cat "$__object/parameter/owner" 2>/dev/null || echo "$__object_id")"
state="$(cat "$__object/parameter/state" 2>/dev/null)"
file="$(cat "$__object/explorer/file")"
+if [ ! -f "$__object/parameter/nofile" ] && [ -z "$file" ]
+then
+ echo "Cannot determine path of authorized_keys file" >&2
+ exit 1
+fi
+
if [ ! -f "$__object/parameter/noparent" ] || [ ! -f "$__object/parameter/nofile" ]; then
group="$(cut -d':' -f 1 "$__object/explorer/group")"
if [ -z "$group" ]; then
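Review bot: The guard only covers the case where `--nofile` is absent, but the `if` that follows it (its body lies outside the hunk) also runs when `--nofile` is given and `--noparent` is not, so an empty `$file` still reaches the parent-directory handling there; mirroring that condition, `if [ -z "$file" ] && { [ ! -f "$__object/parameter/noparent" ] || [ ! -f "$__object/parameter/nofile" ]; }`, closes the gap. Including the owner in the diagnostic, `echo "Cannot determine path of authorized_keys file for owner $owner" >&2`, tells the operator which object failed when many instances of the type are configured; `$owner` is assigned on the first context line of the hunk. The context line also still uses the `cat … 2>/dev/null || echo` idiom that the two explorers replaced with `[ -s … ]` in PATCH 1/2, so the three places now derive the owner slightly differently.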