This repository contains tools for working with hackers.git
information.

The most important 4 programs are:

- `meta-check`: sanity-check hackers.git data
- `ssh-list-authorized-keys`: configure sshd to use this for
  AuthorizedKeysCommand to have it get SSH keys directly from
  hackers.git
- `postfix-generate-virtual-map`: generate a virtual map
  for Postfix that provides email aliases for users in hackers.git
- `pacman-make-keyring`: generate a tarball with the pacman-keyring
  files for the users in hackers.git
- `nshd`: implements the nslcd protocol of nss-pam-ldapd, but talks to
  hackers.git instead of LDAP.

The others are:

- `meta-normalize-stdio`: used by `meta-check`
- `meta-cat`: used by `nshd`
- `pgp-list-keyids`: used by `pacman-make-keyring`
- `uid-map`: used by `pacman-make-keyring`

Each of the programs looks for `parabola-hackers.yml` in the current
directory (except for `meta-normalize-stdio`, which has no
configuration).

# Configuration

The main two things the programs look at are `yamldir`, which tells them
where to find `hackers.git/users`, and `groupgroups`, which augments the
`groups` array for each user.

## pacman-make-keyring

`pacman-make-keyring` also looks at `keyring_cachedir` to see where to
store files that can be cached between versions of the keyring.

## ssh-list-authorized-keys

`ssh-list-authorized-keys` also looks at `ssh_pseudo_users`.
System users (`/etc/passwd`) mentioned in this variable may be SSH'ed
into by hackers.git users who are in a group of the same name.

## nshd

`nshd` also looks at `pam_password_prohibit_message` to decide what to
say when prohibiting a user from being changed via PAM.

# Usage

## meta-check

Just run it; it will report any problems with hackers.git data.

## ssh-list-authorized-keys

Configure `sshd_config:AuthorizedKeysCommand` to be this program.
`sshd` will run it as `ssh-list-authorized-keys ${USERNAME}`.

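To make the `ssh_pseudo_users` and `groupgroups` semantics concrete, here is a small model of the lookup that an `AuthorizedKeysCommand` like the one above performs. This is an added illustration, not the project's own code; it assumes a user record shape (`username`, `groups`, `ssh_keys`) and that `groupgroups` maps a group name to the groups whose members it also contains, with all data constructed inline.

```python
"""Model of the ssh-list-authorized-keys lookup described in this README.

Added illustration, not the project's code. Assumed shapes: a hackers.git
user is a dict with "username", "groups" and "ssh_keys"; groupgroups maps a
group name to the groups whose members it also contains.
"""

# Constructed sample of parabola-hackers.yml settings (assumed shape).
CONFIG = {
    "ssh_pseudo_users": ["repo", "git"],
    "groupgroups": {"repo": ["devs"]},  # members of "devs" are also in "repo"
}

# Constructed sample of hackers.git/users entries (assumed shape, fake keys).
USERS = [
    {"username": "alice", "groups": ["devs"], "ssh_keys": ["ssh-ed25519 EXAMPLEKEY alice"]},
    {"username": "bob", "groups": ["repo"], "ssh_keys": ["ssh-ed25519 EXAMPLEKEY bob"]},
    {"username": "carol", "groups": ["web"], "ssh_keys": ["ssh-ed25519 EXAMPLEKEY carol"]},
]


def effective_groups(user, groupgroups):
    """Return the user's groups after groupgroups augmentation."""
    groups = set(user["groups"])
    changed = True
    while changed:  # iterate to a fixed point so nested groupgroups resolve
        changed = False
        for parent, members in groupgroups.items():
            if parent not in groups and groups & set(members):
                groups.add(parent)
                changed = True
    return groups


def authorized_keys(username, users, config):
    """Keys sshd should accept for a login as `username`."""
    # A hackers.git user logging in as themselves gets their own keys.
    for u in users:
        if u["username"] == username:
            return list(u["ssh_keys"])
    # A pseudo user is reachable only by members of the same-named group.
    if username in config["ssh_pseudo_users"]:
        return [k for u in users
                if username in effective_groups(u, config["groupgroups"])
                for k in u["ssh_keys"]]
    return []  # unknown account: no keys, so sshd denies the login
```

With the sample data, `repo` accepts alice's key (via `devs` in `groupgroups`) and bob's, while `git` accepts none because nobody is in that group.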
## postfix-generate-virtual-map

    postfix-show-virtual-map > /etc/postfix/virtual-parabola.nu
    postmap hash:/etc/postfix/virtual-parabola.nu

## pacman-make-keyring

    pacman-make-keyring V=$(date -u +%Y%m%d)
    scp parabola-keyring-$(date -u +%Y%m%d).tar.gz repo.parabola.nu:/srv/repo/main/other/parabola-keyring/

or

    cd $(. "$(librelib conf)" && load_files makepkg && echo "$SRCDEST")
    pacman-make-keyring V=$(date -u +%Y%m%d)

In the latter case, it would get uploaded automagically by
`librerelease` when you release a parabola-keyring with the matching
version.

## nshd

Either reboot, or run `systemd-sysusers` to create the nshd user.

Add `ldap` to the `passwd`, `group`, and `shadow` fields in
`/etc/nsswitch.conf`:

    passwd: files ldap
    group: files ldap
    shadow: files ldap

Then enable and start `nshd.socket`:

    systemctl enable --now nshd.socket

----
Copyright (C) 2014, 2016 Luke Shumaker
This documentation file is placed into the public domain. If that is
not possible in your legal system, I grant you permission to use it in
absolutely every way that I can legally grant to you.