Bb authorized keys for

linux/amzn/2.0/foxpass_setup.py

@@ -48,6 +48,7 @@ def main():
     parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
     parser.add_argument('--keep-command', default=False, action='store_true', help='Do not replace sshd key command')
     parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+    parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
     parser.add_argument('--opt-timeout', default=6, help='option to set the sssd opt timeout')
     parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
     # Foxpass SUDOers add-on
@@ -82,7 +83,7 @@ def main():
     write_foxpass_ssh_keys_script(apis, args.api_key)
     run_authconfig(args.ldap_uri, args.base_dn)
     configure_sssd(bind_dn, args.bind_pw, args.ldaps, args.opt_timeout)
-    augment_sshd_config(args.keep_command)
+    augment_sshd_config(args.keep_command, args.allow_authorized_keys_file_for)
     fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
 
     if args.enable_ldap_sudoers:
@@ -170,7 +171,7 @@ def write_foxpass_ssh_keys_script(apis, api_key):
 
 def run_authconfig(uri, base_dn):
     cmd = 'authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --ldapserver={uri} --disableldaptls --ldapbasedn={base_dn} --enablemkhomedir --enablecachecreds --update'.format(uri=uri, base_dn=base_dn)
-    print 'Running %s' % cmd
+    print('Running {}'.format(cmd))
     os.system(cmd)
 
 
@@ -224,8 +225,25 @@ def configure_ldap_sudoers(base_dn, sudo_timed, full_refresh_interval, smart_ref
     augment_nsswitch()
 
 
-def augment_sshd_config(keep_command):
+def augment_sshd_config(keep_command, allow_authorized_keys_file_for):
     sshd_config_file = '/etc/ssh/sshd_config'
+
+    if not file_contains(sshd_config_file, r'^AuthorizedKeysFile'):
+        with open('/etc/ssh/sshd_config', "a") as w:
+            w.write("\n")
+            w.write("AuthorizedKeysFile\tNone\n")
+    else:
+        os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' {}".format(sshd_config_file))
+
+    if not file_contains(sshd_config_file, r'^Match User'):
+        with open(sshd_config_file, "a") as w:
+            w.write("\n")
+            w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+            w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+    # dynamically update the Match User value
+    os.system("sed -i 's/^Match User.*/Match User {}/' {}".format(allow_authorized_keys_file_for, sshd_config_file))
+
     key_command = 'AuthorizedKeysCommand\t\t/usr/local/sbin/foxpass_ssh_keys.sh\n'
     key_command_user = 'AuthorizedKeysCommandUser\troot\n'
     if not file_contains(sshd_config_file, r'^AuthorizedKeysCommand\w'):
@@ -235,8 +253,7 @@ def augment_sshd_config(keep_command):
             clean_authorizedkeyscommand(sshd_config_file)
             write_authorizedkeyscommand(sshd_config_file, key_command, key_command_user)
     else:
-        print 'AuthorizedKeysCommand already set, will not use Foxpass for ssh key verification'
-        return
+        print('AuthorizedKeysCommand already set, will not use Foxpass for ssh key verification')
 
 
 def augment_openldap(bind_dn):

linux/centos/7/foxpass_setup.py

@@ -47,6 +47,7 @@ def main():
     parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
     parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
     parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+    parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
     parser.add_argument('--opt-timeout', default=6, help='option to set the sssd opt timeout')
     parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
     # Foxpass SUDOers add-on
@@ -81,7 +82,7 @@ def main():
     write_foxpass_ssh_keys_script(apis, args.api_key)
     run_authconfig(args.ldap_uri, args.base_dn)
     configure_sssd(bind_dn, args.bind_pw, args.ldaps, args.opt_timeout)
-    augment_sshd_config()
+    augment_sshd_config(args.allow_authorized_keys_file_for)
     fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
 
     if args.enable_ldap_sudoers:
@@ -223,7 +224,23 @@ def configure_ldap_sudoers(base_dn, sudo_timed, full_refresh_interval, smart_ref
     augment_nsswitch()
 
