path: root/README.md
blob: 00c43049d225f6fd0d05c498f94e01f370b083da (plain)
This repository contains tools for working with hackers.git
information.

The most important programs are:

 - `meta-check`: sanity-check hackers.git data
 - `ssh-list-authorized-keys`: configure sshd to use this as its
   AuthorizedKeysCommand so that it gets SSH keys directly from
   hackers.git
 - `postfix-generate-virtual-map`: generate a virtual map
   for Postfix that provides email aliases for users in hackers.git
 - `pacman-make-keyring`: generate a tarball with the pacman-keyring
   files for the users in hackers.git
 - `nshd`: implements the nslcd protocol of nss-pam-ldapd, but talks to
   hackers.git instead of LDAP.

The others are:

 - `meta-cat`: used by `nshd`
 - `meta-normalize-stdio`: used by `meta-check`
 - `nshd-setuid`: used by `nshd`
 - `nshd-tester`: used to test `nshd`
 - `pgp-list-keyids`: used by `pacman-make-keyring`
 - `uid-map`: used by `pacman-make-keyring`

Each of the programs looks for `parabola-hackers.yml` in the current
directory (except for `meta-normalize-stdio`, which has no
configuration).

# Configuration

The two main settings the programs look at are `yamldir`, which tells
them where to find `hackers.git/users`, and `groupgroups`, which
augments the `groups` array for each user.  You may override the
`yamldir` setting by setting the environment variable
`PARABOLA_HACKERS_YAMLDIR`.

## pacman-make-keyring

`pacman-make-keyring` also looks at `keyring_cachedir` to see where to
store files that can be cached between versions of the keyring.

## ssh-list-authorized-keys

`ssh-list-authorized-keys` also looks at `ssh_pseudo_users`.
System users (`/etc/passwd`) listed in this variable may be SSH'ed
into by hackers.git users who are in a hackers.git "group" of the same name.
Note that "group" is in quotes here because these are abstract
capability groups as defined in `parabola-hackers.yml`, which do not
necessarily correspond to system groups on any server.
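As an added example (not the project's own code) of how the `groupgroups` augmentation and the `ssh_pseudo_users` rule fit together, the Ruby script below implements the lookup an `AuthorizedKeysCommand` performs: a hackers.git user gets their own keys, a listed pseudo-user gets the keys of everyone whose effective groups include its name, and any other login gets nothing. The layout of `parabola-hackers.yml` and the user fields `username`, `groups` and `ssh_keys` are assumptions, and all sample data is constructed.

```ruby
require 'yaml'
require 'set'

# Constructed stand-in for parabola-hackers.yml (assumed layout: groupgroups maps a
# group to the groups its members also belong to; ssh_pseudo_users lists system users).
CONFIG_YAML = <<~YAML
  yamldir: /srv/hackers.git/users
  groupgroups:
    tu: [dev]
    dev: [hackers]
    hackers: [shell]
  ssh_pseudo_users: [git, repo]
YAML

# Constructed stand-in for hackers.git user records (field names assumed).
USERS_YAML = <<~YAML
  alice:
    username: alice
    groups: [tu]
    ssh_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@example
  bob:
    username: bob
    groups: [git]
    ssh_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBob bob@example
  carol:
    username: carol
    groups: [shell]
    ssh_keys: []
YAML

CONFIG = YAML.safe_load(CONFIG_YAML)
USERS  = YAML.safe_load(USERS_YAML)

# Expand declared groups through `groupgroups` transitively: membership in a key
# group implies membership in every group it lists, and so on.
def effective_groups(groups, groupgroups)
  seen = Set.new
  todo = groups.dup
  until todo.empty?
    g = todo.shift
    next unless seen.add?(g)              # add? is nil when g was already present
    todo.concat(Array(groupgroups[g]))
  end
  seen
end

# Accept only a bare "<type> <base64> [comment]" entry on a single line, so that
# no options prefix or extra line hidden in a record reaches sshd.
KEY_LINE = /\A(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-[a-z0-9-]+@openssh\.com) [A-Za-z0-9+\/=]+( .*)?\z/

def valid_key?(line)
  line.is_a?(String) && line.match?(KEY_LINE)
end

# Keys sshd should accept for a login name; deny by default.
#   1. the login is a hackers.git user: that user's own keys;
#   2. the login is a system user named in ssh_pseudo_users: keys of every
#      hackers.git user whose effective groups include that name;
#   3. anything else: no keys.
def authorized_keys_for(login, config = CONFIG, users = USERS)
  groupgroups = config.fetch('groupgroups', {})
  pseudo      = config.fetch('ssh_pseudo_users', [])
  candidates =
    if users.key?(login)
      [users[login]]
    elsif pseudo.include?(login)
      users.values.select do |u|
        effective_groups(Array(u['groups']), groupgroups).include?(login)
      end
    else
      []
    end
  candidates.flat_map { |u| Array(u['ssh_keys']) }.select { |k| valid_key?(k) }.uniq
end

# Same calling convention as `ssh-list-authorized-keys ${USERNAME}`.
puts authorized_keys_for(ARGV[0]) if __FILE__ == $PROGRAM_NAME && ARGV[0]
```

With the constructed data, `git` yields only bob's key (alice's chain `tu` > `dev` > `hackers` > `shell` never reaches `git`), while `shell`, which is a capability group but not a listed pseudo-user, yields nothing: a group name alone never grants a login.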

## nshd

`nshd` also looks at `pam_password_prohibit_message` to decide what to
say when refusing to let a user's password be changed via PAM.

# Compiling

Compile the tools:

	git submodule init
	git submodule update

	YYYYMMDD=$(date +%Y%m%d)
	sed -i "s|\(VERSION *= *\).*|\1$YYYYMMDD|" config.mk
	git commit -m 'prepare release' config.mk
	make && make check && make dist

Build and publish the source-ball and package:

* sign parabola-hackers-*.tar.gz with GPG
* upload the source-ball and signature to the repo server
  under the 'other/parabola-hackers/' directory
* set 'pkgver' in libre/parabola-hackers/PKGBUILD
  to the same $YYYYMMDD as config.mk above
* ensure that 'validpgpkeys' in libre/parabola-hackers/PKGBUILD
  is set to your GPG key
* build and publish the package normally with libretools
* publish the PKGBUILD to abslibre

# Usage

## meta-check

Just run it; it will report any problems with the hackers.git data.

## ssh-list-authorized-keys

Configure `sshd_config:AuthorizedKeysCommand` to be this program.
`sshd` will run it as `ssh-list-authorized-keys ${USERNAME}`.

## postfix-generate-virtual-map

	postfix-generate-virtual-map > /etc/postfix/virtual-parabola.nu
	postmap hash:/etc/postfix/virtual-parabola.nu
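As an added example (not the project's own code) of what a generator for this map has to get right, the Ruby script below builds `alias@domain<TAB>target` lines from hackers.git-style records and refuses, instead of silently emitting, two kinds of bad input: an address containing whitespace (postmap splits each line on whitespace, so such a value would become extra map fields) and an alias claimed by two users. The record fields `username`, `email` and `email_aliases`, the domain `parabola.nu` as alias domain, and the sample records are all assumptions or constructed data.

```ruby
require 'yaml'

# Constructed hackers.git-style records (field names `username`, `email` and
# `email_aliases` are assumptions; the real schema is not described here).
USERS_YAML = <<~YAML
  alice:
    username: alice
    email: alice@mail.example
  bob:
    username: bob
    email: bob@mail.example
    email_aliases: [robert]
  carol:
    username: carol
    email: carol@mail.example
    email_aliases: [robert]
  dave:
    username: dave
    email: dave@mail.example extra@mail.example
YAML

USERS  = YAML.safe_load(USERS_YAML)
DOMAIN = 'parabola.nu'   # assumed alias domain

# A single address with no whitespace: postmap(1) splits each line on
# whitespace, so an unchecked value could turn into extra map entries.
ADDR = /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/

# Returns [lines, problems]; lines are "alias@DOMAIN<TAB>target" ready for
# `postmap hash:`, problems are records that were skipped instead of emitted.
def virtual_map(users, domain = DOMAIN)
  lines, problems, owner = [], [], {}
  users.each_value do |u|
    name, target = u['username'], u['email']
    unless target.is_a?(String) && target.match?(ADDR)
      problems << "#{name}: malformed email #{target.inspect}"
      next
    end
    [name, *Array(u['email_aliases'])].each do |a|
      lhs = "#{a}@#{domain}"
      if owner.key?(lhs)                 # first claimant keeps the alias
        problems << "#{lhs}: claimed by both #{owner[lhs]} and #{name}"
        next
      end
      owner[lhs] = name
      lines << "#{lhs}\t#{target}"
    end
  end
  [lines, problems]
end

if __FILE__ == $PROGRAM_NAME
  lines, problems = virtual_map(USERS)
  $stderr.puts problems                  # review these before running postmap
  puts lines
end
```

Redirect stdout to the map file as in the two commands above and run `postmap hash:` on it; anything on stderr means a record in hackers.git needs fixing before the map is trusted.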

## pacman-make-keyring

	pacman-make-keyring V=$(date -u +%Y%m%d)
	scp parabola-keyring-$(date -u +%Y%m%d).tar.gz repo.parabola.nu:/srv/repo/main/other/parabola-keyring/

or

	cd $(. "$(librelib conf)" && load_files makepkg && echo "$SRCDEST")
	pacman-make-keyring V=$(date -u +%Y%m%d)

In the latter case, it would get uploaded auto-magically by
`librerelease` when you release a parabola-keyring with the matching
version.

## nshd

Either reboot, or run `systemd-sysusers` to create the nshd user.

Add `ldap` to the `passwd`, `group`, and `shadow` fields in
`/etc/nsswitch.conf`:

	passwd: files ldap
	group: files ldap
	shadow: files ldap

Then enable and start `nshd.socket`:

	systemctl enable --now nshd.socket

----
Copyright (C) 2014, 2016-2017  Luke Shumaker
Copyright (C) 2019             bill-auger

This documentation file is placed into the public domain.  If that is
not possible in your legal system, I grant you permission to use it in
absolutely every way that I can legally grant to you.