Added public key authentication from ldap

master
noah metz 2023-12-04 13:03:23 -07:00
parent 73cb2895b5
commit da44d9c068
2 changed files with 55 additions and 5 deletions

@ -13,9 +13,9 @@ VM_CPU ?= 4
%: %.qcow2 %: %.qcow2
$(eval OVMF := $(shell guix build $(GUIX_SUBSTITUTE_FLAG) ovmf)) $(eval OVMF := $(shell guix build $(GUIX_SUBSTITUTE_FLAG) ovmf))
qemu-system-x86_64 -nic user,model=virtio-net-pci -enable-kvm -hda $< -m $(VM_RAM) -smp $(VM_CPU) -bios $(OVMF)/share/firmware/ovmf_x64.bin qemu-system-x86_64 -nic bridge,br=virbr0 -enable-kvm -hda $< -m $(VM_RAM) -smp $(VM_CPU) -bios $(OVMF)/share/firmware/ovmf_x64.bin
.PHONY: % .PHONY: %
%-ro: %.scm %-ro: %.scm
$(eval VM_SCRIPT := $(shell guix system $(GUIX_LIB_FLAGS) $(GUIX_SUBSTITUTE_FLAG) vm $< --expose=$(PWD)/pki=/var/lib/openvpn)) $(eval VM_SCRIPT := $(shell guix system $(GUIX_LIB_FLAGS) $(GUIX_SUBSTITUTE_FLAG) vm $<))
$(VM_SCRIPT) -m $(VM_RAM) -smp $(VM_CPU) -nic user,model=virtio-net-pci $(VM_SCRIPT) -m $(VM_RAM) -smp $(VM_CPU) -nic bridge,br=virbr0

@ -1,6 +1,8 @@
(define-module (metznet system base-system) (define-module (metznet system base-system)
#:use-module (guix gexp) #:use-module (guix gexp)
#:use-module (metznet golang)
#:use-module (gnu bootloader) #:use-module (gnu bootloader)
#:use-module (gnu bootloader grub) #:use-module (gnu bootloader grub)
#:use-module (gnu system accounts) #:use-module (gnu system accounts)
@ -251,11 +253,59 @@
"LDAP_AUTHTOK") "LDAP_AUTHTOK")
%unset-value)))))))) %unset-value))))))))
(define pubkey-command
(program-file "pubkey-command"
(with-imported-modules '((guix build utils))
#~(begin
(use-modules (guix build utils) (ice-9 format) (ice-9 popen) (ice-9 textual-ports))
(define* (shell-command-to-string
cmd)
(catch 'shell-command-error
(lambda ()
(let* ((port (open-pipe
cmd
OPEN_READ))
(str (get-string-all
port))
(wtpd (close-pipe
port))
(xval (status:exit-val
wtpd)))
(if (or (eqv? xval #f)
(> xval 0))
(throw 'shell-command-error
cmd str))
str))
(lambda (key cmd str)
(simple-format #t
"ERROR: in command ~a\nstring: ~a\n"
cmd str)
(throw 'error-in-shell-command-to-string
cmd str))))
(display (shell-command-to-string (string-join
(list #$(file-append
metznet-pubkey
"/bin/pubkey")
"ldaps://ldap.metznet.ca"
"uid=guix,ou=system,ou=accounts,dc=metznet,dc=ca"
#$(or (getenv "LDAP_AUTHTOK") "")
"dc=metznet,dc=ca"
(list-ref (command-line) 1))
" ")))))))
(define %metznet-services (define %metznet-services
(list (service openssh-service-type (list (service openssh-service-type
(openssh-configuration (password-authentication? #f) (openssh-configuration (password-authentication? #f)
(extra-content (extra-content #~(string-join
"KerberosAuthentication yes"))) (list
"AuthorizedKeysCommandUser root"
(string-append
"AuthorizedKeysCommand "
#$pubkey-command)
"KerberosAuthentication yes")
"\n"))))
(service krb5-service-type %metznet-krb5-config) (service krb5-service-type %metznet-krb5-config)
(service pam-krb5-service-type (service pam-krb5-service-type
(pam-krb5-configuration (pam-krb5 pam-krb5) (pam-krb5-configuration (pam-krb5 pam-krb5)