 
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_file_for):
+    if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+        with open('/etc/ssh/sshd_config', "a") as w:
+            w.write("\n")
+            w.write("AuthorizedKeysFile\tNone\n")
+    else:
+        os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+    if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+        with open('/etc/ssh/sshd_config', "a") as w:
+            w.write("\n")
+            w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+            w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+    # dynamically update the Match User value
+    os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
     if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
         with open('/etc/ssh/sshd_config', "a") as w:
             w.write("\n")

linux/centos/8/foxpass_setup.py

@@ -47,6 +47,7 @@ def main():
     parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
     parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
     parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+    parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
     parser.add_argument('--opt-timeout', default=6, help='option to set the sssd opt timeout')
     parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
     # Foxpass SUDOers add-on
@@ -81,7 +82,7 @@ def main():
     write_foxpass_ssh_keys_script(apis, args.api_key)
     run_authconfig(args.ldap_uri, args.base_dn)
     configure_sssd(bind_dn, args.bind_pw, args.ldaps, args.opt_timeout)
-    augment_sshd_config()
+    augment_sshd_config(args.allow_authorized_keys_file_for)
     fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
 
     if args.enable_ldap_sudoers:
@@ -228,7 +229,23 @@ def configure_ldap_sudoers(base_dn, sudo_timed, full_refresh_interval, smart_ref
     augment_nsswitch()
 
 
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_file_for):
+    if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+        with open('/etc/ssh/sshd_config', "a") as w:
+            w.write("\n")
+            w.write("AuthorizedKeysFile\tNone\n")
+    else:
+        os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+    if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+        with open('/etc/ssh/sshd_config', "a") as w:
+            w.write("\n")
+            w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+            w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+    # dynamically update the Match User value
+    os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
     if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
         with open('/etc/ssh/sshd_config', "a") as w:
             w.write("\n")

linux/debian/10/foxpass_setup.py

@@ -49,6 +49,7 @@ def main():
     parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
     parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
     parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+    parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
     parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
 
     args = parser.parse_args()
@@ -82,7 +83,7 @@ def main():
     install_dependencies()
     write_foxpass_ssh_keys_script(apis, args.api_key)
     write_nslcd_conf(uris, args.base_dn, binddn, args.bind_pw, args.ldap_connections, args.idle_timelimit)
-    augment_sshd_config()
+    augment_sshd_config(args.allow_authorized_keys_file_for)
     augment_pam()
     fix_nsswitch()
     fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
@@ -228,7 +229,23 @@ def write_nslcd_conf(uris, basedn, binddn, bindpw, threads, idle_timelimit):
                                bindpw=bindpw, sslstatus=sslstatus, threads=threads, idle_timelimit=idle_timelimit))
 
 
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_file_for):
+    if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+        with open('/etc/ssh/sshd_config', "a") as w:
+            w.write("\n")
+            w.write("AuthorizedKeysFile\tNone\n")
+    else:
+        os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+    if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+        with open('/etc/ssh/sshd_config', "a") as w:
+            w.write("\n")
+            w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+            w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+    # dynamically update the Match User value
+    os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
     if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
         with open('/etc/ssh/sshd_config', "a") as w:
             w.write("\n")

linux/debian/9/foxpass_setup.py

@@ -50,6 +50,7 @@ def main():
     parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
     parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
     parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+    parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
     parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
 
     args = parser.parse_args()
@@ -83,7 +84,7 @@ def main():
     install_dependencies()
     write_foxpass_ssh_keys_script(apis, args.api_key)
     write_nslcd_conf(uris, args.base_dn, binddn, args.bind_pw, args.ldap_connections, args.idle_timelimit)
-    augment_sshd_config()
+    augment_sshd_config(args.allow_authorized_keys_file_for)
     augment_pam()
     fix_nsswitch()
     fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
@@ -228,8 +229,23 @@ def write_nslcd_conf(uris, basedn, binddn, bindpw, threads, idle_timelimit):
         w.write(content.format(uris='\nuri '.join(uris), basedn=basedn, binddn=binddn,
                                bindpw=bindpw, sslstatus=sslstatus, threads=threads, idle_timelimit=idle_timelimit))
 
+def augment_sshd_config(allow_authorized_keys_file_for):
+    if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+        with open('/etc/ssh/sshd_config', "a") as w:
+            w.write("\n")
+            w.write("AuthorizedKeysFile\tNone\n")
+    else:
+        os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+    if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+        with open('/etc/ssh/sshd_config', "a") as w:
+            w.write("\n")
+            w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+            w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+    # dynamically update the Match User value
+    os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
 
