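# Shared PKGBUILD helpers; `preamble`, `postamble`, `add-file` and `add-unit`
# used below are not defined in this file and are expected to come from here.
# makepkg sets BUILDFILE to the path of the PKGBUILD being processed; the
# expansion is quoted so a build directory containing spaces or glob
# characters cannot split or alter the path that gets sourced.
. "${BUILDFILE%/*}/common.sh"
pkgver=20170203.3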

#######################################
# Assemble the config-mgmt-nshd package: installs two holo scripts that
# rewrite /etc/ssh/sshd_config and /etc/nsswitch.conf, and enables the
# nshd socket/service units.
# Globals:   pkgname (read), depends (written)
# Arguments: none
# Returns:   status of the last helper call (postamble)
# The helpers preamble/postamble/add-file/add-unit are presumably provided
# by the common.sh sourced at the top of this file — their exact contract
# is not visible here.
#######################################
package() {
preamble
# #### Parabola hackers

# Runtime dependencies: the nshd daemon and the sshd being configured.
depends=(parabola-hackers-nshd openssh)

# sshd is configured to force the use of keys (no password-based
# login), and to use [parabola-hackers][] `ssh-list-authorized-keys`
# in addition to checking `~/.ssh/authorized_keys`.
# `ssh-list-authorized-keys` returns the authorized keys from the
# [hackers.git][] checkout in `/var/lib/hackers-git` (the path to the
# checkout is configured in `/etc/parabola-hackers.yml`).
#
# How the holoscript works: each sed `a` command appends the active
# directive immediately after the matching commented-out default
# (`#Directive ...`) in the stock sshd_config, so a directive is only
# added when that commented line is still present — if upstream drops
# or renames the default line, nothing is appended for it.  The awk
# filter prints empty lines unconditionally and every other line only
# the first time it is seen, so re-running the script does not
# accumulate duplicate directives.
#
# NOTE(review): only PasswordAuthentication is turned off here.  With
# UsePAM enabled, keyboard-interactive password prompts are governed by
# the separate ChallengeResponseAuthentication/KbdInteractiveAuthentication
# setting, which this script does not touch — confirm the stock config
# already disables it if "keys only" is the intended guarantee.
#
# [parabola-hackers]: https://www.parabola.nu/packages/libre/x86_64/parabola-hackers/
# [hackers.git]: https://git.parabola.nu/hackers.git/
add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/ssh/sshd_config.holoscript <<EOF
#!/bin/sh
{
	sed -e '/^#AuthorizedKeysCommand\s/     aAuthorizedKeysCommand /usr/lib/parabola-hackers/ssh-list-authorized-keys' \
	    -e '/^#AuthorizedKeysCommandUser\s/ aAuthorizedKeysCommandUser nshd' \
	    -e '/^#PasswordAuthentication\s/    aPasswordAuthentication no'
} | awk '\$0==""||!x[\$0]++'
EOF

# NSS and PAM have been configured to use the ldap modules that are
# part of [nss-pam-ldapd][].
#
# The first sed strips any existing " ldap" so the script is idempotent;
# the second appends ldap after files/compat on the passwd, group and
# shadow databases only.
#
# [nss-pam-ldapd]: https://www.parabola.nu/packages/community/x86_64/nss-pam-ldapd/
add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/nsswitch.conf.holoscript <<EOF
#!/bin/sh
sed 's/ ldap//' | sed -r '/^(passwd|group|shadow):/s/(files|compat)/files ldap/'
EOF

# However, instead of running the normal `nslcd` LDAP client daemon,
# the system has been configured to run the [parabola-hackers-nshd][]
# `nshd` daemon, which reads user information from the same
# `hackers.git` checkout (configured the same way).  This way we don't
# have to worry about keeping `/etc/passwd` in sync with
# `hackers.git`.  To this end, PAM has also been configured to create
# a user's home directory when they log in if it doesn't already exist.
# Because `hackers.git` doesn't store any password information, `nshd`
# stores password hashes in `/etc/nshd/shadow`.
#
# [parabola-hackers-nshd]: https://www.parabola.nu/packages/libre/x86_64/parabola-hackers-nshd/
#
# The paths below are .wants entries, i.e. presumably add-unit enables
# the unit by placing it under the target's wants directory — confirm
# against common.sh.
add-unit etc/systemd/system/sockets.target.wants/nshd.socket
add-unit etc/systemd/system/dbus.service.wants/nshd.service # (temporary [systemd bug workaround][])
#
# [systemd bug workaround][]: https://projects.parabola.nu/packages/parabola-hackers.git/tree/nshd.service.in#n19

# Sometimes after something fails in PAM, you get a "User not known to
# the underlying authentication module" message.  For example, the
# `pam_ldap.so.2` failed because you typed your password wrong, but
# the PAM caller thinks `pam_ldap` failed because it didn't "own" the
# user.  I think that it's just a bug in PAM's message selection.  But
# (TODO) we should actually track it down.

postamble
}