StephanSainleger
/
0k-charms
forked from 0k/0k-charms
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
437 Commits
13 Branches
0 Tags
107 MiB
Tree: 57fd9d0abb
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '57fd9d0abb'
${ noResults }
0k-charms/rsync-backup-target/build/src/usr/local/sbin/ssh-key

134 lines
3.4 KiB
Raw Normal View History

new: [rsync-backup-target] allow dynamic management of backup keys Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] backup groups allow key management delegation Each backup endpoint is now part of a backup group. Each backup group can be managed by ad-hoc and separate account. Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] allow dynamic management of backup keys Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] backup groups allow key management delegation Each backup endpoint is now part of a backup group. Each backup group can be managed by ad-hoc and separate account. Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] allow dynamic management of backup keys Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] backup groups allow key management delegation Each backup endpoint is now part of a backup group. Each backup group can be managed by ad-hoc and separate account. Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] allow dynamic management of backup keys Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] backup groups allow key management delegation Each backup endpoint is now part of a backup group. Each backup group can be managed by ad-hoc and separate account. Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] allow dynamic management of backup keys Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] backup groups allow key management delegation Each backup endpoint is now part of a backup group. Each backup group can be managed by ad-hoc and separate account. Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] allow dynamic management of backup keys Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] backup groups allow key management delegation Each backup endpoint is now part of a backup group. Each backup group can be managed by ad-hoc and separate account. Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
fix: [rsync-backup-target] disallow using same key for different ident in any admin account As key will map authorization to a specified directory, we can't allow having 2 keys pointing to 2 different directories. This must be enforced. Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] allow dynamic management of backup keys Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
fix: [rsync-backup-target] disallow using same key for different ident in any admin account As key will map authorization to a specified directory, we can't allow having 2 keys pointing to 2 different directories. This must be enforced. Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] allow dynamic management of backup keys Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
fix: [rsync-backup-target] disallow using same key for different ident in any admin account As key will map authorization to a specified directory, we can't allow having 2 keys pointing to 2 different directories. This must be enforced. Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] backup groups allow key management delegation Each backup endpoint is now part of a backup group. Each backup group can be managed by ad-hoc and separate account. Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
new: [rsync-backup-target] allow dynamic management of backup keys Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
4 years ago
  1. #!/bin/bash
  3. RSYNC_KEY_PATH=/etc/rsync/keys
  6. ANSI_ESC=$'\e['
  8. NORMAL="${ANSI_ESC}0m"
  10. GRAY="${ANSI_ESC}1;30m"
  11. RED="${ANSI_ESC}1;31m"
  12. GREEN="${ANSI_ESC}1;32m"
  13. YELLOW="${ANSI_ESC}1;33m"
  14. BLUE="${ANSI_ESC}1;34m"
  15. PINK="${ANSI_ESC}1;35m"
  16. CYAN="${ANSI_ESC}1;36m"
  17. WHITE="${ANSI_ESC}1;37m"
  19. DARKGRAY="${ANSI_ESC}0;30m"
  20. DARKRED="${ANSI_ESC}0;31m"
  21. DARKGREEN="${ANSI_ESC}0;32m"
  22. DARKYELLOW="${ANSI_ESC}0;33m"
  23. DARKBLUE="${ANSI_ESC}0;34m"
  24. DARKPINK="${ANSI_ESC}0;35m"
  25. DARKCYAN="${ANSI_ESC}0;36m"
  26. DARKWHITE="${ANSI_ESC}0;37m"
  29. ssh-key-ls() {
  30. local label="$1" f content
  31. for f in "${RSYNC_KEY_PATH}"/backup/"$label"/*.pub; do
  32. [ -e "$f" ] || continue
  33. ident=${f##*/}
  34. ident=${ident%.pub}
  35. content=$(cat "$f")
  36. key=${content#* }
  37. key=${key% *}
  38. printf "${DARKGRAY}..${NORMAL}%24s ${DARKCYAN}%s${NORMAL}\n" "${key: -24}" "$ident"
  39. done
  40. }
  43. ssh-key-rm() {
  44. local label="$1" ident="$2" delete
  46. delete="${RSYNC_KEY_PATH}/backup/$label/$ident.pub"
  47. if ! [ -e "$delete" ]; then
  48. echo "Error: key '$ident' not found." >&2
  49. return 1
  50. fi
  51. rm "$delete"
  53. /usr/local/sbin/ssh-update-keys
  54. }
  57. ssh-key-add() {
  58. local label="$1" type="$2" key="$3" email="$4"
  60. [ "$type" == "ssh-rsa" ] || {
  61. echo "Error: expecting ssh-rsa key type" >&2
  62. return 1
  63. }
  65. ## ident are unique by construction (they are struct keys)
  66. ## but keys need to be also unique
  67. declare -A keys
  68. content="$type $key $email"
  69. ident="${email##*@}"
  70. target="${RSYNC_KEY_PATH}/backup/$label/$ident.pub"
  72. ## is key used already ? As key give access to a specified subdir,
  73. ## we need to make sure it is unique.
  75. for key_file in "${RSYNC_KEY_PATH}/backup/"*/*.pub; do
  76. [ -e "$key_file" ] || continue
  77. key_content=$(cat "$key_file")
  78. if [ "$type $key" == "${key_content% *}" ]; then
  79. if [ "$key_file" == "$target" ]; then
  80. echo "Provided key already present for '$ident'." >&2
  81. return 0
  82. elif [[ "$key_file" == "${RSYNC_KEY_PATH}/"*"/$label/"*.pub ]]; then
  83. type=${key_file#"${RSYNC_KEY_PATH}/"}
  84. type=${type%"/$label/"*.pub}
  85. key_ident=${key_file##*/}
  86. key_ident=${key_ident%.pub}
  87. echo "Provided key already used as $type key for '$key_ident'." >&2
  88. return 1
  89. else
  90. olabel=${key_file#"${RSYNC_KEY_PATH}/"*/}
  91. olabel=${olabel%/*.pub}
  92. echo "Specified key is already used by '$olabel' account, please pick another one." >&2
  93. return 1
  94. fi
  95. fi
  96. done
  98. mkdir -p "${target%/*}"
  99. if [ -e "$target" ]; then
  100. echo "Replacing key for '$ident'." >&2
  101. elif [ -e "${RSYNC_KEY_PATH}/"*"/"*"/$ident.pub" ]; then
  102. olabel=("${RSYNC_KEY_PATH}/"*"/"*"/$ident.pub")
  103. olabel="${olabel[0]}"
  104. olabel=${olabel#"${RSYNC_KEY_PATH}/"*/}
  105. olabel=${olabel%/*.pub}
  106. echo "ident '$ident' is already reserved by '$olabel', please pick another one." >&2
  107. return 1
  108. fi
  109. echo "$content" > "$target"
  111. /usr/local/sbin/ssh-update-keys
  112. }
  117. case "$1" in
  118. "add")
  119. shift
  120. ssh-key-add "$@"
  121. ;;
  122. "rm")
  123. shift
  124. ssh-key-rm "$@"
  125. ;;
  126. "ls")
  127. shift
  128. ssh-key-ls "$@"
  129. ;;
  130. *)
  131. echo "Unknown command '$1'."
  132. ;;
  133. esac