-def augment_sshd_config():
     if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
         with open('/etc/ssh/sshd_config', "a") as w:
             w.write("\n")

linux/redhat/foxpass_setup.py

@@ -47,6 +47,7 @@ def main():
     parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
     parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
     parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+    parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
     parser.add_argument('--opt-timeout', default=6, help='option to set the sssd opt timeout')
     parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
     # Foxpass SUDOers add-on
@@ -81,7 +82,7 @@ def main():
     write_foxpass_ssh_keys_script(apis, args.api_key)
     run_authconfig(args.ldap_uri, args.base_dn)
     configure_sssd(bind_dn, args.bind_pw, args.ldaps, args.opt_timeout)
-    augment_sshd_config()
+    augment_sshd_config(args.allow_authorized_keys_file_for)
     fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
 
     if args.enable_ldap_sudoers:
@@ -228,7 +229,23 @@ def configure_ldap_sudoers(base_dn, sudo_timed, full_refresh_interval, smart_ref
     augment_nsswitch()
 
 
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_file_for):
+    if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+        with open('/etc/ssh/sshd_config', "a") as w:
+            w.write("\n")
+            w.write("AuthorizedKeysFile\tNone\n")
+    else:
+        os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+    if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+        with open('/etc/ssh/sshd_config', "a") as w:
+            w.write("\n")
+            w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+            w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+    # dynamically update the Match User value
+    os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
     if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
         with open('/etc/ssh/sshd_config', "a") as w:
             w.write("\n")

linux/ubuntu/20.04/foxpass_setup.py

@@ -48,6 +48,7 @@ def main():
     parser.add_argument('--sudoers-group', default='foxpass-sudo', type=str, help='sudoers group with root access')
     parser.add_argument('--update-sudoers', default=False, action='store_true', help='update 95-foxpass-sudo with new group')
     parser.add_argument('--require-sudoers-pw', default=False, action='store_true', help='set sudoers default password requirement')
+    parser.add_argument('--allow-authorized-keys-file-for', default='*', type=str, help='allow authorized keys file for given user; by default all users are allowed. specify multiple users with comma.')
     parser.add_argument('--debug', default=False, action='store_true', help='Turn on debug mode')
     # Foxpass SUDOers add-on
     parser.add_argument('--enable-ldap-sudoers', default=False, action='store_true', help='Enable Foxpass SUDOers')
@@ -86,7 +87,7 @@ def main():
     install_dependencies()
     write_foxpass_ssh_keys_script(apis, args.api_key)
     write_nslcd_conf(uris, args.base_dn, binddn, args.bind_pw, args.ldap_connections, args.idle_timelimit)
-    augment_sshd_config()
+    augment_sshd_config(args.allow_authorized_keys_file_for)
     augment_pam()
     fix_nsswitch()
     fix_sudo(args.sudoers_group, args.require_sudoers_pw, args.update_sudoers)
@@ -248,7 +249,23 @@ def write_nslcd_conf(uris, basedn, binddn, bindpw, threads, idle_timelimit):
                                bindpw=bindpw, sslstatus=sslstatus, threads=threads, idle_timelimit=idle_timelimit))
 
 
-def augment_sshd_config():
+def augment_sshd_config(allow_authorized_keys_file_for):
+    if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysFile'):
+        with open('/etc/ssh/sshd_config', "a") as w:
+            w.write("\n")
+            w.write("AuthorizedKeysFile\tNone\n")
+    else:
+        os.system("sed -i 's/^AuthorizedKeysFile.*/AuthorizedKeysFile\tNone/' /etc/ssh/sshd_config")
+
+    if not file_contains('/etc/ssh/sshd_config', r'^Match User'):
+        with open('/etc/ssh/sshd_config', "a") as w:
+            w.write("\n")
+            w.write("Match User {}\n".format(allow_authorized_keys_file_for))
+            w.write("\tAuthorizedKeysFile .ssh/authorized_keys\n")
+
+    # dynamically update the Match User value
+    os.system("sed -i 's/^Match User.*/Match User {}/' /etc/ssh/sshd_config".format(allow_authorized_keys_file_for))
+
     if not file_contains('/etc/ssh/sshd_config', r'^AuthorizedKeysCommand\w'):
         with open('/etc/ssh/sshd_config', "a") as w:
             w.write("\n")