further testing needed but this should allow us to have lots of options for restricted shells, users, ssh keys and should fit all of our needs

2008-03-07 11:38:52 -06:00 · 2008-03-07 11:38:52 -06:00 · 141424fe2d
commit 141424fe2d
parent 212f50a487
2 changed files with 62 additions and 10 deletions
--- a/fas/client/fas.conf
+++ b/fas/client/fas.conf
@ -26,7 +26,7 @@ restricted_groups = sysadmin
 ; ssh_restricted_groups: groups that should be restricted by ssh key.  You will
 ; need to disable password based logins in order for this value to have any
 ; security meaning
-ssh_restricted_groups = 
+ssh_restricted_groups = sysadmin-web

 [users]
 ; default shell given to people in [host] groups
@ -39,5 +39,20 @@ home = /home/fedora
 ; deleted this location should be tmpwatched
 home_backup_dir = /tmp/fedora

-ssh_restricted_app = 
+; ssh_restricted_app - This is the path to the restricted shell script.  It
+; will not work automatically for most people though through alterations it
+; is a powerfull way to restrict access to a machine.  An alternative example
+; could be given to people who should only have cvs access on the machine. 
+; setting this value to "/usr/bin/cvs server" would do this.
+ssh_restricted_app = /usr/local/bin/restricted-shell
+
+; restricted_shell - The shell given to users in the ssh_restricted_groups
 restricted_shell = /sbin/nologin
+
+; ssh_restricted_shell - The shell given to users in the ssh_restricted_groups
+ssh_restricted_shell = /bin/bash
+
+; ssh_key_options - Options to be appended to people ssh keys.  Users in the 
+; ssh_restricted_groups will have the keys they uploaded altered when they are
+; installed on this machine, appended with the options below.
+ssh_key_options = no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
--- a/fas/client/fasClient.py
+++ b/fas/client/fasClient.py
@ -140,17 +140,54 @@ class MakeShellAccounts(BaseClient):
    def ssh_key(self, person):
        ''' determine what ssh key a user should have '''
        for group in config.get('host', 'groups').split(','):
+            try:
                if person['username'] in self.group_mapping[group]:
                    return person['ssh_key']
-
+            except KeyError:
+                print >> sys.stderr, '%s is could not be found in fas but was in your config under "groups"!' % group
+                continue
+        for group in config.get('host', 'restricted_groups').split(','):
+            try:
+                if person['username'] in self.group_mapping[group]:
+                    return person['ssh_key']
+            except KeyError:
+                print >> sys.stderr, '%s is could not be found in fas but was in your config under "restricted_groups"!' % group
+                continue
+        for group in config.get('host', 'ssh_restricted_groups').split(','):
+            try:
+                if person['username'] in self.group_mapping[group]:
+                    command = config.get('users', 'ssh_restricted_app')
+                    options = config.get('users', 'ssh_key_options')
+                    key = 'command="%s",%s %s' % (command, options, person['ssh_key'])
+                    return key
+            except KeyError:
+                print >> sys.stderr, '%s is could not be found in fas but was in your config under "ssh_restricted_groups"!' % group
+                continue
+        return 'INVALID\n'
    def shell(self, username):
        ''' Determine what shell username should have '''
        for group in config.get('host', 'groups').split(','):
+            try:
                if username in self.group_mapping[group]:
                    return config.get('users', 'shell')
-        for group in config.get('host', 'restricted_groups'):
+            except KeyError:
+                print >> sys.stderr, '%s is could not be found in fas but was in your config under "groups"!' % group
+                continue
+        for group in config.get('host', 'restricted_groups').split(','):
+            try:
                if username in self.group_mapping[group]:
                    return config.get('users', 'restricted_shell')
+            except KeyError:
+                print >> sys.stderr, '%s is could not be found in fas but was in your config under "restricted_groups"!' % group
+                continue
+        for group in config.get('host', 'ssh_restricted_groups').split(','):
+            try:
+                if username in self.group_mapping[group]:
+                    return config.get('users', 'ssh_restricted_shell')
+            except KeyError:
+                print >> sys.stderr, '%s is could not be found in fas but was in your config under "restricted_groups"!' % group
+                continue
+
        print >> sys.stderr, 'Could not determine shell for %s.  Defaulting to /sbin/nologin' % username
        return '/sbin/nologin'