summaryrefslogtreecommitdiff
path: root/config-mgmt-nshd.PKGBUILD
diff options
context:
space:
mode:
Diffstat (limited to 'config-mgmt-nshd.PKGBUILD')
-rw-r--r--config-mgmt-nshd.PKGBUILD61
1 files changed, 61 insertions, 0 deletions
diff --git a/config-mgmt-nshd.PKGBUILD b/config-mgmt-nshd.PKGBUILD
new file mode 100644
index 0000000..b3336e3
--- /dev/null
+++ b/config-mgmt-nshd.PKGBUILD
@@ -0,0 +1,61 @@
+. ${BUILDFILE%/*}/common.sh
+pkgver=20170203.3
+
+package() {
+preamble
+# #### Parabola hackers
+
+depends=(parabola-hackers-nshd openssh)
+
+# sshd is configured to force the use of keys (no password-based
+# login), and to use [parabola-hackers][] `ssh-list-authorized-keys`
+# in addition to checking `~/.ssh/authorized_keys`.
+# `ssh-list-authorized-keys` returns the authorized keys from the
+# [hackers.git][] checkout in `/var/lib/hackers-git` (the path to the
+# checkout is configured in `/etc/parabola-hackers.yml`).
+#
+# [parabola-hackers]: https://www.parabola.nu/packages/libre/x86_64/parabola-hackers/
+# [hackers.git]: https://git.parabola.nu/hackers.git/
+add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/ssh/sshd_config.holoscript <<EOF
+#!/bin/sh
+{
+ sed -e '/^#AuthorizedKeysCommand\s/ aAuthorizedKeysCommand /usr/lib/parabola-hackers/ssh-list-authorized-keys' \
+ -e '/^#AuthorizedKeysCommandUser\s/ aAuthorizedKeysCommandUser nshd' \
+ -e '/^#PasswordAuthentication\s/ aPasswordAuthentication no'
+} | awk '\$0==""||!x[\$0]++'
+EOF
+
+# NSS and PAM have been configured to use the ldap modules that are
+# part of [nss-pam-ldapd][].
+#
+# [nss-pam-ldapd]: https://www.parabola.nu/packages/community/x86_64/nss-pam-ldapd/
+add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/nsswitch.conf.holoscript <<EOF
+#!/bin/sh
+sed 's/ ldap//' | sed -r '/^(passwd|group|shadow):/s/(files|compat)/files ldap/'
+EOF
+
+# However, instead of running the normal `nslcd` LDAP client daemon,
+# the system has ben configured to run the [parabola-hackers-nshd][]
+# `nshd` daemon, which reads user infomation from the same
+# `hackers.git` checkout (configured the same way). This way we dn't
+# have to worry about keeping `/etc/passwd` in sync with
+# `hackers.git`. To this end, PAM has also been configured to create
+# a users home directory when they log in if it doesn't already exist.
+# Because `hackers.git` doesn't store any password information, `nshd`
+# stores password hashes in `/etc/nshd/shadow`.
+#
+# [parabola-hackers-nshd]: https://www.parabola.nu/packages/libre/x86_64/parabola-hackers-nshd/
+add-unit etc/systemd/system/sockets.target.wants/nshd.socket
+add-unit etc/systemd/system/dbus.service.wants/nshd.service # (temporary [systemd bug workaround][])
+#
+# [sytemd bug workaround][]: https://projects.parabola.nu/packages/parabola-hackers.git/tree/nshd.service.in#n19
+
+# Sometimes after something fails in PAM, you get a "User not known to
+# the underlying authentication module" message. For exaple, the
+# `pam_ldap.so.2` failed because you typed your password wrong, but
+# the PAM caller thinks `pam_ldap` failed because it didn't "own" the
+# user. I think that it's just a bug in PAM's message selection. But
+# (TODO) we should actually track it down.
+
+postamble
+}